Aurlien, Try the dropbox location in my prev messages. It contains a sample echo server you can use to test. It is a Visual Studio 2013 project. In case you don’t have that, I've uploaded x64 executables under SSLServer_executbale.zip. It is pretty much self contained, it has the redist DLLs, the server cert, all...
It eliminates the need of IIS as it does the same thing - accept connection, read payload, upgrade to 2 way ssl... It generates output like this [1] The line " Decrypt error from SCHANNEL, Client ID: a1cefeb8-bad3-4903-8dbe-fdea347f666e" is emitted when bad record mac is caught on the server side... George [1] Read: 1093 bytes from 192.168.2.164:41525 Read: 165 bytes from 192.168.2.164:41525 Read: 90 bytes from 192.168.2.164:41525 Decrypt error from SCHANNEL, Client ID: a1cefeb8-bad3-4903-8dbe-fdea347f666e Removing Dead Connection, Client ID: a1cefeb8-bad3-4903-8dbe-fdea347f666e Active Connections: 0 New Connection from 192.168.2.164:41526 with Client ID: a94811d3-0872-4b63-a429- 97f980fdc42d Read: 89 bytes from 192.168.2.164:41526 Sent: 145 bytes to 192.168.2.164:41526 Read: 6 bytes from 192.168.2.164:41526 Read: 53 bytes from 192.168.2.164:41526 Handshake Success, Client ID: a94811d3-0872-4b63-a429-97f980fdc42d Read: 213 bytes from 192.168.2.164:41526 Message Client ID: SSL renegotiation: request client cert Handshake Success, Client ID: a94811d3-0872-4b63-a429-97f980fdc42d Sent: 37 bytes to 192.168.2.164:41526 Read: 133 bytes from 192.168.2.164:41526 Sent: 805 bytes to 192.168.2.164:41526 Read: 1093 bytes from 192.168.2.164:41526 Read: 165 bytes from 192.168.2.164:41526 Read: 90 bytes from 192.168.2.164:41526 Sent: 90 bytes to 192.168.2.164:41526 Handshake Success, Client ID: a94811d3-0872-4b63-a429-97f980fdc42d -----Original Message----- From: Aurélien Terrestris [mailto:aterrest...@gmail.com] Sent: Tuesday, October 13, 2015 2:55 PM To: Tomcat Users List Subject: Re: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac "How do you force Java 8 to use SSLv2Hello?" You can do this when writing your own Java client : calling the SSLSocketFactory to create an SSLSocket and configure with setEnabledProtocols ( https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLSocket.html#setEnabledProtocols-java.lang.String:A- ) If you have some IIS server on internet which reproduces the problem, I'll try with JTouch ( jtouch.sourceforge.net ) or write a small client. 2015-10-13 22:22 GMT+02:00 Aurélien Terrestris <aterrest...@gmail.com>: > George, > > do you have any network capture that we can see ? > > 2015-10-13 22:10 GMT+02:00 George Stanchev <gstanc...@serena.com>: > >> >> It might be doable with OpenSSL s_client or something. Tough to >> replicate Java's behavior with a non-Java tool, though. >> >> I tried hard with the s_client but it can limit the protocols to one >> or another but it canot mix-and-match (hello 1.2, ok we will do 1.0) >> like Java >> 8 does. Either TLSv1 or TLSv1.2 but not both. Neither can curl which >> is also on top of openssl. >> >> Today, I spent 2.5 hours with a lemming from MS getting basically >> nowhere. I really need an engineer, but they give me those clueless >> support people that is wasting mine and their time. If someone knows >> how to escalate or a forum where MS developers hang out, I would appreciate >> it. >> The support person I got today was clueless, went over a script and >> any attempt to explain a little more technical details led to total >> confusion and rebooting the script to beginning. Totally frustrating. >> At least with Oracle I got to talk with an actual engineer... >> >> George >> >> >> -----Original Message----- >> From: Christopher Schultz [mailto:ch...@christopherschultz.net] >> Sent: Tuesday, October 13, 2015 2:03 PM >> To: Tomcat Users List >> Subject: Re: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, >> description = bad_record_mac >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA256 >> >> George, >> >> On 10/13/15 12:35 PM, George Stanchev wrote: >> > [1] states: " JDK 7-9 enables SSLv2Hello on the server side only. >> > (Will not send, but will accept SSLv2Hellos)" >> >> Interesting. This absolutely makes sense, though, since SSL should >> just die. :) >> >> > I've opened support case both MS and already there is a bug filed >> > with Oracle on this and really, to be absolutely certain if the >> > issue is in Java or SChannel, one would have to write a non-Java >> > client that that mimics the handshake messages send from Java with >> > something like OpenSSL or NSS or whatever and see if the bug replicates. >> >> It might be doable with OpenSSL s_client or something. Tough to >> replicate Java's behavior with a non-Java tool, though. >> >> > Writing a Java/Java server client could still leave some doubts as >> > one can argue the code reuse could mask the problem - it works but >> > the bug on the client side is hidden by the server containing >> > similar/same bug so the MACs check out... >> > >> > Unfortunately I don't have the time to invest in this more than I >> > already had. And if MS support engineers can pass it on to someone >> > from the windows core team may be we can have some movement forward. >> >> Okay. Thanks for your work so far. >> >> - -chris >> -----BEGIN PGP SIGNATURE----- >> Comment: GPGTools - http://gpgtools.org >> >> iQIcBAEBCAAGBQJWHWNuAAoJEBzwKT+lPKRYgWAP/A8fUJ5Dzu+O46GNWpdobqq0 >> 7ugkb2cQ1VM92Q+22Wtl87GSRPhBS8jwNrBBCJmoyBjRZ/LKVcwtcWLzUIBllXm5 >> t8iorXpQxaps1G0AEEf5tAwHXyN75J2vC9qvRvD6dkekHXHwO3RRqvSCqQjEjeVJ >> XsOdjuIhPwX0B0SN8Apdshvxe98sC9QPn73LNdSM9+j8Ob1vCDHDiMFj60K72Su1 >> E0UmPYEJdhb5D+PvSM/7CMcAlkJYmCl8VlNFWD320ymjObfIMymfOk+kqKLqVItQ >> +r2e20At1qCyeyg2Gcxb4X1ajIhcxdgP7WJYtg57Pwrp4ZVZ6d7RM+CIqt28SfxT >> EtTamDZ8aPYsCKqMWIYRPyLrWaouEuLJEmzweF8B+NxY0svK8vEOiro/vR4LycOZ >> PG5zxuS/QMJR2oEgkeUz9+NhB8nP/qJxMhc40pKGmvZxC7ljM/tP7jTvE1MwmMHE >> P8rX5b3yF8DfMdGZdIlrHJ8wXYSzJdTMJvA5ffXVKaObGMYtAFFDlfupud1iO9ML >> Hh4exxX+/NU7fXt+ot6BLEFAfDD9+z6uOeq+vK6bxaITubFVGIavhowjAgQIBNt3 >> O//p9dJQVKan0db9kqyLpLMrrFYd/cmA8DZDxoY/iaVuoKhJ6blbDMQKi2DlsvgF >> WGDHUsSBZIYTFq5mc7VO >> =eyUN >> -----END PGP SIGNATURE----- >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
