Re: Tomcat 7 with APR connector: connection fails when client uses SSLv2Hello
I was using SSLProtocol="TLSv1" explicitly. However, when I switched to "all", the health monitor kicked back in. Interestingly though, I decided to switch it back to my original APR configuration (the one that was giving me issues with the health monitor in the first place) and the monitor continued to work. Not sure why it's working now, but I'm leaving my APR connector with SSLProtocol="all" since that's what seemed to resolve my issue.

Thanks!

On Thu, Dec 11, 2014 at 5:02 PM, Christopher Schultz ch...@christopherschultz.net wrote:

> Tadeusz,
>
> On 12/11/14 2:15 PM, Sacilowski, Tadeusz wrote:
> > [original post snipped; it appears in full later on this page]
>
> What does your APR connector configuration look like?
>
> From your SO post it looks like you have TLSv1 only. What if you try "all" (the default)? This will include only TLS protocols when using Tomcat 7.0.57 or later with tcnative 1.1.32 or later (and not SSL), but it looks like OpenSSL might use SSLv2Hello when there is more than one protocol supported.
>
> Your other option is to simply re-enable SSLv3 on the Tomcat server and use your firewall to prevent anyone from connecting except for your load balancer (which, presumably, you trust). SSLv3 is only risky when you don't trust your clients.
>
> -chris
>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

--
Tadeusz Sacilowski
Manager, Portal Mobile Development
Teachers College, Columbia University
sacilow...@tc.columbia.edu
Re: Tomcat 7 with APR connector: connection fails when client uses SSLv2Hello
Tadeusz,

On 12/12/14 1:09 PM, Sacilowski, Tadeusz wrote:
> I was using SSLProtocol="TLSv1" explicitly. However, when I switched to "all", the health monitor kicked back in. Interestingly though, I decided to switch it back to my original APR configuration (the one that was giving me issues with the health monitor in the first place) and the monitor continued to work. Not sure why it's working now, but I'm leaving my APR connector with SSLProtocol="all" since that's what seemed to resolve my issue.

Assuming that you have OpenSSL 1.0+, you'll want to be able to support TLSv1, TLSv1.1, and TLSv1.2, though I suppose if it's just for communication between your load balancer and your Tomcat nodes, it's probably not critical that you be able to support the very latest in TLS protocol.

Good luck,
-chris

> On Thu, Dec 11, 2014 at 5:02 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> > [earlier messages snipped; both appear in full elsewhere on this page]
Tomcat 7 with APR connector: connection fails when client uses SSLv2Hello
Hello,

I'm in the process of upgrading our Tomcat servers to Tomcat 7 (7.0.57). I'm also trying to use the APR connector (TC-Native 1.1.32) for SSL. The servers sit behind an F5 load balancer (LTM 10.2.1) that uses an HTTP health monitor to mark nodes up/down.

Prior to updating to the APR connector, I was using NIO, with SSLv3 disabled, and the health monitor worked properly:

    sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"

The SSLv2Hello is necessary, as the F5 health monitor uses this and there's apparently no way to force TLS with the version that we're on (when I don't explicitly include it, the health monitor fails). There are also possibly some legacy applications that would be using the pseudo-protocol as well.

When trying to use the APR connector (with SSLv3 being disabled), the health monitor fails to connect. Some troubleshooting with OpenSSL (0.9.8x) indicated that I need to force a connection with -tls1 in order for it to connect (see my post at Stack Overflow: http://stackoverflow.com/questions/27410851/openssl-s-client-cant-connect-to-tomcat-7-via-apr/27414403#27414403 ).

I'm assuming the issue is because SSLv2Hello is disabled with the APR connector... is there any way to explicitly enable it, as I do in the NIO connector?

Thank you!

--
Tadeusz Sacilowski
Manager, Portal Mobile Development
Teachers College, Columbia University
sacilow...@tc.columbia.edu
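The SSLv2Hello that the post is asking about is a record format, not a protocol version: a client can wrap a request for TLS 1.x inside an SSLv2-style CLIENT-HELLO (2-byte header with the high bit set, 3-byte cipher specs), which is what JSSE's SSLv2Hello pseudo-protocol lets the server accept, and what an SSLv23-method OpenSSL client sends when nothing forces a TLS-format hello (0.9.8 s_client without -tls1, as in the post). The script below is an added example, not code from the thread, from F5 or from Tomcat. It builds one hello of each format and classifies the first bytes of a connection, so the first packet a health monitor sends can be checked for which format and which version it actually asks for. The sample hellos and cipher values are constructed inline, not captured from a real F5.

```python
# Added example; not code from the original thread, the F5 or Tomcat.
# SSLv2Hello is a *record format*, not a protocol version: a client can wrap a
# request for TLS 1.x inside an SSLv2-style CLIENT-HELLO (2-byte header with
# the high bit set, 3-byte cipher specs). This module builds one hello of each
# format and classifies the first bytes of a connection.
# All sample hellos here are constructed, not captured from a real F5.
import os
import struct

VERSION_NAMES = {
    0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1",
    0x0302: "TLSv1.1", 0x0303: "TLSv1.2",
}


def version_name(version):
    return VERSION_NAMES.get(version, "0x%04x" % version)


def build_sslv2_hello(version, cipher_specs, challenge=None):
    """SSLv2-format CLIENT-HELLO advertising `version` (e.g. 0x0301 = TLSv1).

    cipher_specs are 3-byte values; SSLv3/TLS suites appear as 0x00 + suite id.
    """
    challenge = challenge if challenge is not None else os.urandom(16)
    specs = b"".join(struct.pack("!I", c)[1:] for c in cipher_specs)
    body = struct.pack("!BHHHH", 0x01, version, len(specs), 0, len(challenge))
    body += specs + challenge
    if len(body) >= 0x8000:
        raise ValueError("SSLv2 record too long")
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_tls_hello(version, cipher_suites, client_random=None):
    """TLS-record ClientHello (0x16 content type, 2-byte suites, no session id)."""
    client_random = client_random if client_random is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    hello = struct.pack("!H", version) + client_random + b"\x00"
    hello += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # null compression
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def classify_client_hello(data):
    """Return a dict describing the hello format and the version it asks for."""
    if len(data) < 11:
        raise ValueError("too short to be a ClientHello")
    if data[0] & 0x80:
        # SSLv2 record: 15-bit length, then msg type, version, three lengths.
        if data[2] != 0x01:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        version, spec_len, sid_len, chal_len = struct.unpack("!HHHH", data[3:11])
        specs = data[11:11 + spec_len]
        if len(specs) != spec_len or spec_len % 3:
            raise ValueError("truncated or malformed cipher-spec list")
        ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, spec_len, 3)]
        return {"format": "SSLv2Hello", "version": version_name(version), "ciphers": ciphers}
    if data[0] == 0x16:
        record_version = struct.unpack("!H", data[1:3])[0]
        if data[5] != 0x01:
            raise ValueError("TLS record is not a ClientHello")
        if len(data) < 44:
            raise ValueError("truncated ClientHello")
        client_version = struct.unpack("!H", data[9:11])[0]
        pos = 44 + data[43]  # skip 32-byte random and the session id
        if len(data) < pos + 2:
            raise ValueError("truncated ClientHello")
        suites_len = struct.unpack("!H", data[pos:pos + 2])[0]
        suites = data[pos + 2:pos + 2 + suites_len]
        if len(suites) != suites_len or suites_len % 2:
            raise ValueError("truncated or malformed cipher-suite list")
        ciphers = [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, suites_len, 2)]
        return {"format": "TLS", "record_version": version_name(record_version),
                "version": version_name(client_version), "ciphers": ciphers}
    raise ValueError("first byte 0x%02x is not an SSL/TLS ClientHello" % data[0])


if __name__ == "__main__":
    # An SSLv23-style client that can do TLSv1 but wraps it in the old format.
    print(classify_client_hello(build_sslv2_hello(0x0301, [0x00002F, 0x00000A])))
    # The shape "openssl s_client -tls1" produces: a plain TLS-record hello.
    print(classify_client_hello(build_tls_hello(0x0301, [0x002F, 0x000A])))
```

Feed classify_client_hello() the first bytes the monitor sends (from a packet capture on the connector port). A result of format "SSLv2Hello" with version "TLSv1" is the situation the post describes: the peer can speak TLS but announces it in the old record format, so a server that only parses TLS-format records never gets as far as version negotiation.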
Re: Tomcat 7 with APR connector: connection fails when client uses SSLv2Hello
Tadeusz,

On 12/11/14 2:15 PM, Sacilowski, Tadeusz wrote:
> [original post snipped; it appears in full directly above]

What does your APR connector configuration look like?

From your SO post it looks like you have TLSv1 only. What if you try "all" (the default)? This will include only TLS protocols when using Tomcat 7.0.57 or later with tcnative 1.1.32 or later (and not SSL), but it looks like OpenSSL might use SSLv2Hello when there is more than one protocol supported.

Your other option is to simply re-enable SSLv3 on the Tomcat server and use your firewall to prevent anyone from connecting except for your load balancer (which, presumably, you trust). SSLv3 is only risky when you don't trust your clients.

-chris
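The three connector configurations discussed in the thread, side by side, as an added example. This is not the poster's server.xml or anything shipped by the Tomcat project; the port, file paths, keystore password and cipher string are placeholders.

```xml
<!-- Added example, not the poster's server.xml. Port, paths, password and
     cipher string are placeholders. Tomcat 7.0.57, tcnative 1.1.32. -->

<!-- 1. NIO (JSSE) connector as described in the original post: SSLv3 off,
        TLS 1.0-1.2 on, and the SSLv2Hello pseudo-protocol kept so a client
        that opens with an SSLv2-format ClientHello can still negotiate TLS. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="changeit"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" />

<!-- 2. APR (OpenSSL) connector pinned to a single protocol. SSLProtocol is the
        only protocol knob on this connector and has no SSLv2Hello value; with
        this setting the health monitor in the thread could not connect. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="${catalina.base}/conf/server.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/server.key"
           SSLProtocol="TLSv1" />

<!-- 3. APR connector as finally used. On 7.0.57 with tcnative 1.1.32 "all"
        means TLSv1, TLSv1.1 and TLSv1.2 (no SSLv2/SSLv3), and this is the
        setting that let the monitor connect again. Writing the same set out
        explicitly, SSLProtocol="TLSv1+TLSv1.1+TLSv1.2", is also accepted. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="${catalina.base}/conf/server.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/server.key"
           SSLProtocol="all"
           SSLCipherSuite="HIGH:!aNULL:!MD5"
           SSLHonorCipherOrder="true" />
```

One reading of why the single-protocol form fails while "all" works (my reading of the tcnative 1.1 source, not something stated in the thread, so confirm it against the version you build): with exactly one protocol configured, tcnative creates the context with that protocol's OpenSSL method (TLSv1_server_method for "TLSv1"), which only parses TLS-format records, whereas "all" uses SSLv23_server_method with the unwanted versions disabled, and that method still understands an SSLv2-format hello that asks for TLS. Either way, check what the monitor actually sends before relying on it, and keep SSLv2 and SSLv3 out of the enabled set.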