On 21.02.2012 21:41, Mark Anthony wrote:
Referring to http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/sslcontext.c?r1=1149279&view=log there is something that's broken that does not support TLSv1+SSLv3.
No it didn't break it.
Tomcat Version 6.0.35

APR Details :
INFO: Loaded APR based Apache Tomcat Native library 1.1.22.
Feb 19, 2012 10:22:55 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].

Tomcat Server.xml
<Connector port="30002"
    SSLCipherSuite="HIGH:!ADH:!MD5"
    SSLCertificateFile="/local/Tomcat6/0/cluster/machine0/tc6u/tomcat.crt"
    SSLCertificateKeyFile="/local/Tomcat6/0/cluster/machine0/tc6u/tomcat.key"
    SSLPassword="xxx"
    SSLProtocol="TLSv1+SSLv3"
    address="0.0.0.0" SSLEnabled="true"
TLSv1+SSLv3 is not allowed for Tomcat 6. It might be possible in the forthcoming version 6.0.36. It does work for Tomcat 7.
    maxThreads="150" scheme="https" secure="true"/>

Error noticed in logs:
--
Feb 19, 2012 10:22:57 PM org.apache.coyote.http11.Http11AprProtocol init
SEVERE: Error initializing endpoint
java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the SSLProtocol attribute
    at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:724)
    at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:107)
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1049)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Feb 19, 2012 10:22:57 PM org.apache.catalina.core.StandardService initialize
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-30002]]
LifecycleException: Protocol handler initialization failed: java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the SSLProtocol attribute
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1051)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Feb 19, 2012 10:22:57 PM org.apache.coyote.ajp.AjpAprProtocol init

Is there a workaround to this issue?
Tomcat 6 does not allow that combination. If you didn't get an error message with older releases this does not mean that it has actually worked.
Tomcat 6.0.35 does not work with older 1.1.20 of the APR
Why do you think so?
Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init
INFO: An older version 1.1.20 of the APR based Apache Tomcat Native library is installed, while Tomcat recommends version greater than 1.1.22
This is an info message containing a recommendation. Not an error.
Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Feb 21, 2012 1:38:55 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-0.0.0.0-30221
Feb 21, 2012 1:38:55 PM org.apache.coyote.http11.Http11AprProtocol init
SEVERE: Error initializing endpoint
java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the SSLProtocol attribute
True, this value is not allowed, neither for Tomcat 6, nor for TC native 1.1.20.
Either switch to TC 7 or use some other protocol setting, like "ALL". With a little luck, the next Tomcat 6 release will have that feature backported from TC 7.
You can also apply the patch from http://people.apache.org/~rjung/patches/tc6-apr-all-sslprotocol-r1145209.patch and rebuild Tomcat 6.

Regards,

Rainer