2011/11/6 Kobe <r...@mailcity.com>:
>
> I build tcnative and apr from src with exist ver of openssl (means openssl
> not built by me). I load apr connector in tomcat as below.
>
> When my client connects, I cannot connect: I get "bad version".
> Please explain what I do wrong?
>
>
> server# ./apr-1-config --version
> 1.4.5
> server#
> server# openssl version
> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> server#
>
> /// APR Connector Configuration in Tomcat6
> <Connector port="443"
>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>     enableLookups="false" disableUploadTimeout="true"
>     acceptCount="100" scheme="https" secure="true"
>     SSLCertificateFile="server_certificate.pem"
>     SSLCertificateChainFile="cachain.pem"
>     SSLCertificateKeyFile="server.key"
> />
>
>
> $ openssl s_client -connect server.xxx.net:443 -debug -ssl3
> 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:

And what happens with
$ openssl s_client -connect server.xxx.net:443 -debug -tls1
?

What is on line 293 in s3_pkt.c in the version of openssl the client side
of the connection is using?

My quick guess is that client & server cannot negotiate a protocol version.
There are some options on <Connector> that might be used to configure
protocols & ciphers that are supported.

Note that
- There were several security fixes in OpenSSL since the version that
  you are using.
- You may try googling for your error message. It is mentioned a lot of times.
- You are not mentioning what version of Tomcat x.y.z you are using.
- There might be some messages in Tomcat log files. Does Tomcat start up cleanly?

Re: Andre's question:
That is openssl in command-line client mode, as a test of whether it can
connect to the server.

Best regards,
Konstantin Kolinko
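Added example, not part of the thread and not OpenSSL's own code: a general illustration of the 5-byte SSL/TLS record header (content type, version major/minor, length) that a client reads first, and of the ways that check can end in a version error. The function name and the sample byte strings are constructed for illustration; the bytes from a real connection would come from the `-debug` output of `openssl s_client`.

```python
import struct

# Record-layer content types and versions for SSL 3.0 / TLS 1.x.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def classify_first_bytes(data, expected=(3, 0)):
    """Classify the first bytes a server returned after a ClientHello.

    expected is the (major, minor) the client insisted on, e.g. (3, 0)
    for -ssl3 or (3, 1) for -tls1. Returns (verdict, detail).
    """
    if len(data) < 5:
        return ("short", "fewer than 5 bytes, no complete record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if major != 3 or ctype not in CONTENT_TYPES:
        # Printable ASCII in the header slot means the peer is not speaking
        # TLS on this port at all (for example a cleartext HTTP reply).
        if all(32 <= b < 127 for b in data[:5]):
            return ("plaintext", "peer sent %r, not a TLS record"
                    % data[:5].decode("ascii"))
        return ("not-tls", "header bytes %s" % data[:5].hex())
    name = VERSIONS.get((major, minor), "unknown 3.%d" % minor)
    if (major, minor) != expected:
        return ("version-mismatch", "%s record, client expected %s"
                % (name, VERSIONS.get(expected, "unknown")))
    if ctype == 21 and len(data) >= 7:
        # Alert body: one byte level, one byte description.
        return ("alert", "%s alert level=%d description=%d"
                % (name, data[5], data[6]))
    return ("ok", "%s %s record, %d bytes" % (name, CONTENT_TYPES[ctype], length))


# Constructed sample inputs (not captured from the server in the thread).
SAMPLES = {
    "sslv3 handshake": bytes.fromhex("160300004a"),
    "tls1.0 handshake": bytes.fromhex("160301004a"),
    "sslv3 fatal alert": bytes.fromhex("15030000020228"),
    "cleartext reply": b"HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print("%-18s %s" % (label, classify_first_bytes(raw)))
```

A "plaintext" or "not-tls" verdict points at the listener rather than at protocol negotiation, which is worth ruling out before tuning protocol and cipher options on the <Connector>.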