Hello, I'm in the process of upgrading our Tomcat servers to Tomcat 7 (7.0.57). I'm also trying to use the APR connector (TC-Native 1.1.32) for SSL. The servers sit behind an F5 load balancer (LTM 10.2.1) that uses an HTTP health monitor to mark nodes up/down.
Prior to updating to the APR connector, I was using NIO, with SSLv3 disabled, and the health monitor worked properly:

sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"

The SSLv2Hello is necessary, as the F5 health monitor uses this and there's apparently no way to force TLS with the version that we're on (when I don't explicitly include it, the health monitor fails). There are also possibly some legacy applications that would be using the pseudo-protocol as well.

When trying to use the APR connector (with SSLv3 being disabled), the health monitor fails to connect. Some troubleshooting with OpenSSL (0.9.8x) indicated that I need to force a connection with "-tls1" in order for it to connect (see my post at Stack Overflow: http://stackoverflow.com/questions/27410851/openssl-s-client-cant-connect-to-tomcat-7-via-apr/27414403#27414403 ).

I'm assuming the issue is because SSLv2Hello is disabled with the APR connector... is there any way to explicitly enable it, as I do in the NIO connector?

Thank you!

--
*Tadeusz Sacilowski*
*Manager, Portal & Mobile Development*
Teachers College, Columbia University
sacilow...@tc.columbia.edu
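
What the SSLv2Hello pseudo-protocol mentioned in the message looks like on the wire, as an added example that is not part of the original post: a classifier that tells an SSLv2-framed ClientHello (RFC 5246, Appendix E.2) from a TLS-record-framed one and reports the version offered. The function names and the sample byte strings are constructed for illustration.

```python
import struct

# (major, minor) version bytes as they appear in a ClientHello
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_hello(data: bytes):
    """Return (framing, highest version offered) for a client's first bytes."""
    # SSLv2-compatible framing: 2-byte header with the high bit set and a
    # 15-bit length, then msg_type 1 (CLIENT-HELLO) and the version offered.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        if length < 9 or len(data) < 2 + length:
            return ("truncated", None)
        return ("SSLv2Hello", VERSIONS.get((data[3], data[4]), "unknown"))
    # TLS record framing: type 22 (handshake), record version, 2-byte length,
    # then handshake type 1 (ClientHello), 3-byte length, client_version.
    if len(data) >= 6 and data[0] == 0x16 and data[5] == 0x01:
        if len(data) < 11:
            return ("truncated", None)
        return ("TLS record", VERSIONS.get((data[9], data[10]), "unknown"))
    return ("not a ClientHello", None)

def sample_v2_hello(version=(3, 1)):
    """Constructed sample: SSLv2-framed hello offering TLSv1."""
    cipher_specs = bytes([0x00, 0x00, 0x2F])   # 3-byte V2 cipher spec
    challenge = bytes(16)
    body = struct.pack("!BBBHHH", 1, version[0], version[1],
                       len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body

def sample_tls_hello(version=(3, 3)):
    """Constructed sample: TLS-record-framed hello offering TLSv1.2."""
    body = (bytes(version) + bytes(32) + b"\x00"      # version, random, no session id
            + struct.pack("!H", 2) + b"\x00\x2f"      # one cipher suite
            + b"\x01\x00")                            # null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for name, blob in [("v2 framing", sample_v2_hello()),
                       ("TLS framing", sample_tls_hello()),
                       ("plain HTTP", b"GET / HTTP/1.1\r\n")]:
        print(name, "->", classify_hello(blob))
```

Run against the first bytes of each connection in a packet capture, this identifies which clients still depend on the SSLv2-framed hello before a connector change drops support for it.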