I was using SSLProtocol=TLSv1 explicitly. However, when I switched to
all the health monitor kicked back in. Interestingly though, I decided to
switch it back to my original APR configuration (the one that was giving me
issues with the health monitor in the first place) and the monitor
continued to work. Not sure why it's working now but I'm leaving my APR
connector with SSLProtocol=all since that's what seemed to resolve my
issue.
Thanks!
On Thu, Dec 11, 2014 at 5:02 PM, Christopher Schultz
ch...@christopherschultz.net wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Tadeusz,
On 12/11/14 2:15 PM, Sacilowski, Tadeusz wrote:
I'm in the process of upgrading our Tomcat servers to Tomcat 7
(7.0.57). I'm also trying to use the APR connector (TC-Native
1.1.32) for SSL. The servers sit behind an F5 load balancer (LTM
10.2.1) that uses an HTTP health monitor to mark nodes up/down.
Prior to updating to the APR connector, I was using NIO, with
SSLv3 disabled, and the health monitor worked properly:
sslProtocol=TLS
sslEnabledProtocols=TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello
The SSLv2Hello is necessary, as the F5 health monitor uses this and
there's apparently no way to force TLS with the version that we're
on (when I don't explicitly include it, the health monitor fails).
There are also possibly some legacy applications that would be
using the pseudo-protocol as well.
When trying to use the APR connector (with SSLv3 being disabled),
the health monitor fails to connect. Some troubleshooting with
OpenSSL (0.9.8x) indicated that I need to force a connection with
-tls1 in order for it to connect (see my post at stackoverflow:
http://stackoverflow.com/questions/27410851/openssl-s-client-cant-connect-to-tomcat-7-via-apr/27414403#27414403
).
I'm assuming the issue is because SSLv2Hello is disabled with the
APR connector... is there any way to explicitly enable is, as I do
in the NIO connector?
What does your APR connector configuration look like? From your SO
post it looks like you have TLSv1 only. What if you try all (the
default)? This will include only TLS protocols when using Tomcat
7.0.57 or later with tcnative 1.1.32 or later (and not SSL) but it
looks like OpenSSL might use SSLv2hello when there is more than one
protocol supported.
Your other option is to simply re-enable SSLv3 on the Tomcat server
and use your firewall to prevent anyone from connecting except for
your load-balancer (which, presumably, you trust). SSLv3 is only risky
when you don't trust your clients.
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJUihRjAAoJEBzwKT+lPKRYPXgP+wXY1FshX5CbS7MREsSCXW3L
JijWrldOTzN/jWEmmMOKEmJ1ff3SXjUPR2z5o5lTT5fGRBb190f4hOxWLqJke48d
1GJTmufQfYBGHZ/Bp43G/3WqwtsvqqznOUWzajcN/Vt+HWMbmRT3u5V/ApTAC+I/
uhzSjj07QvfU27pK/fFzgMZsN9InPoV5uibnUUhabu+6xtkk4gLYxi2LKRJjlM0j
HX7SQ0cnqpOxjqMDmQLVyaMLDI80e1XYGdtkEDnYYQQApe7eHHIyk9QrrEoNufpJ
VMuX/A7sX1f/kHvUQSey16YTBW/ujPFCjGG/j7Te32f4sHTE5eB1RdTdqpinlu5g
+2Ltm0t8tuczHsqogFB4+5M78jNcNCKBr3Gpq1CpxUdib3gmsTg9PRVOCIYQ6AiB
WtDfxIdIO4FV2fTyDTlk3jAx1SdwCe8ELmnjXd8wOzvWPDH4HbjLFu96oFcqjWsK
DB3psjBGTMzeVnAct46N7CZwLCFhziEaPyA+nBKdMCVQineVNxozT9h6fB5pykJ3
5AxlJa756fdi/zm5CDKDKWsTP/OeFllUA82rFeJX3ugjsBt+crKIToI1d8oDuglA
7aYVdvgiMKemutAaY4S4QTREdtbCtKjYgbKr0Ur9s88iKPVQ1IANawiUDLsSWT5n
aJw4LYHfurebFe+vOwez
=sz1Q
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
--
*Tadeusz Sacilowski*
*Manager, Portal Mobile Development*
Teachers College, Columbia University
sacilow...@tc.columbia.edu