Ognjen,

On 10/10/13 5:23 PM, Ognjen Blagojevic wrote:
> Chris,
>
> On 10.10.2013 19:11, Christopher Schultz wrote:
>> Also, Chirag has the connector supporting only "TLS", so SSLv2
>> HELLO should ideally fail entirely.
>
> Setting attribute sslProtocol="TLS" may actually enable all
> protocols from SSLv3 to TLSv1.2, plus SSLv2Hello. Even setting
> something like sslProtocol="TLSv1.1" would enable the same group of
> protocols. Tomcat docs clearly warn about that behavior (HTTP
> connector):
>
> "sslProtocol - The SSL protocol(s) to use (a single value may
> enable multiple protocols - see the JVM documentation for
> details)."
>
>
>> If you really only want to use TLS but support SSLv2 HELLOs, it's
>> not entirely clear to me what setting you want here
>> (sslEnabledProtocols), with sslProtocol, etc. I suspect what you
>> want is this:
>>
>> sslProtocol="TLS" sslEnabledProtocols="TLS, SSLv2Hello"
>>
>> Chirag, give that a try and see if your problems are solved.
>
> That is not a valid configuration. TLS is not a legal value for
> attribute sslEnabledProtocols, and it will be ignored. SSLv2Hello
> is not legal without any other secure protocol, so JSSE will throw
> an exception. Something like
>
> sslProtocol="TLS"
> sslEnabledProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
>
> would be a valid config for what you propose.

Thanks for clearing that up. I've never used JSSE for SSL so I haven't
been through the wringer.

> It would also help to track down the cause of the problem, if
> Chirag sends handshake logs of failing and successful handshake.
>
> Also, a bit of brainstorming now: could this whole thing be an IP
> protocol issue? I've seen similar behavior before, albeit not in
> context of SSL handshake: client tries to connect using IPv6
> address, but firewall doesn't allow it, so client falls back to
> IPv4 and successfully connects.

I would expect that to happen during a single run of the client. Plus,
Chirag indicated that he can see the connection occur, then fail.

So it's not a firewall or IPv4/6 issue.

-chris
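The two points Ognjen makes above (an sslProtocol value such as "TLS" names a JSSE SSLContext algorithm and therefore enables a whole family of protocol versions, while sslEnabledProtocols takes individual protocol names and "TLS" is simply not one of them) can be checked against any JVM with a small probe. The program below is an added example written for this page; it is not Tomcat's code and not from anyone in the thread. `defaultEnabledProtocols` asks JSSE directly what a given sslProtocol value enables. `applyEnabledProtocols` is a hypothetical stand-in for what the connector does with sslEnabledProtocols: it drops names the JVM does not recognise (so "TLS" is ignored) and then hands the rest to JSSE, which, as Ognjen notes, refuses a list containing only SSLv2Hello. The printed protocol lists depend on the JDK you run it on (the JDK 7 of the thread enabled SSLv3 through TLSv1.2 plus SSLv2Hello for "TLS"; newer JDKs enable a different set), so run it on the same JVM that runs Tomcat.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class JsseProtocolProbe {

    /**
     * What does a given sslProtocol value really enable? The value is an
     * SSLContext algorithm name ("TLS", "TLSv1.1", ...), and JSSE chooses a
     * default set of enabled protocol versions for that context, which is
     * usually much broader than the name suggests.
     */
    static String[] defaultEnabledProtocols(String sslProtocol) throws Exception {
        SSLContext ctx = SSLContext.getInstance(sslProtocol);
        ctx.init(null, null, null); // default key/trust managers are enough for a probe
        return ctx.createSSLEngine().getEnabledProtocols();
    }

    /**
     * Hypothetical model of how a connector consumes sslEnabledProtocols
     * (assumption for this example, not Tomcat's actual source): keep only
     * names the JVM reports as supported, warn about and drop the rest
     * (e.g. "TLS"), then pass the survivors to JSSE. JSSE throws
     * IllegalArgumentException if SSLv2Hello is the only protocol left.
     */
    static String[] applyEnabledProtocols(SSLEngine engine, String sslEnabledProtocols) {
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> accepted = new ArrayList<>();
        for (String name : sslEnabledProtocols.split(",")) {
            name = name.trim();
            if (supported.contains(name)) {
                accepted.add(name);
            } else {
                System.out.println("  WARN: ignoring unsupported protocol name \"" + name + "\"");
            }
        }
        // SSLv2Hello alone is rejected here by JSSE with IllegalArgumentException
        engine.setEnabledProtocols(accepted.toArray(new String[0]));
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        // Part 1: the family of versions each sslProtocol value turns on.
        for (String sslProtocol : new String[] {"TLS", "TLSv1.1"}) {
            System.out.println("sslProtocol=\"" + sslProtocol + "\" enables by default: "
                    + Arrays.toString(defaultEnabledProtocols(sslProtocol)));
        }

        // Part 2: the two sslEnabledProtocols lists discussed in the thread.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        String[] candidates = {
            "TLS, SSLv2Hello",                  // proposed list: "TLS" is not a protocol name
            "SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2", // corrected list from the thread
        };
        for (String list : candidates) {
            System.out.println("sslEnabledProtocols=\"" + list + "\"");
            try {
                String[] enabled = applyEnabledProtocols(ctx.createSSLEngine(), list);
                System.out.println("  -> enabled: " + Arrays.toString(enabled));
            } catch (IllegalArgumentException e) {
                System.out.println("  -> JSSE rejected the list: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac JsseProtocolProbe.java && java JsseProtocolProbe`. The first candidate list reduces to SSLv2Hello after "TLS" is dropped and is rejected; the second is accepted. Whether SSLv3 shows up in the Part 1 output is the thing worth looking at on an older JVM: if it does, an explicit sslEnabledProtocols list is the only way to keep it off the connector.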