Chris,

In Tomcat 7.0.68 we added SSLv2Hello to allow our clients to connect, but that does not work in versions after that. Maybe they changed the meaning of that protocol addition.

However, I changed the C++ POCO client to only use TLSv1.x and removed the SSLv2Hello protocol from the Tomcat config. Works fine. I just need to change our reference implementation in Python to stop using SSL23 too (which I do not know how to do yet, but that's another story).

I'm still learning the client and server parts of HTTPS and your valuable information is really helpful.

Thanks for your help,
Magnus

On 2016-09-28 17:48, Christopher Schultz wrote:
> Magnus,
>
> On 9/28/16 2:20 AM, Persson, Magnus (SE-TLX) wrote:
>> The Java servlet (in the webapps folder) was written by a consultant
>> and I have only looked at parts of the source code and don't know
>> all that it does.
>>
>> The purpose is to give external integrators a way in to our
>> software through a REST API. We have made a reference client in
>> Python that connects, creates a session and can send POST, GET,
>> DELETE, etc.
>
> Understood. The implementation of the servlet is largely irrelevant,
> since Tomcat is handling the TLS configuration.
>
>> This sample client will get this 'hello' SSL error with Tomcat
>> versions greater than 7.0.68. I have also tested a client in C++
>> that uses the POCO library. Same hello error.
>
> So you are using a C++ client using POCO. It looks like POCO is using
> OpenSSL under the hood.
>
>> Since we have only specified the TLSv1.x protocols in the Tomcat
>> config I assume the initial hello request is encapsulated in an
>> SSL2 frame by one of the TLSv1.x protocols.
>
> That's not the exact mechanics, but it's close enough. The problem is
> that the TLS handshake is not compatible with the SSLv2Hello-based
> one. So if the server supports only TLS and the client is expecting to
> be able to initiate an SSLv2Hello, then the client will get an error.
>
>> The purpose of adding SSLv2Hello was to allow this initial hello
>> request.
>
> Understood.
>
>> If the problem is the Java servlet I'd like to correct it to not
>> encapsulate the hello request in an SSLv2/SSLv3 frame. Could this
>> be the problem or is it in the calling client?
>
> You can't fix the client's behavior by modifying the server.
>
> If you want to use only TLSv1 or later, then the best thing to do
> would be to update the client to only use TLS and not use SSL at all.
>
> On the other hand, SSLv2Hello *should* work from within Tomcat. With a
> fresh Tomcat, if you add "SSLv2Hello" to the sslEnabledProtocols list,
> can you make a connection from a client that supports TLSv1+ and uses
> an SSLv2Hello handshake?
>
> -chris
>
>> On 2016-09-27 23:07, Christopher Schultz wrote:
>> Magnus,
>>
>> On 9/27/16 10:29 AM, Persson, Magnus (SE-TLX) wrote:
>>>>> We started out with Tomcat 7.0.35 and got that running with
>>>>> our REST servlet.
>>>>>
>>>>> When we upgraded to Tomcat 7.0.63 we got this error when we
>>>>> tried to create a new session:
>>>>>
>>>>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>>>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>>>>> failure" }
>>
>> This is an error message from OpenSSL. Is this the client that is
>> choking, or the server?
>>
>>>>> Through Google we found out that we needed to add
>>>>> "SSLv2Hello" to the enabled protocols, so we changed our
>>>>> connector in server.xml like this (only added SSLv2Hello):
>>>>>
>>>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>>>> maxThreads="150" scheme="https" secure="true"
>>>>> keystoreFile="${catalina.base}/conf/keystore"
>>>>> keystorePass="*" clientAuth="false" sslProtocol="TLS"
>>>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
>>>>> URIEncoding="UTF-8" />
>>>>>
>>>>> We upgraded to Tomcat 7.0.68 and it works fine with the above
>>>>> connector in server.xml.
>>
>> Do you absolutely need to accept SSLv2Hello-formatted handshakes?
>> Most of the web has abandoned SSLv3 and below at this point, so
>> SSLv2Hello should no longer be necessary.
>>
>>>>> When we upgraded to Tomcat 7.0.70 we got the sslv3 error
>>>>> again even though we have SSLv2Hello in the enabled
>>>>> protocols:
>>>>>
>>>>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>>>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>>>>> failure" }
>>>>>
>>>>> What do we need to change in the server.xml file to bypass
>>>>> the ssl3 error this time?
>>
>> That depends upon where you are actually getting that error.
>>
>> -chris
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
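Three things in the exchange above are worth pinning down in code: what the OpenSSL error code in the Python client's message actually encodes (Chris's question of whether the client or the server is "choking"), what an SSLv2-compatible ClientHello, the form Tomcat's JSSE "SSLv2Hello" pseudo-protocol accepts, looks like on the wire next to the record-layer ClientHello that a TLS-only client sends (Chris's point that the two handshakes are not compatible), and how to make a Python client speak only TLS instead of the version-flexible SSL23 method Magnus wants to drop. The block below is an added example written for this page; it is not code from the thread, from Tomcat or from POCO. The two `build_*` helpers and the byte strings they produce are constructed sample input; `decode_openssl_error` applies the OpenSSL 1.0.x error packing (lib<<24 | func<<12 | reason) and the SSL library's convention that reason codes 1000-1255 mean an alert received from the peer; the host name in the usage comment is a placeholder.

```python
"""Added example for this thread: not code from the thread, Tomcat or POCO.

decode_openssl_error()    - unpack the OpenSSL 1.0.x error code from the client's message
classify_client_hello()   - SSLv2-compatible ClientHello vs. TLS record-layer ClientHello
tls_only_client_context() - TLS-only Python client context replacing PROTOCOL_SSLv23
"""
import ssl
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def decode_openssl_error(code: int) -> dict:
    """OpenSSL 1.0.x packs errors as lib<<24 | func<<12 | reason.  In the SSL
    library (lib 20) reasons 1000-1255 are SSL_R_*_ALERT_*: an alert received
    from the peer whose alert number is reason - 1000."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    peer_alert = reason - 1000 if lib == 20 and 1000 <= reason <= 1255 else None
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": peer_alert}


def build_sslv2_hello(version, suites, v2_ciphers=(), challenge=b"\x11" * 16):
    """Constructed sample: SSLv2-compatible ClientHello (RFC 5246 App. E.2).
    2-byte header with the high bit set (length in the low 15 bits), then
    msg_type 1, highest supported version, cipher_spec/session_id/challenge
    lengths, 3-byte cipher specs (SSLv3/TLS suites as 0x00 + suite id), challenge."""
    specs = b"".join(b"\x00" + struct.pack("!H", s) for s in suites)
    specs += b"".join(c.to_bytes(3, "big") for c in v2_ciphers)
    body = b"\x01" + struct.pack("!HHHH", version, len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_tls_client_hello(version, suites, random=b"\x22" * 32):
    """Constructed sample: record-layer ClientHello as a TLS-only client sends it:
    record type 22, record version, length; handshake type 1, 3-byte length;
    client_version, random, session_id, cipher_suites, compression_methods
    (no extensions, to keep the sample short)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = struct.pack("!H", version) + random + b"\x00"
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def classify_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends.  The SSLv2-compatible form is what
    Tomcat's 'SSLv2Hello' pseudo-protocol accepts; the TLS record form needs only
    TLSv1.x in sslEnabledProtocols.  Returns format, version and cipher suites."""
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if length < 9 or len(body) < 9:
            return {"format": "truncated"}
        version = struct.unpack("!H", body[1:3])[0]
        cs_len, sid_len, ch_len = struct.unpack("!HHH", body[3:9])
        if len(body) < length or len(body) < 9 + cs_len + sid_len + ch_len or cs_len % 3:
            return {"format": "truncated"}
        specs = body[9:9 + cs_len]
        suites = [struct.unpack("!H", specs[i + 1:i + 3])[0]
                  for i in range(0, cs_len, 3) if specs[i] == 0]  # skip pure-SSLv2 ciphers
        return {"format": "sslv2-hello", "version": version, "cipher_suites": suites}
    if len(data) >= 5 and data[0] == 0x16 and data[5:6] == b"\x01":
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(hs) < 4 + hs_len or len(body) < 35:
            return {"format": "truncated"}
        version = struct.unpack("!H", body[0:2])[0]  # TLS 1.3 still writes 0x0303 here
        pos = 35 + body[34]                           # skip 32-byte random + session id
        if len(body) < pos + 2:
            return {"format": "truncated"}
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        specs = body[pos + 2:pos + 2 + cs_len]
        if len(specs) < cs_len:
            return {"format": "truncated"}
        suites = [struct.unpack("!H", specs[i:i + 2])[0] for i in range(0, cs_len, 2)]
        return {"format": "tls-record", "version": version, "cipher_suites": suites}
    return {"format": "unknown"}


def tls_only_client_context(cafile=None, minimum=ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """TLS-only replacement for the legacy PROTOCOL_SSLv23 client setup.
    PROTOCOL_TLS_CLIENT turns on certificate and host-name verification;
    minimum_version pins the floor so no SSLv3/TLSv1.0 negotiation is possible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    return ctx


if __name__ == "__main__":
    print(decode_openssl_error(0x14077410))
    v2 = build_sslv2_hello(0x0303, [0x002F, 0xC02F], v2_ciphers=[0x010080])
    tls = build_tls_client_hello(0x0303, [0xC02F, 0x002F])
    for hello in (v2, tls):
        info = classify_client_hello(hello)
        print(info["format"], VERSION_NAMES.get(info["version"]), [hex(s) for s in info["cipher_suites"]])
    # Real use (host is a placeholder):
    #   ctx = tls_only_client_context()
    #   ctx.wrap_socket(socket.create_connection((host, 443)), server_hostname=host)
```

Decoding 0x14077410 gives lib 20 (SSL), function 119 (SSL23_GET_SERVER_HELLO) and reason 1040, i.e. alert 40 (handshake_failure) received from the peer: the Python client prints it, but the server sent it, which is the answer to Chris's question. `tls_only_client_context()` is the TLS-only replacement for `ssl.PROTOCOL_SSLv23` in the reference client; with the OpenSSL 1.1+ that Python's `minimum_version` API requires, `ctx.wrap_socket(sock, server_hostname=host)` sends a record-layer ClientHello and never the SSLv2-compatible form, so the Tomcat connector needs no SSLv2Hello entry and can list TLSv1.2 alone.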