Re: SSLProtocol with TLSv1+SSLv3 or SSLv3+TLSv1 does not work APR based Apache Tomcat Native 1.1.20 or 1.1.22

2012-02-21 Thread Konstantin Kolinko
2012/2/22 Mark Anthony marcmanth...@yahoo.com:
 Referring to
 http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/sslcontext.c?r1=1149279view=log
 there's something that's broken that does not support TLSv1+SSLv3.  Tomcat
 Version 6.0.35  APR Details :
 INFO: Loaded APR based Apache Tomcat Native library 1.1.22.
 Feb 19, 2012 10:22:55 PM org.apache.catalina.core.AprLifecycleListener init
 INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
 random [true]. Tomcat Server.xml
 (...)


Read the docs - there is no such value as TLSv1+SSLv3.

The old versions just fall back to the value of all when facing an
unrecognized value.  The new version treats this misconfiguration as a
fatal error.


Some time recently the support for arbitrary TLS protocol combinations
was implemented in trunk, but that new feature has not been backported
to 6.0 yet. Note that it will require a certain version of
Tomcat-Native.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
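
A check that makes the point of this reply concrete (an older Tomcat 6 silently fell back to all when SSLProtocol held a value it did not recognize, 6.0.35 refuses to start, and Tomcat 7 accepts "+"-separated combinations), and Rainer's point further down that the absence of an error message in older releases does not mean the setting worked. This is an added example, not Tomcat code and not code from anyone in the thread: a small Python linter that reads a server.xml and reports which protocol versions each SSLEnabled connector would actually offer under each of the three behaviours. Assumptions not stated in the thread: the set of values Tomcat 6 accepts (all, SSLv2, SSLv3, TLSv1, SSLv2+SSLv3) is taken from the Tomcat 6 APR connector documentation, and "all" is taken to mean SSLv2+SSLv3+TLSv1; the sample server.xml is constructed.

```python
"""Lint SSLProtocol on Tomcat APR/native connectors in a server.xml.

Added example for this thread; it is not Tomcat code and not code from any
poster. It models the three behaviours described in the thread:
  * Tomcat 6 before 6.0.35: an unrecognised value silently became "all"
  * Tomcat 6.0.35:          an unrecognised value is a fatal startup error
  * Tomcat 7:               "+"-separated combinations of known names work
Assumptions (not stated in the thread): the Tomcat 6 accepted values are
all, SSLv2, SSLv3, TLSv1 and SSLv2+SSLv3, as the Tomcat 6 APR connector
docs list them, and "all" is taken to mean SSLv2+SSLv3+TLSv1.
"""
import xml.etree.ElementTree as ET

KNOWN = ("SSLv2", "SSLv3", "TLSv1")
TOMCAT6_VALUES = {"all", "sslv2", "sslv3", "tlsv1", "sslv2+sslv3"}
WEAK = {"SSLv2", "SSLv3"}          # what you do not want silently enabled
INVALID = "An invalid value [%s] was provided for the SSLProtocol attribute"


def expand(value):
    """Protocol names a syntactically valid value enables ("all" -> every KNOWN)."""
    parts = {p.strip().lower() for p in value.split("+")}
    if "all" in parts:
        return set(KNOWN)
    return {name for name in KNOWN if name.lower() in parts}


def effective_protocols(value, behaviour):
    """Return (protocols, note) for SSLProtocol=value under one Tomcat behaviour.

    Raises ValueError where that Tomcat would refuse to start the connector.
    behaviour is one of "6-old", "6.0.35", "7".
    """
    if value is None or not value.strip():
        return set(KNOWN), "attribute absent, default is all"
    v = value.strip()
    if behaviour in ("6-old", "6.0.35"):
        # Tomcat 6 compares the whole string, so SSLv3+SSLv2 is not SSLv2+SSLv3.
        if v.lower() in TOMCAT6_VALUES:
            return expand(v), "configured"
        if behaviour == "6-old":
            return set(KNOWN), "unrecognised value silently treated as all"
        raise ValueError(INVALID % v)
    if behaviour == "7":
        allowed = {k.lower() for k in KNOWN} | {"all"}
        if all(p.strip().lower() in allowed for p in v.split("+")):
            return expand(v), "configured"
        raise ValueError(INVALID % v)
    raise ValueError("unknown Tomcat behaviour %r" % behaviour)


def lint_server_xml(xml_text, behaviour):
    """One finding per SSLEnabled connector: which protocols it really offers."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        value = conn.get("SSLProtocol")
        finding = {"port": conn.get("port"), "value": value, "fatal": False}
        try:
            protos, note = effective_protocols(value, behaviour)
        except ValueError as err:
            finding.update(protocols=set(), note=str(err), fatal=True)
        else:
            weak = sorted(protos & WEAK)
            if weak:
                note += "; offers " + "+".join(weak)
            finding.update(protocols=protos, note=note)
        findings.append(finding)
    return findings


# Constructed sample: the thread's connector (port 30002) plus a correct one.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="30001" protocol="HTTP/1.1"/>
    <Connector port="30002" SSLEnabled="true" scheme="https" secure="true"
               SSLCipherSuite="HIGH:!ADH:!MD5" SSLProtocol="TLSv1+SSLv3"
               SSLCertificateFile="/path/to/tomcat.crt"
               SSLCertificateKeyFile="/path/to/tomcat.key"/>
    <Connector port="30003" SSLEnabled="true" scheme="https" secure="true"
               SSLProtocol="TLSv1"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for behaviour in ("6-old", "6.0.35", "7"):
        print("== Tomcat %s ==" % behaviour)
        for f in lint_server_xml(SAMPLE_SERVER_XML, behaviour):
            state = "FATAL" if f["fatal"] else "+".join(sorted(f["protocols"]))
            print("  port %s SSLProtocol=%r -> %s (%s)"
                  % (f["port"], f["value"], state, f["note"]))
```

Feed a real server.xml to lint_server_xml and read the "6-old" row for the connector in question: a value like TLSv1+SSLv3 looked TLS-only to whoever wrote it, but the older Tomcat 6 was offering SSLv2 and SSLv3 as well. The configuration file is never the final word, though; confirm what a running connector negotiates from the outside, for instance with openssl s_client and its per-version options (-ssl2, -ssl3, -tls1) against the port.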



Re: SSLProtocol with TLSv1+SSLv3 or SSLv3+TLSv1 does not work APR based Apache Tomcat Native 1.1.20 or 1.1.22

2012-02-21 Thread Rainer Jung

On 21.02.2012 21:41, Mark Anthony wrote:

Referring to
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/sslcontext.c?r1=1149279view=log
there's something that's broken that does not support TLSv1+SSLv3.


No, it didn't break it.


 Tomcat Version 6.0.35  APR Details :
INFO: Loaded APR based Apache Tomcat Native library 1.1.22.
Feb 19, 2012 10:22:55 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
random [true]. Tomcat Server.xml
<Connector port="30002" SSLCipherSuite="HIGH:!ADH:!MD5"
SSLCertificateFile="/local/Tomcat6/0/cluster/machine0/tc6u/tomcat.crt"
SSLCertificateKeyFile="/local/Tomcat6/0/cluster/machine0/tc6u/tomcat.key"
SSLPassword="xxx" SSLProtocol="TLSv1+SSLv3" address="0.0.0.0" SSLEnabled="true"


TLSv1+SSLv3 is not allowed for Tomcat 6. It might be possible in the 
forthcoming version 6.0.36. It does work for Tomcat 7.



maxThreads="150" scheme="https" secure="true"/>

Error noticed in logs:

Feb 19, 2012 10:22:57 PM org.apache.coyote.http11.Http11AprProtocol init
SEVERE: Error initializing endpoint
java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the SSLProtocol attribute
    at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:724)
    at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:107)
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1049)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Feb 19, 2012 10:22:57 PM org.apache.catalina.core.StandardService initialize
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-30002]]
LifecycleException:  Protocol handler initialization failed: java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the SSLProtocol attribute
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1051)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Feb 19, 2012 10:22:57 PM org.apache.coyote.ajp.AjpAprProtocol init

Is there a workaround to this issue?


Tomcat 6 does not allow that combination. If you didn't get an error 
message with older releases, this does not mean that it has actually worked.



Tomcat 6.0.35 does not work with older 1.1.20 of the APR


Why do you think so?


Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init
INFO: An older version 1.1.20 of the APR based Apache Tomcat Native library is
installed, while Tomcat recommends version greater than 1.1.22


This is an info message containing a recommendation. Not an error.


Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
random [true].
Feb 21, 2012 1:38:55 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-0.0.0.0-30221
Feb 21, 2012 1:38:55 PM org.apache.coyote.http11.Http11AprProtocol init
SEVERE: Error initializing endpoint
java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the
SSLProtocol attribute


True, this value is not allowed, neither for Tomcat 6, nor for TC native 
1.1.20.


Either switch to TC 7 or use some other protocol setting, like ALL. 
With a little luck, the next Tomcat 6 release will have that feature 
backported from TC 7.


You can also apply the patch from

http://people.apache.org/~rjung/patches/tc6-apr-all-sslprotocol-r1145209.patch

and rebuild Tomcat 6.

Regards,

Rainer
