Well... we have not specified SSLv2 or SSLv3, so the initial HELLO must come from TLSv1.x that encapsulates it in an SSLv2 frame. The whole purpose of enabling the "SSLv2Hello" protocol was to allow the initial encapsulated hello frame. However, with Tomcat versions greater than 7.0.68 this is no longer possible. I do not know how to solve it.
We did not create the webapp (Java servlet) in-house, so I do not know if the problem is the app or the calling client. I assume it is the webapp though. I have tried connecting with a simple client written in Python (protocols are not specified) and a C++ client that uses the POCO library for the HTTPS REST requests. Both clients receive the SSL23_GET_SERVER_HELLO:sslv3 error.

On 2016-09-27 16:46, Jose María Zaragoza wrote:
> 2016-09-27 16:29 GMT+02:00 Persson, Magnus (SE-TLX) <magnus.pers...@assaabloy.com>:
>> Hi,
>>
>> We started out with Tomcat 7.0.35 and got that running with our REST servlet.
>>
>> When we upgraded to Tomcat 7.0.63 we got this error when we tried to create a new session:
>>
>> {
>>   "message": "[Errno 1] _ssl.c:507: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"
>> }
>>
>> Through Google we found out that we needed to add "SSLv2Hello" to the enabled protocols, so we changed our connector in server.xml like this (only added SSLv2Hello):
>>
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>            maxThreads="150" scheme="https" secure="true"
>>            keystoreFile="${catalina.base}/conf/keystore"
>>            keystorePass="*" clientAuth="false"
>>            sslProtocol="TLS"
>>            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
>>            URIEncoding="UTF-8" />
>>
>> We upgraded to Tomcat 7.0.68 and it works fine with the above connector in server.xml.
>>
>> When we upgraded to Tomcat 7.0.70 we got the sslv3 error again even though we have SSLv2Hello in the enabled protocols:
>>
>> {
>>   "message": "[Errno 1] _ssl.c:507: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"
>> }
>>
>> What do we need to change in the server.xml file to bypass the ssl3 error this time?
>
> Hello:
>
> I'm not sure but you can try these options:
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames
>
> Note that SSLv2 and SSLv3 are inherently unsafe.
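A small probe, added here as an example (it is not code from the thread, from Tomcat or from the POCO client), that shows the two hello formats the thread is about: a ClientHello in normal TLS record framing, and the same offer in SSL 2.0 CLIENT-HELLO framing, which is the wire format the "SSLv2Hello" pseudo-protocol admits. It sends one or the other and decodes the first record the server returns, so a fatal alert with description 40 (the alert OpenSSL reports as "sslv3 alert handshake failure", whatever TLS version was offered) can be told apart from a real ServerHello. The host, port, cipher list and the fixed random/challenge bytes are assumptions chosen for illustration.

```python
"""Send a TLS-framed or an SSLv2-framed ("SSLv2Hello") ClientHello and decode
the first record the server sends back (ServerHello or Alert).

Added diagnostic example, not code from the mailing-list thread. The cipher
list and the zeroed random/challenge values are assumptions for illustration."""
import socket
import struct

# A few common TLS 1.0-1.2 suites; chosen as an assumption for the probe.
DEFAULT_SUITES = (0xC02F, 0xC030, 0xC013, 0xC014, 0x009C, 0x002F, 0x0035)

# TLS AlertDescription values (RFC 5246 section 7.2). OpenSSL prints a received
# description 40 as "sslv3 alert handshake failure" regardless of TLS version.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}


def build_tls_client_hello(client_version=(3, 3), suites=DEFAULT_SUITES):
    """ClientHello inside a TLS record (content type 22 = handshake).

    The record-layer version is pinned to (3, 1) = TLS 1.0, the usual choice
    for a first flight; client_version is the highest version offered.
    """
    client_random = b"\x00" * 32                    # constructed, fixed for determinism
    cipher_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!BB", *client_version) + client_random
            + b"\x00"                               # empty session id
            + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_sslv2_client_hello(client_version=(3, 3), suites=DEFAULT_SUITES):
    """The same offer in SSL 2.0 CLIENT-HELLO framing (RFC 5246 appendix E.2).

    Two-byte header with the high bit set and the length in the low 15 bits,
    then msg_type 1, version, three lengths, 3-byte cipher specs, an empty
    session id and a 32-byte challenge.
    """
    challenge = b"\x00" * 32                        # constructed, fixed for determinism
    specs = b"".join(b"\x00" + struct.pack("!H", s) for s in suites)  # TLS suite as V2CipherSpec
    body = (b"\x01" + struct.pack("!BB", *client_version)
            + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_server_response(data):
    """Classify the first TLS record of a server reply.

    Returns ("alert", info), ("server_hello", info), ("other", info) or
    ("truncated", None).
    """
    if len(data) < 5:
        return ("truncated", None)
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == 21 and len(payload) >= 2:           # alert record
        level, desc = payload[0], payload[1]
        return ("alert", {
            "record_version": (vmaj, vmin),
            "level": "fatal" if level == 2 else "warning",
            "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc),
        })
    if ctype == 22 and len(payload) >= 39 and payload[0] == 2:  # server_hello(2)
        # 4-byte handshake header, then version(2) random(32) sid_len(1) sid suite(2)
        sid_len = payload[38]
        if len(payload) < 41 + sid_len:
            return ("truncated", None)
        suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
        return ("server_hello", {"version": (payload[4], payload[5]),
                                 "cipher_suite": suite})
    return ("other", {"content_type": ctype})


def probe(host, port, framing="tls", timeout=5.0):
    """Send one hello in the requested framing ("tls" or "sslv2") and decode the reply."""
    hello = build_tls_client_hello() if framing == "tls" else build_sslv2_client_hello()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        reply = sock.recv(4096)
    return parse_server_response(reply)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumed defaults
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for framing in ("tls", "sslv2"):
        print(framing, probe(host, port, framing))
```

Run it as `python probe.py host 443`. If the TLS-framed hello gets a ServerHello while the SSLv2-framed one gets a fatal handshake_failure, the server is rejecting the old framing and the client is the thing to fix; if both framings get handshake_failure, the mismatch is in the cipher suites or protocol versions actually enabled on the connector, and adding SSLv2Hello will not help.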