Thank you, Chris. I know the server (APR) is sending SSLv2 ClientHello because
ssl debugs show it:


     // from ${CATALINA_HOME}/bin/setenv.sh:
     export JAVA_OPTS="... -Djavax.net.debug=ssl"
     //...

   # sh ${CATALINA_HOME}/bin/startup.sh

   // from client
    $ openssl s_client -connect server.xxx.net:443 -debug -ssl3

   // from ${CATALINA_HOME}/logs/catalina.out
   ...
   sending SSLv2 ClientHello       <<----   server issues only SSLv2 ClientHello


But same openssl version (FIPS) connects with SSLv3 on another machine.
So I am thinking there is openssl misconfig on this server.

Many thanks.

/Kobe


Christopher Schultz-2 wrote:
> 
> Kobe,
> 
> On 11/8/11 2:01 PM, Kobe wrote:
>> Thanks for your help. Here is more info on my setup: tomcat version
>> 6.0.29. And tomcat is starting clean; no errors while loading.
>> 
>> If I use tls1, I get same error as before ("bad version").
>> 
>> When I test with openssl s_client, I check line 293 of s3_pkt.c. It
>> says -->
>> 
>> 
>> if ((version>>8) != SSL3_VERSION_MAJOR) {
>>     SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
>>     goto err;
>> }
>> 
>> 
>> 
>> So client is wanting ssl version 3. But I have same error with
>> browser. I do not/cannot find what version browser wants - I think
>> it is 3.
> 
> Your web browser likely has SSL 2.0 disabled entirely. You should
> check which types of SSL/TLS are enabled.
> 
>> So I am thinking there is a misconfiguration on this server. I would
>> like to find why this server responds with SSLv2 ClientHello instead
>> of SSLv3 ClientHello.
> 
> Why do you think you are getting an SSLv2 reply?
> 
>> How do I find this misconfiguration?
> 
> Are you using the same version of openssl as the "client" as you are
> using within Tomcat? I wonder if the FIPS mode is tripping you up.
> 
> -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> 

-- 
View this message in context: 
http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32808893.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
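
Added example (not part of the original thread, and not OpenSSL or Tomcat code): a small C sketch of why the version check quoted above rejects an SSLv2-framed ClientHello while accepting an SSLv3 record. The function names, the enum and the two 5-byte samples are constructed for illustration; the version test is a simplified mirror of the quoted line.

```c
/* Added example: constructed bytes, simplified from the SSLv2 and SSLv3 header layouts. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSL3_VERSION_MAJOR 0x03  /* value the quoted check compares against */

enum hello_kind { HELLO_TOO_SHORT, HELLO_SSL2_FRAMED, HELLO_SSL3_RECORD, HELLO_UNKNOWN };

/* Constructed samples: first 5 bytes of each kind of hello. */
static const uint8_t SAMPLE_SSL2_HELLO[] = { 0x80, 0x2e, 0x01, 0x03, 0x00 };
static const uint8_t SAMPLE_SSL3_HELLO[] = { 0x16, 0x03, 0x00, 0x00, 0x61 };

/* Decide which framing the first bytes of a connection use. */
enum hello_kind classify_hello(const uint8_t *p, size_t n)
{
    if (n < 5)
        return HELLO_TOO_SHORT;
    /* SSLv3/TLS record header: type(1) = 22 (handshake), version(2), length(2). */
    if (p[0] == 22 && p[1] == SSL3_VERSION_MAJOR)
        return HELLO_SSL3_RECORD;
    /* SSLv2 header: 2-byte length with the top bit set, then msg type 1 (CLIENT-HELLO). */
    if ((p[0] & 0x80) && p[2] == 1)
        return HELLO_SSL2_FRAMED;
    return HELLO_UNKNOWN;
}

/* Simplified mirror of the quoted check: bytes 1-2 are read as the record version. */
int ssl3_record_version_ok(const uint8_t *p, size_t n)
{
    unsigned version;
    if (n < 3)
        return 0;
    version = ((unsigned)p[1] << 8) | p[2];
    return (version >> 8) == SSL3_VERSION_MAJOR;
}

int main(void)
{
    static const char *names[] = { "too short", "SSLv2-framed hello", "SSLv3/TLS record", "unknown" };
    printf("sample 1: %s, version check %s\n", names[classify_hello(SAMPLE_SSL2_HELLO, 5)],
           ssl3_record_version_ok(SAMPLE_SSL2_HELLO, 5) ? "passes" : "fails");
    printf("sample 2: %s, version check %s\n", names[classify_hello(SAMPLE_SSL3_HELLO, 5)],
           ssl3_record_version_ok(SAMPLE_SSL3_HELLO, 5) ? "passes" : "fails");
    return 0;
}
```

In the SSLv2-framed sample the byte an SSLv3-only reader takes as the major version is really the low byte of the SSLv2 length field, so the comparison with SSL3_VERSION_MAJOR fails even though the hello itself advertises version 3.0.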

