Re: SSL connect to APR fails - bad version
Kobe, nothing is wrong. It was just my lack of familiarity with the SSL client that was the cause of my puzzlement. Konstantin's answer already cleared that up for me. I was just wondering what you were trying to do, connecting to Tomcat with a command-line client, and you did not provide a lot of contextual information along with your question, to explain that. Had you for example added a phrase like To check that the SSL connection is working, I am trying to connect to Tomcat's SSL Connector using the OpenSSL command-line client, and the answer I am getting is this : .., things would have been clearer, even for me. You see, on the list we get all kinds of questions, from all kinds of people. Sometimes posters here try to have Tomcat serve the morning coffee, and wonder why it doesn't work. Sometimes they seem to think that this is the Apache httpd or Weblogic support list. André Kobe wrote: Actually, whether it be webaccess or webservice access, i not follow your confusion. pleas explain why this is wrong. /Kobe Kobe wrote: Tomcat is also a servlet container and may be used to host web services. That is the case here. the web service client is hosted in a BEA weblogic server and attempts to connect to the web service over SSL. /Kobe awarnier wrote: Kobe wrote: I build tcnative and apr from src with exist ver of openssl (means openssl not build my me). I load apr connector in tomcat as below. when my client connect, I cannot connect: i get bad version. please explain what I do wrong? server# ./apr-1-config --version 1.4.5 server# server# openssl version OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 server# /// APR Connector Configuration in Tomcat6 Connector port=443 protocol=org.apache.coyote.http11.Http11AprProtocol enableLookups=false disableUploadTimeout=true acceptCount=100 scheme=https secure=true SSLCertificateFile=server_certificate.pem SSLCertificateChainFile=cachain.pem SSLCertificateKeyFile=server.key / $ openssl s_client -connect server.xxx.net:443 -debug -ssl3 CONNECTED(0003) write to 0x100119470 [0x100815e00] (95 bytes = 95 (0x5F)) - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d Z...V..N..- 0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f W.Uvu!|..7o 0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39 .+h|e..,...9 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f .8.5...3.2./ 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09 0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01 .. 005f - SPACES/NULS read from 0x100119470 [0x100811400] (5 bytes = 5 (0x5)) - 48 54 54 50 2fHTTP/ write to 0x100119470 [0x10081b800] (7 bytes = 7 (0x7)) - 15 03 00 00 02 02 28 ..( 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293: $ Hi. I don't know if other members of this list will be as puzzled as I am, but it is not clear to me what you are trying to achieve. I mean that Tomcat is in principle a web server, normally answering web browser requests (via HTTP or HTTPS). What are you trying to do when you access it with the above type of client, and what are you sending to Tomcat, and why ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL connect to APR fails - bad version
Tomcat is also a servlet container and may be used to host web services. That is the case here. the web service client is hosted in a BEA weblogic server and attempts to connect to the web service over SSL. /Kobe awarnier wrote: Kobe wrote: I build tcnative and apr from src with exist ver of openssl (means openssl not build my me). I load apr connector in tomcat as below. when my client connect, I cannot connect: i get bad version. please explain what I do wrong? server# ./apr-1-config --version 1.4.5 server# server# openssl version OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 server# /// APR Connector Configuration in Tomcat6 Connector port=443 protocol=org.apache.coyote.http11.Http11AprProtocol enableLookups=false disableUploadTimeout=true acceptCount=100 scheme=https secure=true SSLCertificateFile=server_certificate.pem SSLCertificateChainFile=cachain.pem SSLCertificateKeyFile=server.key / $ openssl s_client -connect server.xxx.net:443 -debug -ssl3 CONNECTED(0003) write to 0x100119470 [0x100815e00] (95 bytes = 95 (0x5F)) - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d Z...V..N..- 0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f W.Uvu!|..7o 0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39 .+h|e..,...9 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f .8.5...3.2./ 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09 0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01 .. 005f - SPACES/NULS read from 0x100119470 [0x100811400] (5 bytes = 5 (0x5)) - 48 54 54 50 2fHTTP/ write to 0x100119470 [0x10081b800] (7 bytes = 7 (0x7)) - 15 03 00 00 02 02 28 ..( 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293: $ Hi. I don't know if other members of this list will be as puzzled as I am, but it is not clear to me what you are trying to achieve. I mean that Tomcat is in principle a web server, normally answering web browser requests (via HTTP or HTTPS). What are you trying to do when you access it with the above type of client, and what are you sending to Tomcat, and why ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32805690.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL connect to APR fails - bad version
Actually, whether it be webaccess or webservice access, i not follow your confusion. pleas explain why this is wrong. /Kobe Kobe wrote: Tomcat is also a servlet container and may be used to host web services. That is the case here. the web service client is hosted in a BEA weblogic server and attempts to connect to the web service over SSL. /Kobe awarnier wrote: Kobe wrote: I build tcnative and apr from src with exist ver of openssl (means openssl not build my me). I load apr connector in tomcat as below. when my client connect, I cannot connect: i get bad version. please explain what I do wrong? server# ./apr-1-config --version 1.4.5 server# server# openssl version OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 server# /// APR Connector Configuration in Tomcat6 Connector port=443 protocol=org.apache.coyote.http11.Http11AprProtocol enableLookups=false disableUploadTimeout=true acceptCount=100 scheme=https secure=true SSLCertificateFile=server_certificate.pem SSLCertificateChainFile=cachain.pem SSLCertificateKeyFile=server.key / $ openssl s_client -connect server.xxx.net:443 -debug -ssl3 CONNECTED(0003) write to 0x100119470 [0x100815e00] (95 bytes = 95 (0x5F)) - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d Z...V..N..- 0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f W.Uvu!|..7o 0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39 .+h|e..,...9 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f .8.5...3.2./ 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09 0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01 .. 005f - SPACES/NULS read from 0x100119470 [0x100811400] (5 bytes = 5 (0x5)) - 48 54 54 50 2fHTTP/ write to 0x100119470 [0x10081b800] (7 bytes = 7 (0x7)) - 15 03 00 00 02 02 28 ..( 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293: $ Hi. I don't know if other members of this list will be as puzzled as I am, but it is not clear to me what you are trying to achieve. I mean that Tomcat is in principle a web server, normally answering web browser requests (via HTTP or HTTPS). What are you trying to do when you access it with the above type of client, and what are you sending to Tomcat, and why ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32805704.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL connect to APR fails - bad version
thank for your help. here is more info on my setup: tomcat version 6.0.29.
And tomcat is startin clean; no ererors while loading.
if I use tls1, I get same error as before (bad version).
when i test with openssl s_client, I check line 293 of s3_pkt.c. it say --
if ((version8) != SSL3_VERSION_MAJOR)
{
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
goto err;
}
so client is wanting ssl version 3. But i have same error with browser. i
donot/cannot find what
version browser wants - i Think it is 3.
Konstantin Kolinko wrote:
2011/11/6 Kobe r...@mailcity.com:
I build tcnative and apr from src with exist ver of openssl (means
openssl
not
build my me). I load apr connector in tomcat as below.
when my client connect, I cannot connect: i get bad version.
please explain what I do wrong?
server# ./apr-1-config --version
1.4.5
server#
server# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
server#
/// APR Connector Configuration in Tomcat6
Connector port=443
protocol=org.apache.coyote.http11.Http11AprProtocol
enableLookups=false disableUploadTimeout=true
acceptCount=100 scheme=https secure=true
SSLCertificateFile=server_certificate.pem
SSLCertificateChainFile=cachain.pem
SSLCertificateKeyFile=server.key
/
$ openssl s_client -connect server.xxx.net:443 -debug -ssl3
44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
And what happens with
$ openssl s_client -connect server.xxx.net:443 -debug -tls1
?
What is on line 293 in s3_pkt.c in the version of openssl the client
side of the connection is using?
I quick guess that clientserver cannot negotiate protocol version.
There are some options on Connector that might be used to configure
protocols ciphers that are supported.
Note that
- There were several security fixes in OpenSSL since that version that
you are using.
- You may try googling for your error message. It is mentioned a lot of
times.
- You are not mentioning what version of Tomcat x.y.z you are using.
- There might be some messages in Tomcat log files. Does Tomcat start
up cleanly?
Re: Andre's question:
That is openssl in command-line client mode, as a test whether it can
connect to the server.
Best regards,
Konstantin Kolinko
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
--
View this message in context:
http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32805993.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL connect to APR fails - bad version
many thanks again for your time and help. Problem is: same openssl version working on another server and successfuly setup SSLv3 connections with same client. So I am thinking, there is misconfigure on this server. i would like to find why this server respond with SSLv2 ClientHello instead of SSLv3 ClientHello. how do i find this misconfigurn? /Kobe Marvin Addison wrote: The following works as expected on my config (6.0.26) using the default protocols and cipher suite as in your config: $ openssl s_client -connect eiger:443 -debug -ssl3 CONNECTED(0003) ... Something in your SSL version jumped out at me: OpenSSL 0.9.8e-fips-rhel5 Looks like you're running OpenSSL with the FIPS compliance features enabled, which may impose additional requirements on SSL negotiation. I can't provide any further insight, but hopefully it might point to an area for further investigation. M - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32805994.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL connect to APR fails - bad version
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Kobe,
On 11/8/11 2:01 PM, Kobe wrote:
thank for your help. here is more info on my setup: tomcat version
6.0.29. And tomcat is startin clean; no ererors while loading.
if I use tls1, I get same error as before (bad version).
when i test with openssl s_client, I check line 293 of s3_pkt.c. it
say --
if ((version8) != SSL3_VERSION_MAJOR) {
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); goto
err; }
so client is wanting ssl version 3. But i have same error with
browser. i donot/cannot find what version browser wants - i Think
it is 3.
Your web browser likely has SSL 2.0 disabled entirely. You should
check which types of SSL/TLS are enabled.
So I am thinking, there is misconfigure on this server. i would
like to find why this server respond with SSLv2 ClientHello instead
of SSLv3 ClientHello.
Why do you think you are getting an SSLv2 reply?
how do i find this misconfigurn?
Are you using the same version of openssl as the client as you are
using withing Tomcat? I wonder if the FIPS mode is tripping you up.
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk65274ACgkQ9CaO5/Lv0PAcfwCeI/nP0CP5Y8Jj1q/1Im/9ef9Y
tZQAnial2UmsG5FSBSkSclenImxf5YR+
=vgDW
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL connect to APR fails - bad version
thank you Chris. I know the server (APR) is sending SSLv2 ClientHello because
ssl debugs show it:
// from ${CATALINA_HOME}/bin/setenv.sh:
export JAVA_OPTS=... -Djavax.net.debug=ssl
//...
# sh ${CATALINA_HOME}/bin/startup.sh
// from client
$ openssl s_client -connect server.xxx.net:443 -debug -ssl3
// from ${CATALINA_HOME}/logs/catalina.out
...
sending SSLv2 ClientHello server issues only SSLv2
ClientHello
But same openssl version (FIPS) connects with SSLv3 on another machien.
so I am thinking there is openssl misconfig on this server.
many tahnks.
/Kobe
Christopher Schultz-2 wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Kobe,
On 11/8/11 2:01 PM, Kobe wrote:
thank for your help. here is more info on my setup: tomcat version
6.0.29. And tomcat is startin clean; no ererors while loading.
if I use tls1, I get same error as before (bad version).
when i test with openssl s_client, I check line 293 of s3_pkt.c. it
say --
if ((version8) != SSL3_VERSION_MAJOR) {
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); goto
err; }
so client is wanting ssl version 3. But i have same error with
browser. i donot/cannot find what version browser wants - i Think
it is 3.
Your web browser likely has SSL 2.0 disabled entirely. You should
check which types of SSL/TLS are enabled.
So I am thinking, there is misconfigure on this server. i would
like to find why this server respond with SSLv2 ClientHello instead
of SSLv3 ClientHello.
Why do you think you are getting an SSLv2 reply?
how do i find this misconfigurn?
Are you using the same version of openssl as the client as you are
using withing Tomcat? I wonder if the FIPS mode is tripping you up.
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk65274ACgkQ9CaO5/Lv0PAcfwCeI/nP0CP5Y8Jj1q/1Im/9ef9Y
tZQAnial2UmsG5FSBSkSclenImxf5YR+
=vgDW
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
--
View this message in context:
http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32808893.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: SSL connect to APR fails - bad version
Hi Kobe;
I can see why it looks like the server is sending the message, but I think
there's some reference that's being missed. The SSL debug should show Client
messages and Server messages.
One thing that's certain, the SSLv2 ClientHello is a client message sent by the
client. This message is never sent by the server.
On a separate note, the APR is very strict about enforcing TLSv1. When it's
configured for TLSv1, it immediately terminates the connection if it receives
any SSLv2 ClientHello or SSLv3 Client Hello. If you have a server with an
active APR that's accepting the SSLv2 (or SSLv3) ClientHello, then the value of
SSLProtocol is all' (default), SSLv2, SSLv3, or SSLv2+SSLv3.
Regards,
Steve
From: users-return-229208-STEVEN.J.ADAMUS=saic@tomcat.apache.org on behalf
of Kobe
Sent: Tue 11/8/2011 10:20 PM
To: users@tomcat.apache.org
Subject: Re: SSL connect to APR fails - bad version
thank you Chris. I know the server (APR) is sending SSLv2 ClientHello because
ssl debugs show it:
// from ${CATALINA_HOME}/bin/setenv.sh:
export JAVA_OPTS=... -Djavax.net.debug=ssl
//...
# sh ${CATALINA_HOME}/bin/startup.sh
// from client
$ openssl s_client -connect server.xxx.net:443 -debug -ssl3
// from ${CATALINA_HOME}/logs/catalina.out
...
sending SSLv2 ClientHello server issues only SSLv2
ClientHello
But same openssl version (FIPS) connects with SSLv3 on another machien.
so I am thinking there is openssl misconfig on this server.
many tahnks.
/Kobe
Christopher Schultz-2 wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Kobe,
On 11/8/11 2:01 PM, Kobe wrote:
thank for your help. here is more info on my setup: tomcat version
6.0.29. And tomcat is startin clean; no ererors while loading.
if I use tls1, I get same error as before (bad version).
when i test with openssl s_client, I check line 293 of s3_pkt.c. it
say --
if ((version8) != SSL3_VERSION_MAJOR) {
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); goto
err; }
so client is wanting ssl version 3. But i have same error with
browser. i donot/cannot find what version browser wants - i Think
it is 3.
Your web browser likely has SSL 2.0 disabled entirely. You should
check which types of SSL/TLS are enabled.
So I am thinking, there is misconfigure on this server. i would
like to find why this server respond with SSLv2 ClientHello instead
of SSLv3 ClientHello.
Why do you think you are getting an SSLv2 reply?
how do i find this misconfigurn?
Are you using the same version of openssl as the client as you are
using withing Tomcat? I wonder if the FIPS mode is tripping you up.
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org http://gpgtools.org/
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk65274ACgkQ9CaO5/Lv0PAcfwCeI/nP0CP5Y8Jj1q/1Im/9ef9Y
tZQAnial2UmsG5FSBSkSclenImxf5YR+
=vgDW
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
--
View this message in context:
http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32808893.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL connect to APR fails - bad version
The following works as expected on my config (6.0.26) using the default protocols and cipher suite as in your config: $ openssl s_client -connect eiger:443 -debug -ssl3 CONNECTED(0003) ... Something in your SSL version jumped out at me: OpenSSL 0.9.8e-fips-rhel5 Looks like you're running OpenSSL with the FIPS compliance features enabled, which may impose additional requirements on SSL negotiation. I can't provide any further insight, but hopefully it might point to an area for further investigation. M - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL connect to APR fails - bad version
Kobe wrote: I build tcnative and apr from src with exist ver of openssl (means openssl not build my me). I load apr connector in tomcat as below. when my client connect, I cannot connect: i get bad version. please explain what I do wrong? server# ./apr-1-config --version 1.4.5 server# server# openssl version OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 server# /// APR Connector Configuration in Tomcat6 Connector port=443 protocol=org.apache.coyote.http11.Http11AprProtocol enableLookups=false disableUploadTimeout=true acceptCount=100 scheme=https secure=true SSLCertificateFile=server_certificate.pem SSLCertificateChainFile=cachain.pem SSLCertificateKeyFile=server.key / $ openssl s_client -connect server.xxx.net:443 -debug -ssl3 CONNECTED(0003) write to 0x100119470 [0x100815e00] (95 bytes = 95 (0x5F)) - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d Z...V..N..- 0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f W.Uvu!|..7o 0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39 .+h|e..,...9 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f .8.5...3.2./ 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09 0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01 .. 005f - SPACES/NULS read from 0x100119470 [0x100811400] (5 bytes = 5 (0x5)) - 48 54 54 50 2fHTTP/ write to 0x100119470 [0x10081b800] (7 bytes = 7 (0x7)) - 15 03 00 00 02 02 28 ..( 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293: $ Hi. I don't know if other members of this list will be as puzzled as I am, but it is not clear to me what you are trying to achieve. I mean that Tomcat is in principle a web server, normally answering web browser requests (via HTTP or HTTPS). What are you trying to do when you access it with the above type of client, and what are you sending to Tomcat, and why ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL connect to APR fails - bad version
2011/11/6 Kobe r...@mailcity.com: I build tcnative and apr from src with exist ver of openssl (means openssl not build my me). I load apr connector in tomcat as below. when my client connect, I cannot connect: i get bad version. please explain what I do wrong? server# ./apr-1-config --version 1.4.5 server# server# openssl version OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 server# /// APR Connector Configuration in Tomcat6 Connector port=443 protocol=org.apache.coyote.http11.Http11AprProtocol enableLookups=false disableUploadTimeout=true acceptCount=100 scheme=https secure=true SSLCertificateFile=server_certificate.pem SSLCertificateChainFile=cachain.pem SSLCertificateKeyFile=server.key / $ openssl s_client -connect server.xxx.net:443 -debug -ssl3 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293: And what happens with $ openssl s_client -connect server.xxx.net:443 -debug -tls1 ? What is on line 293 in s3_pkt.c in the version of openssl the client side of the connection is using? I quick guess that clientserver cannot negotiate protocol version. There are some options on Connector that might be used to configure protocols ciphers that are supported. Note that - There were several security fixes in OpenSSL since that version that you are using. - You may try googling for your error message. It is mentioned a lot of times. - You are not mentioning what version of Tomcat x.y.z you are using. - There might be some messages in Tomcat log files. Does Tomcat start up cleanly? Re: Andre's question: That is openssl in command-line client mode, as a test whether it can connect to the server. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
SSL connect to APR fails - bad version
I build tcnative and apr from src with exist ver of openssl (means openssl not build my me). I load apr connector in tomcat as below. when my client connect, I cannot connect: i get bad version. please explain what I do wrong? server# ./apr-1-config --version 1.4.5 server# server# openssl version OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 server# /// APR Connector Configuration in Tomcat6 Connector port=443 protocol=org.apache.coyote.http11.Http11AprProtocol enableLookups=false disableUploadTimeout=true acceptCount=100 scheme=https secure=true SSLCertificateFile=server_certificate.pem SSLCertificateChainFile=cachain.pem SSLCertificateKeyFile=server.key / $ openssl s_client -connect server.xxx.net:443 -debug -ssl3 CONNECTED(0003) write to 0x100119470 [0x100815e00] (95 bytes = 95 (0x5F)) - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d Z...V..N..- 0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f W.Uvu!|..7o 0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39 .+h|e..,...9 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f .8.5...3.2./ 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09 0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01 .. 005f - SPACES/NULS read from 0x100119470 [0x100811400] (5 bytes = 5 (0x5)) - 48 54 54 50 2fHTTP/ write to 0x100119470 [0x10081b800] (7 bytes = 7 (0x7)) - 15 03 00 00 02 02 28 ..( 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293: $ thank you. Kobe -- View this message in context: http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32788669.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
