Thanks for your help. Here is more info on my setup: Tomcat version 6.0.29.
And Tomcat is starting clean; no errors while loading.
If I use tls1, I get the same error as before ("bad version").
When I test with openssl s_client, I check line 293 of s3_pkt.c. It says:

    if ((version>>8) != SSL3_VERSION_MAJOR)
        {
        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
        goto err;
        }

So the client wants SSL version 3. But I have the same error with the browser. I
do not/cannot find what version the browser wants - I think it is 3.

Konstantin Kolinko wrote:
>
> 2011/11/6 Kobe <[email protected]>:
>>
>> I built tcnative and apr from source with the existing version of openssl
>> (meaning openssl was not built by me). I load the apr connector in tomcat
>> as below.
>>
>> When my client connects, I cannot connect: I get "bad version".
>> Please explain what I am doing wrong?
>>
>>
>> server# ./apr-1-config --version
>> 1.4.5
>> server#
>> server# openssl version
>> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>> server#
>>
>> /// APR Connector Configuration in Tomcat6
>> <Connector port="443"
>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>> enableLookups="false" disableUploadTimeout="true"
>> acceptCount="100" scheme="https" secure="true"
>> SSLCertificateFile="server_certificate.pem"
>> SSLCertificateChainFile="cachain.pem"
>> SSLCertificateKeyFile="server.key"
>> />
>>
>>
>> $ openssl s_client -connect server.xxx.net:443 -debug -ssl3
>
>> 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
>> number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
>
> And what happens with
> $ openssl s_client -connect server.xxx.net:443 -debug -tls1
> ?
>
> What is on line 293 in s3_pkt.c in the version of openssl the client
> side of the connection is using?
>
> My quick guess is that client & server cannot negotiate protocol version.
> There are some options on <Connector> that might be used to configure
> protocols & ciphers that are supported.
>
> Note that
> - There were several security fixes in OpenSSL since that version that
> you are using.
> - You may try googling for your error message. It is mentioned a lot of
> times.
> - You are not mentioning what version of Tomcat x.y.z you are using.
> - There might be some messages in Tomcat log files. Does Tomcat start
> up cleanly?
>
> Re: Andre's question:
> That is openssl in command-line client mode, as a test whether it can
> connect to the server.
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>
>
--
View this message in context:
http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32805993.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
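
Added example, not part of either message above and not OpenSSL's own code: a small C program that applies the comparison quoted from line 293 of s3_pkt.c to the 5-byte record header (type, version, length). The function and enum names and the three sample headers are constructed for illustration; they show that the major byte is 3 for both SSLv3 (0x0300) and TLS 1.0 (0x0301), and that bytes which are not an SSL/TLS record fail the check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SSL3_VERSION_MAJOR 0x03   /* same value OpenSSL defines in ssl3.h */

/* Hypothetical names for this example. */
enum rec_check { REC_OK, REC_SHORT, REC_WRONG_VERSION, REC_BAD_TYPE };
struct rec_hdr { uint8_t type; uint16_t version; uint16_t length; };

/* Record header layout: type(1) | version(2) | length(2), big-endian. */
enum rec_check check_record_header(const uint8_t *p, size_t n, struct rec_hdr *out)
{
    if (n < 5)
        return REC_SHORT;
    out->type    = p[0];
    out->version = (uint16_t)((p[1] << 8) | p[2]);
    out->length  = (uint16_t)((p[3] << 8) | p[4]);
    /* The test quoted in the thread: only the major byte is compared. */
    if ((out->version >> 8) != SSL3_VERSION_MAJOR)
        return REC_WRONG_VERSION;
    /* Content types: 20 change_cipher_spec, 21 alert, 22 handshake, 23 data. */
    if (out->type < 20 || out->type > 23)
        return REC_BAD_TYPE;
    return REC_OK;
}

/* Constructed sample headers (not captured traffic). */
static const uint8_t ssl3_rec[5] = { 0x16, 0x03, 0x00, 0x00, 0x4a }; /* SSLv3 handshake */
static const uint8_t tls1_rec[5] = { 0x16, 0x03, 0x01, 0x00, 0x4a }; /* TLS 1.0 handshake */
static const uint8_t not_tls[5]  = { 'H', 'T', 'T', 'P', '/' };      /* not a record */

int main(void)
{
    const uint8_t *samples[] = { ssl3_rec, tls1_rec, not_tls };
    const char *names[] = { "ssl3_rec", "tls1_rec", "not_tls" };
    for (int i = 0; i < 3; i++) {
        struct rec_hdr h = { 0, 0, 0 };
        enum rec_check r = check_record_header(samples[i], 5, &h);
        printf("%-8s version=0x%04x major=0x%02x -> %s\n", names[i],
               (unsigned)h.version, (unsigned)(h.version >> 8),
               r == REC_OK ? "ok" : r == REC_WRONG_VERSION ? "wrong version number"
                                                           : "rejected");
    }
    return 0;
}
```

With -debug, openssl s_client dumps the bytes it reads, so the first five bytes of the server's reply can be compared with this layout.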