Hi Kobe;

I can see why it looks like the server is sending the message, but I think there's some reference that's being missed. The SSL debug should show Client messages and Server messages. One thing that's certain, the SSLv2 ClientHello is a client message sent by the client. This message is never sent by the server.

On a separate note, the APR is very strict about enforcing TLSv1. When it's configured for TLSv1, it immediately terminates the connection if it receives any SSLv2 ClientHello or SSLv3 ClientHello. If you have a server with an active APR that's accepting the SSLv2 (or SSLv3) ClientHello, then the value of SSLProtocol is "all" (default), "SSLv2", "SSLv3", or "SSLv2+SSLv3".

Regards,
Steve
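An added illustration of the distinction Steve draws (not code from this thread, Tomcat, APR or OpenSSL): a small Python classifier that reads the first bytes a peer sends on a socket and reports whether they are an SSLv2-format ClientHello, an SSLv3/TLS record-layer ClientHello, or a record whose version major byte fails the same `!= SSL3_VERSION_MAJOR` check Kobe quoted from s3_pkt.c. The sample byte strings are constructed by hand, not captured from anyone's server.

```python
# Added illustration for this thread, not code from Tomcat, APR or OpenSSL.
# Reads the first bytes a peer sends and says which kind of hello they are.
# Sample byte strings further down are constructed by hand, not captured traffic.
import struct

SSL3_VERSION_MAJOR = 3  # the constant the quoted s3_pkt.c check compares against

VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def classify_hello(data: bytes) -> dict:
    """Classify the opening bytes of a handshake.

    SSLv2-format ClientHello: 2-byte header with the high bit set (15-bit length),
    then message type 1 (CLIENT-HELLO), then the 2-byte version the client offers.
    SSLv3/TLS: record header of content type 22 (handshake), 2-byte record version,
    2-byte length, then a handshake header whose type 1 is ClientHello.
    Only a client ever sends either form; a server answers with a ServerHello.
    """
    if len(data) < 5:
        return {"kind": "too-short"}
    if data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        version = (data[3], data[4])
        return {"kind": "sslv2-clienthello", "length": length, "version": version,
                "version_name": VERSION_NAMES.get(version, "%d.%d" % version)}
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if content_type != 22:
        return {"kind": "not-handshake", "content_type": content_type}
    if major != SSL3_VERSION_MAJOR:
        # Exactly the condition behind SSL_R_WRONG_VERSION_NUMBER ("bad version")
        return {"kind": "wrong-version-number", "version": (major, minor)}
    if len(data) < 6 or data[5] != 0x01:
        return {"kind": "handshake-not-clienthello", "version": (major, minor)}
    return {"kind": "sslv3-clienthello", "length": length, "version": (major, minor),
            "version_name": VERSION_NAMES.get((major, minor), "%d.%d" % (major, minor))}


# Constructed samples: an SSLv2-format hello offering TLS 1.0 (what a client that
# still speaks the v2 format sends), and an SSLv3 record-layer hello (openssl -ssl3).
SAMPLE_V2_HELLO = b"\x80\x2e\x01\x03\x01" + b"\x00" * 44
SAMPLE_V3_HELLO = b"\x16\x03\x00\x00\x41\x01" + b"\x00" * 64

if __name__ == "__main__":
    for name, sample in (("v2", SAMPLE_V2_HELLO), ("v3", SAMPLE_V3_HELLO)):
        print(name, classify_hello(sample))
```

Feeding the bytes from a `-Djavax.net.debug=ssl` dump or a packet capture into `classify_hello` shows which side produced a given hello and which version it carries, which is the check that settles the question in this thread.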
________________________________
From: users-return-229208-STEVEN.J.ADAMUS=saic....@tomcat.apache.org on behalf of Kobe
Sent: Tue 11/8/2011 10:20 PM
To: users@tomcat.apache.org
Subject: Re: SSL connect to APR fails - "bad version"

Thank you Chris. I know the server (APR) is sending SSLv2 ClientHello because ssl debugs show it:

// from ${CATALINA_HOME}/bin/setenv.sh:
export JAVA_OPTS="... -Djavax.net.debug=ssl"
//...
# sh ${CATALINA_HOME}/bin/startup.sh

// from client
$ openssl s_client -connect server.xxx.net:443 -debug -ssl3

// from ${CATALINA_HOME}/logs/catalina.out
...
sending SSLv2 ClientHello    <<---- server issues only SSLv2 ClientHello

But same openssl version (FIPS) connects with SSLv3 on another machine. So I am thinking there is openssl misconfig on this server.

many thanks.
/Kobe

Christopher Schultz-2 wrote:
>
> Kobe,
>
> On 11/8/11 2:01 PM, Kobe wrote:
>> thanks for your help. here is more info on my setup: tomcat version
>> 6.0.29. And tomcat is starting clean; no errors while loading.
>>
>> if I use tls1, I get same error as before ("bad version").
>>
>> when i test with openssl s_client, I check line 293 of s3_pkt.c. it
>> say -->
>>
>> if ((version>>8) != SSL3_VERSION_MAJOR) {
>>     SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
>>     goto err;
>> }
>>
>> so client is wanting ssl version 3. But i have same error with
>> browser. i do not/cannot find what version browser wants - i think
>> it is 3.
>
> Your web browser likely has SSL 2.0 disabled entirely. You should
> check which types of SSL/TLS are enabled.
>
>> So I am thinking, there is misconfigure on this server. i would
>> like to find why this server respond with SSLv2 ClientHello instead
>> of SSLv3 ClientHello.
>
> Why do you think you are getting an SSLv2 reply?
>
>> how do i find this misconfiguration?
>
> Are you using the same version of openssl as the "client" as you are
> using within Tomcat?
> I wonder if the FIPS mode is tripping you up.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org