Re: SSL connect to APR fails - bad version

2011-11-09 Thread André Warnier

Kobe,
nothing is wrong. It was just my lack of familiarity with the SSL client that was the 
cause of my puzzlement.  Konstantin's answer already cleared that up for me.


I was just wondering what you were trying to do, connecting to Tomcat with a command-line 
client, and you did not provide a lot of contextual information along with your question, 
to explain that.  Had you for example added a phrase like "To check that the SSL 
connection is working, I am trying to connect to Tomcat's SSL Connector using the OpenSSL 
command-line client, and the answer I am getting is this : ..", things would have been 
clearer, even for me.


You see, on the list we get all kinds of questions, from all kinds of people.
Sometimes posters here try to have Tomcat serve the morning coffee, and wonder why it 
doesn't work.  Sometimes they seem to think that this is the Apache httpd or Weblogic 
support list.


André


Kobe wrote:

Actually, whether it be web access or web service access, I do not follow
your confusion. Please explain why this is wrong.

/Kobe

Kobe wrote:

Tomcat is also a servlet container and may be used to host web services.
That is the case here. The web service client is hosted in a BEA WebLogic
server and attempts to connect to the web service over SSL.

/Kobe


awarnier wrote:

Kobe wrote:

I built tcnative and APR from source with the existing version of OpenSSL (meaning
OpenSSL was not built by me). I load the APR connector in Tomcat as below.

When my client connects, I cannot connect: I get "bad version". 
Please explain what I am doing wrong?



server# ./apr-1-config  --version
1.4.5
server#
server# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
server#



  /// APR Connector Configuration in Tomcat6
  <Connector port="443"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             SSLCertificateFile="server_certificate.pem"
             SSLCertificateChainFile="cachain.pem"
             SSLCertificateKeyFile="server.key"
  />




$ openssl s_client -connect server.xxx.net:443 -debug -ssl3
CONNECTED(0003)
write to 0x100119470 [0x100815e00] (95 bytes => 95 (0x5F))
0000 - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d   ....Z...V..N..>-
0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f   W..<...Uvu!|..7o
0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39   .+h|e..,.......9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01         ..............
005f - <SPACES/NULS>
read from 0x100119470 [0x100811400] (5 bytes => 5 (0x5))
0000 - 48 54 54 50 2f                                    HTTP/
write to 0x100119470 [0x10081b800] (7 bytes => 7 (0x7))
0000 - 15 03 00 00 02 02 28                              ......(
44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
$ 


Hi.
I don't know if other members of this list will be as puzzled as I am,
but it is not clear 
to me what you are trying to achieve.

I mean that Tomcat is in principle a web server, normally answering web
browser requests 
(via HTTP or HTTPS).  What are you trying to do when you access it with
the above type of 
client, and what are you sending to Tomcat, and why ?



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org













Re: SSL connect to APR fails - bad version

2011-11-08 Thread Kobe

Tomcat is also a servlet container and may be used to host web services.
That is the case here. The web service client is hosted in a BEA WebLogic
server and attempts to connect to the web service over SSL.

/Kobe


awarnier wrote:
 
 Kobe wrote:
 I built tcnative and APR from source with the existing version of OpenSSL (meaning
 OpenSSL was not built by me). I load the APR connector in Tomcat as below.
 
 When my client connects, I cannot connect: I get "bad version". 
 Please explain what I am doing wrong?
 
 
 server# ./apr-1-config  --version
 1.4.5
 server#
 server# openssl version
 OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
 server#
 
 
 
   /// APR Connector Configuration in Tomcat6
   <Connector port="443"
              protocol="org.apache.coyote.http11.Http11AprProtocol"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true"
              SSLCertificateFile="server_certificate.pem"
              SSLCertificateChainFile="cachain.pem"
              SSLCertificateKeyFile="server.key"
   />
 
 
 
 
 $ openssl s_client -connect server.xxx.net:443 -debug -ssl3
 CONNECTED(0003)
 write to 0x100119470 [0x100815e00] (95 bytes => 95 (0x5F))
 0000 - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d   ....Z...V..N..>-
 0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f   W..<...Uvu!|..7o
 0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39   .+h|e..,.......9
 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
 0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01         ..............
 005f - <SPACES/NULS>
 read from 0x100119470 [0x100811400] (5 bytes => 5 (0x5))
 0000 - 48 54 54 50 2f                                    HTTP/
 write to 0x100119470 [0x10081b800] (7 bytes => 7 (0x7))
 0000 - 15 03 00 00 02 02 28                              ......(
 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
 $ 
 
 Hi.
 I don't know if other members of this list will be as puzzled as I am, but
 it is not clear 
 to me what you are trying to achieve.
 I mean that Tomcat is in principle a web server, normally answering web
 browser requests 
 (via HTTP or HTTPS).  What are you trying to do when you access it with
 the above type of 
 client, and what are you sending to Tomcat, and why ?
 
 
 
 
 




Re: SSL connect to APR fails - bad version

2011-11-08 Thread Kobe

Actually, whether it be web access or web service access, I do not follow
your confusion. Please explain why this is wrong.

/Kobe

Kobe wrote:
 
 Tomcat is also a servlet container and may be used to host web services.
 That is the case here. The web service client is hosted in a BEA WebLogic
 server and attempts to connect to the web service over SSL.
 
 /Kobe
 
 
 awarnier wrote:
 
 Kobe wrote:
 I built tcnative and APR from source with the existing version of OpenSSL (meaning
 OpenSSL was not built by me). I load the APR connector in Tomcat as below.
 
 When my client connects, I cannot connect: I get "bad version". 
 Please explain what I am doing wrong?
 
 
 server# ./apr-1-config  --version
 1.4.5
 server#
 server# openssl version
 OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
 server#
 
 
 
   /// APR Connector Configuration in Tomcat6
   <Connector port="443"
              protocol="org.apache.coyote.http11.Http11AprProtocol"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true"
              SSLCertificateFile="server_certificate.pem"
              SSLCertificateChainFile="cachain.pem"
              SSLCertificateKeyFile="server.key"
   />
 
 
 
 
 $ openssl s_client -connect server.xxx.net:443 -debug -ssl3
 CONNECTED(0003)
 write to 0x100119470 [0x100815e00] (95 bytes => 95 (0x5F))
 0000 - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d   ....Z...V..N..>-
 0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f   W..<...Uvu!|..7o
 0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39   .+h|e..,.......9
 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
 0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01         ..............
 005f - <SPACES/NULS>
 read from 0x100119470 [0x100811400] (5 bytes => 5 (0x5))
 0000 - 48 54 54 50 2f                                    HTTP/
 write to 0x100119470 [0x10081b800] (7 bytes => 7 (0x7))
 0000 - 15 03 00 00 02 02 28                              ......(
 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
 $ 
 
 Hi.
 I don't know if other members of this list will be as puzzled as I am,
 but it is not clear 
 to me what you are trying to achieve.
 I mean that Tomcat is in principle a web server, normally answering web
 browser requests 
 (via HTTP or HTTPS).  What are you trying to do when you access it with
 the above type of 
 client, and what are you sending to Tomcat, and why ?
 
 
 
 
 
 
 




Re: SSL connect to APR fails - bad version

2011-11-08 Thread Kobe

Thanks for your help. Here is more info on my setup: Tomcat version 6.0.29.
And Tomcat is starting clean; no errors while loading.

If I use tls1, I get the same error as before (bad version).

When I test with openssl s_client, I check line 293 of s3_pkt.c. It says --


if ((version >> 8) != SSL3_VERSION_MAJOR)
    {
    SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
    goto err;
    }



So the client is wanting SSL version 3. But I have the same error with a browser. I
do not/cannot find what version the browser wants - I think it is 3.


Konstantin Kolinko wrote:
 
 2011/11/6 Kobe r...@mailcity.com:

 I built tcnative and APR from source with the existing version of OpenSSL (meaning
 OpenSSL was not built by me). I load the APR connector in Tomcat as below.

 When my client connects, I cannot connect: I get "bad version".
 Please explain what I am doing wrong?


 server# ./apr-1-config  --version
 1.4.5
 server#
 server# openssl version
 OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
 server#

  /// APR Connector Configuration in Tomcat6
  <Connector port="443"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             SSLCertificateFile="server_certificate.pem"
             SSLCertificateChainFile="cachain.pem"
             SSLCertificateKeyFile="server.key"
  />


 $ openssl s_client -connect server.xxx.net:443 -debug -ssl3
 
 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
 number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
 
 And what happens with
 $ openssl s_client -connect server.xxx.net:443 -debug -tls1
 ?
 
 What is on line 293 in s3_pkt.c in the version of openssl the client
 side of the connection is using?
 
 My quick guess is that client and server cannot negotiate a protocol version.
 There are some options on Connector that might be used to configure
 protocols & ciphers that are supported.
 
 Note that
 - There were several security fixes in OpenSSL since that version that
 you are using.
 - You may try googling for your error message. It is mentioned a lot of
 times.
 - You are not mentioning what version of Tomcat x.y.z you are using.
 - There might be some messages in Tomcat log files. Does Tomcat start
 up cleanly?
 
 Re: Andre's question:
 That is openssl in command-line client mode, as a test whether it can
 connect to the server.
 
 Best regards,
 Konstantin Kolinko
 
 
 
 




Re: SSL connect to APR fails - bad version

2011-11-08 Thread Kobe

Many thanks again for your time and help.

Problem is: the same openssl version is working on another server
and successfully sets up SSLv3 connections with the same client.
So I am thinking there is a misconfiguration on this server. I would like
to find why this server responds with SSLv2 ClientHello instead of 
SSLv3 ClientHello.

How do I find this misconfiguration?

/Kobe


Marvin Addison wrote:
 
 The following works as expected on my config (6.0.26) using the
 default protocols and cipher suite as in your config:
 
 $ openssl s_client -connect eiger:443 -debug -ssl3
 CONNECTED(0003)
 ...
 
 Something in your SSL version jumped out at me:
 
 OpenSSL 0.9.8e-fips-rhel5
 
 Looks like you're running OpenSSL with the FIPS compliance features
 enabled, which may impose additional requirements on SSL negotiation.
 I can't provide any further insight, but hopefully it might point to
 an area for further investigation.
 
 M
 
 
 
 




Re: SSL connect to APR fails - bad version

2011-11-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Kobe,

On 11/8/11 2:01 PM, Kobe wrote:
 Thanks for your help. Here is more info on my setup: Tomcat version
 6.0.29. And Tomcat is starting clean; no errors while loading.
 
 If I use tls1, I get the same error as before (bad version).
 
 When I test with openssl s_client, I check line 293 of s3_pkt.c. It
 says --
 
 
 if ((version >> 8) != SSL3_VERSION_MAJOR)
     {
     SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
     goto err;
     }
 
 
 
 So the client is wanting SSL version 3. But I have the same error with a
 browser. I do not/cannot find what version the browser wants - I think
 it is 3.

Your web browser likely has SSL 2.0 disabled entirely. You should
check which types of SSL/TLS are enabled.

 So I am thinking, there is misconfigure on this server. i would
 like to find why this server respond with SSLv2 ClientHello instead
 of SSLv3 ClientHello.

Why do you think you are getting an SSLv2 reply?

 how do i find this misconfigurn?

Are you using the same version of openssl as the client as you are
using within Tomcat? I wonder if the FIPS mode is tripping you up.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk65274ACgkQ9CaO5/Lv0PAcfwCeI/nP0CP5Y8Jj1q/1Im/9ef9Y
tZQAnial2UmsG5FSBSkSclenImxf5YR+
=vgDW
-END PGP SIGNATURE-




Re: SSL connect to APR fails - bad version

2011-11-08 Thread Kobe

Thank you Chris. I know the server (APR) is sending SSLv2 ClientHello because
the SSL debug output shows it:


 // from ${CATALINA_HOME}/bin/setenv.sh:
 export JAVA_OPTS="... -Djavax.net.debug=ssl"
 //...

   # sh ${CATALINA_HOME}/bin/startup.sh

   // from client
$ openssl s_client -connect server.xxx.net:443 -debug -ssl3

   // from ${CATALINA_HOME}/logs/catalina.out
   ...
   sending SSLv2 ClientHello      <-- server issues only SSLv2 ClientHello


But the same openssl version (FIPS) connects with SSLv3 on another machine.
So I am thinking there is an openssl misconfiguration on this server.

Many thanks.

/Kobe


Christopher Schultz-2 wrote:
 
 
 Kobe,
 
 On 11/8/11 2:01 PM, Kobe wrote:
 Thanks for your help. Here is more info on my setup: Tomcat version
 6.0.29. And Tomcat is starting clean; no errors while loading.
 
 If I use tls1, I get the same error as before (bad version).
 
 When I test with openssl s_client, I check line 293 of s3_pkt.c. It
 says --
 
 
 if ((version >> 8) != SSL3_VERSION_MAJOR)
     {
     SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
     goto err;
     }
 
 
 
 So the client is wanting SSL version 3. But I have the same error with a
 browser. I do not/cannot find what version the browser wants - I think
 it is 3.
 
 Your web browser likely has SSL 2.0 disabled entirely. You should
 check which types of SSL/TLS are enabled.
 
 So I am thinking, there is misconfigure on this server. i would
 like to find why this server respond with SSLv2 ClientHello instead
 of SSLv3 ClientHello.
 
 Why do you think you are getting an SSLv2 reply?
 
 how do i find this misconfigurn?
 
 Are you using the same version of openssl as the client as you are
 using within Tomcat? I wonder if the FIPS mode is tripping you up.
 
 - -chris
 
 
 
 




RE: SSL connect to APR fails - bad version

2011-11-08 Thread Adamus, Steven J.
Hi Kobe; 
 
I can see why it looks like the server is sending the message, but I think 
there's some reference that's being missed.  The SSL debug should show Client 
messages and Server messages. 
 
One thing that's certain, the SSLv2 ClientHello is a client message sent by the 
client.  This message is never sent by the server. 
 
On a separate note, the APR is very strict about enforcing TLSv1.  When it's 
configured for TLSv1, it immediately terminates the connection if it receives 
any SSLv2 ClientHello or SSLv3 Client Hello.  If you have a server with an 
active APR that's accepting the SSLv2 (or SSLv3) ClientHello, then the value of 
SSLProtocol is 'all' (default), SSLv2, SSLv3, or SSLv2+SSLv3. 
 
Regards, 
Steve



From: users-return-229208-STEVEN.J.ADAMUS=saic@tomcat.apache.org on behalf 
of Kobe
Sent: Tue 11/8/2011 10:20 PM
To: users@tomcat.apache.org
Subject: Re: SSL connect to APR fails - bad version




Thank you Chris. I know the server (APR) is sending SSLv2 ClientHello because
the SSL debug output shows it:


 // from ${CATALINA_HOME}/bin/setenv.sh:
 export JAVA_OPTS="... -Djavax.net.debug=ssl"
 //...

   # sh ${CATALINA_HOME}/bin/startup.sh

   // from client
$ openssl s_client -connect server.xxx.net:443 -debug -ssl3

   // from ${CATALINA_HOME}/logs/catalina.out
   ...
   sending SSLv2 ClientHello      <-- server issues only SSLv2 ClientHello


But the same openssl version (FIPS) connects with SSLv3 on another machine.
So I am thinking there is an openssl misconfiguration on this server.

Many thanks.

/Kobe


Christopher Schultz-2 wrote:


 Kobe,

 On 11/8/11 2:01 PM, Kobe wrote:
 Thanks for your help. Here is more info on my setup: Tomcat version
 6.0.29. And Tomcat is starting clean; no errors while loading.

 If I use tls1, I get the same error as before (bad version).

 When I test with openssl s_client, I check line 293 of s3_pkt.c. It
 says --


 if ((version >> 8) != SSL3_VERSION_MAJOR)
     {
     SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
     goto err;
     }



 So the client is wanting SSL version 3. But I have the same error with a
 browser. I do not/cannot find what version the browser wants - I think
 it is 3.

 Your web browser likely has SSL 2.0 disabled entirely. You should
 check which types of SSL/TLS are enabled.

 So I am thinking, there is misconfigure on this server. i would
 like to find why this server respond with SSLv2 ClientHello instead
 of SSLv3 ClientHello.

 Why do you think you are getting an SSLv2 reply?

 how do i find this misconfigurn?

 Are you using the same version of openssl as the client as you are
 using within Tomcat? I wonder if the FIPS mode is tripping you up.

 - -chris






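Steve's note on SSLProtocol, read together with the 5 bytes the server returned in the s_client dump (48 54 54 50 2f, which is the ASCII string HTTP/), points at the connector definition itself. The following is an added example, the editor's code rather than anything from the thread or the Tomcat project, that audits Tomcat 6 <Connector> elements for two settings. First, SSLEnabled="true", which Tomcat 6 requires on any connector that is to terminate SSL and which the posted connector does not carry; without it the APR connector answers plain HTTP on port 443, which is exactly what a reply beginning HTTP/ to a ClientHello looks like. Nobody in the thread confirms that this is the cause, so treat it as the editor's reading of the dump. Second, whether SSLProtocol is one of the values Steve lists that still accept SSLv2/SSLv3 ClientHellos; "TLSv1" is the only one of them that does not. POSTED_CONFIG is the connector from the post wrapped in a minimal <Service>; FIXED_CONFIG and the plain-HTTP connector on port 8080 are constructed for the example.

```python
"""Audit Tomcat 6 <Connector> elements for the two settings this thread turns on.

Added example (editor's code, not from the thread or the Tomcat project).
POSTED_CONFIG is the connector from the post, wrapped in a minimal <Service>;
FIXED_CONFIG is the corrected version. The plain-HTTP connector on 8080 is
constructed to show that the audit leaves non-SSL connectors alone.
"""
import xml.etree.ElementTree as ET

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
# SSLProtocol values the Tomcat 6 APR connector accepts (as listed in the
# thread); "all" is the default, and only TLSv1 rejects SSLv2/SSLv3 ClientHellos.
APR_SSLPROTOCOL_VALUES = {"all", "SSLv2", "SSLv3", "TLSv1", "SSLv2+SSLv3"}

POSTED_CONFIG = """
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
  <!-- APR Connector Configuration in Tomcat6, as posted -->
  <Connector port="443"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             SSLCertificateFile="server_certificate.pem"
             SSLCertificateChainFile="cachain.pem"
             SSLCertificateKeyFile="server.key"
  />
</Service>
"""

FIXED_CONFIG = """
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
  <Connector port="443"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100"
             SSLProtocol="TLSv1"
             SSLCertificateFile="server_certificate.pem"
             SSLCertificateChainFile="cachain.pem"
             SSLCertificateKeyFile="server.key"
  />
</Service>
"""


def is_ssl_connector(conn):
    """A connector meant to terminate SSL: marked https/secure or carrying SSL* attributes."""
    return (conn.get("scheme") == "https" or conn.get("secure") == "true"
            or any(name.startswith("SSL") for name in conn.attrib))


def audit_connector(conn):
    """Return (port, finding) tuples for one <Connector>."""
    findings = []
    port = conn.get("port", "?")
    if not is_ssl_connector(conn):
        return findings
    # Tomcat 6 requires SSLEnabled="true"; without it the connector speaks plain
    # HTTP on the port, which is what a b"HTTP/" reply to a ClientHello means.
    if conn.get("SSLEnabled", "false").lower() != "true":
        findings.append((port, 'SSLEnabled="true" missing: connector answers plain HTTP on this port'))
    if conn.get("protocol") == APR_PROTOCOL:
        proto = conn.get("SSLProtocol", "all")
        if proto not in APR_SSLPROTOCOL_VALUES:
            findings.append((port, "SSLProtocol=%r is not a value the APR connector accepts" % proto))
        elif proto != "TLSv1":
            findings.append((port, 'SSLProtocol=%r still accepts SSLv2/SSLv3 ClientHellos; use "TLSv1"' % proto))
        for attr in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if not conn.get(attr):
                findings.append((port, attr + " missing"))
    return findings


def audit(server_xml):
    """Audit every <Connector> in a server.xml fragment; an empty list means clean."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(audit_connector(conn))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label + ":", audit(cfg) or "no findings")
```

Run as a script it reports two findings for the posted connector (no SSLEnabled, SSLProtocol left at the default all) and none for the fixed one. The SSLEnabled check applies to JSSE connectors as well; the SSLProtocol check is limited to the APR connector because that attribute and its value set belong to the APR connector.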




Re: SSL connect to APR fails - bad version

2011-11-07 Thread Marvin Addison
The following works as expected on my config (6.0.26) using the
default protocols and cipher suite as in your config:

$ openssl s_client -connect eiger:443 -debug -ssl3
CONNECTED(0003)
...

Something in your SSL version jumped out at me:

OpenSSL 0.9.8e-fips-rhel5

Looks like you're running OpenSSL with the FIPS compliance features
enabled, which may impose additional requirements on SSL negotiation.
I can't provide any further insight, but hopefully it might point to
an area for further investigation.

M




Re: SSL connect to APR fails - bad version

2011-11-06 Thread André Warnier

Kobe wrote:

I built tcnative and APR from source with the existing version of OpenSSL (meaning
OpenSSL was not built by me). I load the APR connector in Tomcat as below.

When my client connects, I cannot connect: I get "bad version". 
Please explain what I am doing wrong?



server# ./apr-1-config  --version
1.4.5
server#
server# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
server#



  /// APR Connector Configuration in Tomcat6
  <Connector port="443"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             SSLCertificateFile="server_certificate.pem"
             SSLCertificateChainFile="cachain.pem"
             SSLCertificateKeyFile="server.key"
  />




$ openssl s_client -connect server.xxx.net:443 -debug -ssl3
CONNECTED(0003)
write to 0x100119470 [0x100815e00] (95 bytes => 95 (0x5F))
0000 - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d   ....Z...V..N..>-
0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f   W..<...Uvu!|..7o
0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39   .+h|e..,.......9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01         ..............
005f - <SPACES/NULS>
read from 0x100119470 [0x100811400] (5 bytes => 5 (0x5))
0000 - 48 54 54 50 2f                                    HTTP/
write to 0x100119470 [0x10081b800] (7 bytes => 7 (0x7))
0000 - 15 03 00 00 02 02 28                              ......(
44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
$ 


Hi.
I don't know if other members of this list will be as puzzled as I am, but it is not clear 
to me what you are trying to achieve.
I mean that Tomcat is in principle a web server, normally answering web browser requests 
(via HTTP or HTTPS).  What are you trying to do when you access it with the above type of 
client, and what are you sending to Tomcat, and why ?




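The -debug output quoted above already answers André's question about what the client was sending, and shows a good deal more: the client's 95-byte SSL 3.0 ClientHello, the 5 bytes the server sent back, and the 7-byte alert s_client wrote before exiting. The following is an added example, the editor's code rather than anything from the thread, OpenSSL or Tomcat, that decodes those three messages. The byte strings are transcribed from the dump (the ClientHello's final 00 is the byte the <SPACES/NULS> line says OpenSSL omitted from the printout); everything else, including the field names, is the example's own. Worth noticing once decoded: the server's reply is the ASCII text HTTP/, not a record header, so the major-version test that OpenSSL applies in SSL3_GET_RECORD (the check quoted elsewhere in the thread) fails on the byte 0x54 and reports wrong version number even though no SSL record was ever received; whether the client asked for SSL 3.0 or TLS 1.0 makes no difference to that outcome.

```python
"""Decode the three messages in the `openssl s_client -debug -ssl3` dump.
Added example: the byte strings are transcribed from the dump in the post;
everything else is this example's own code (not OpenSSL's or Tomcat's)."""
import datetime
import struct

# Transcribed from the dump. The final 0x00 is the byte that the
# "<SPACES/NULS>" line says OpenSSL trimmed from the printout.
CLIENT_HELLO = bytes.fromhex(
    "16 03 00 00 5a 01 00 00 56 03 00 4e b5 d4 3e 2d"
    "57 eb 94 3c f8 0f a0 55 76 75 21 7c b3 f1 37 6f"
    "99 2b 68 7c 65 b7 c9 2c f6 1f dd 00 00 2e 00 39"
    "00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f"
    "00 9a 00 99 00 96 00 05 00 04 00 15 00 12 00 09"
    "00 14 00 11 00 08 00 06 00 03 00 ff 02 01 00"
)
SERVER_REPLY = bytes.fromhex("48 54 54 50 2f")        # the 5 bytes read back from port 443
CLIENT_ALERT = bytes.fromhex("15 03 00 00 02 02 28")  # what s_client wrote before exiting

SSL3_VERSION_MAJOR = 3
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}


def record_header(data):
    """Parse a 5-byte SSL3/TLS record header, or return None. The only test is
    the one at s3_pkt.c:293 quoted in the thread: the major version byte is 3."""
    if len(data) < 5:
        return None
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if major != SSL3_VERSION_MAJOR:
        return None
    return {"content_type": CONTENT_TYPES.get(content_type, content_type),
            "version": (major, minor), "length": length}


def classify(data):
    """TLS record, plaintext HTTP, or something else. A server speaking plain HTTP
    on port 443 answers b"HTTP/..."; byte 1 is 'T' (0x54), so OpenSSL's major-
    version check fails and reports "wrong version number" without any SSL record."""
    hdr = record_header(data)
    if hdr is not None:
        return dict(hdr, kind="tls_record")
    if len(data) < 5:
        return {"kind": "short", "openssl_error": None}  # OpenSSL would keep reading
    kind = "plaintext_http" if data.startswith(b"HTTP/") else "not_tls"
    return {"kind": kind, "openssl_error": "wrong version number"}


def parse_client_hello(data):
    """Walk a ClientHello: version, random, session id, cipher suites, compression."""
    hdr = record_header(data)
    if hdr is None or hdr["content_type"] != "handshake":
        raise ValueError("not a handshake record")
    body = data[5:5 + hdr["length"]]
    if len(body) != hdr["length"]:
        raise ValueError("truncated record")
    if body[0] != 1 or int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("not a well-formed ClientHello")
    pos = 4
    version, pos = (body[pos], body[pos + 1]), pos + 2
    random, pos = body[pos:pos + 32], pos + 32
    sid_len = body[pos]
    session_id, pos = body[pos + 1:pos + 1 + sid_len], pos + 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    compression, pos = list(body[pos + 1:pos + 1 + comp_len]), pos + 1 + comp_len
    return {"version": version,
            # SSL 3.0 and TLS 1.x put gmt_unix_time in the first 4 random bytes
            "gmt_unix_time": struct.unpack("!I", random[:4])[0],
            "session_id": session_id, "cipher_suites": suites,
            "compression": compression, "trailing_bytes": len(body) - pos}


def hello_date(info):
    """UTC date from the ClientHello random; a sanity check against the post date."""
    ts = datetime.datetime.fromtimestamp(info["gmt_unix_time"], datetime.timezone.utc)
    return ts.date().isoformat()


def parse_alert(data):
    """Decode a 2-byte alert record (level, description)."""
    hdr = record_header(data)
    if hdr is None or hdr["content_type"] != "alert" or hdr["length"] != 2:
        raise ValueError("not an alert record")
    return {"level": ALERT_LEVELS.get(data[5], data[5]),
            "description": ALERT_DESCRIPTIONS.get(data[6], data[6])}


if __name__ == "__main__":
    hello = parse_client_hello(CLIENT_HELLO)
    print("client ->", classify(CLIENT_HELLO)["content_type"], "SSL %d.%d" % hello["version"],
          "on", hello_date(hello), "offering %d suites:" % len(hello["cipher_suites"]),
          " ".join("%04x" % s for s in hello["cipher_suites"]))
    print("server ->", classify(SERVER_REPLY), SERVER_REPLY)
    print("client ->", parse_alert(CLIENT_ALERT))
```

Run as a script it prints the decoded fields, including the date carried in the ClientHello random (2011-11-06, the day of the original post) and the 23 offered cipher suites, several of them export-grade. The general point for anyone chasing SSL3_GET_RECORD:wrong version number: decode the first bytes the server returned before touching ciphers or protocol flags; if they are printable text, that port is not speaking TLS at all.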


Re: SSL connect to APR fails - bad version

2011-11-06 Thread Konstantin Kolinko
2011/11/6 Kobe r...@mailcity.com:

 I built tcnative and APR from source with the existing version of OpenSSL (meaning
 OpenSSL was not built by me). I load the APR connector in Tomcat as below.

 When my client connects, I cannot connect: I get "bad version".
 Please explain what I am doing wrong?


 server# ./apr-1-config  --version
 1.4.5
 server#
 server# openssl version
 OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
 server#

  /// APR Connector Configuration in Tomcat6
  <Connector port="443"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             SSLCertificateFile="server_certificate.pem"
             SSLCertificateChainFile="cachain.pem"
             SSLCertificateKeyFile="server.key"
  />


 $ openssl s_client -connect server.xxx.net:443 -debug -ssl3

 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
 number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:

And what happens with
$ openssl s_client -connect server.xxx.net:443 -debug -tls1
?

What is on line 293 in s3_pkt.c in the version of openssl the client
side of the connection is using?

My quick guess is that client and server cannot negotiate a protocol version.
There are some options on Connector that might be used to configure
protocols & ciphers that are supported.

Note that
- There were several security fixes in OpenSSL since that version that
you are using.
- You may try googling for your error message. It is mentioned a lot of times.
- You are not mentioning what version of Tomcat x.y.z you are using.
- There might be some messages in Tomcat log files. Does Tomcat start
up cleanly?

Re: Andre's question:
That is openssl in command-line client mode, as a test whether it can
connect to the server.

Best regards,
Konstantin Kolinko
