Aurélien, I added good_run.pcap and bad_run.pcap to that dropbox location [1].

I also think this needs to be looked at by MS engineers. I am following up on my support case but really not getting anywhere...

George

[1] https://www.dropbox.com/sh/az1r3agxx4w8r7e/AACRGedBG3G5oh4-qE9652WNa?dl=0

-----Original Message-----
From: Aurélien Terrestris [mailto:aterrest...@gmail.com]
Sent: Thursday, October 15, 2015 7:43 AM
To: Tomcat Users List
Subject: Re: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

George,

I'm not sure we can find any solution, but can we have a look at a pcap capture? Esmond Pitt was posting sometimes, that would be a challenge for him.

2015-10-15 4:33 GMT+02:00 Christopher Schultz <ch...@christopherschultz.net>:

> Aurélien,
>
> On 10/14/15 5:59 PM, Aurélien Terrestris wrote:
> > Still no solutions, I suppose..
> >
> > Did you enable the SSLv2 Hello as suggested by Chris, and what's the result? I tested a small client with Java 8, by adding -Djdk.tls.client.protocols="SSLv2Hello,TLSv1.2" at the command line, and I get my SSLv2 Hello.
>
> It looks like if you add SSLv2Hello to the list of protocols you'll accept, you'll get an SSLv2Hello in there (abridged output):
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> ...
> main, WRITE: TLSv1.2 Handshake, length = 221
> main, WRITE: SSLv2 client hello message, length = 140
> main, READ: TLSv1.2 Handshake, length = 81
> main, READ: TLSv1.2 Handshake, length = 2779
> main, READ: TLSv1.2 Handshake, length = 589
> main, READ: TLSv1.2 Handshake, length = 4
> main, WRITE: TLSv1.2 Handshake, length = 70
> main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> main, WRITE: TLSv1.2 Handshake, length = 40
> main, READ: TLSv1.2 Change Cipher Spec, length = 1
> main, READ: TLSv1.2 Handshake, length = 40
>
> You just have to use a custom SSLSocketFactory that sets the protocols you want to enable on the (client) socket. If one of the protocols you use is "SSLv2Hello".
>
> Oddly enough, when *not* specifying SSLv2Hello, you'll get this (abridged output):
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> ...
> main, WRITE: TLSv1.2 Handshake, length = 221
> main, READ: TLSv1.2 Handshake, length = 89
> main, READ: TLSv1.2 Handshake, length = 2779
> main, READ: TLSv1.2 Handshake, length = 589
> main, READ: TLSv1.2 Handshake, length = 4
> main, WRITE: TLSv1.2 Handshake, length = 70
> main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> main, WRITE: TLSv1.2 Handshake, length = 40
> main, READ: TLSv1.2 Change Cipher Spec, length = 1
> main, READ: TLSv1.2 Handshake, length = 40
>
> When the SSLv2Hello "protocol" isn't enabled, you don't get the "main, WRITE" and "main, READ"
>
> Note that I'm not trying anything with a client certificate, here. I hope that helps somewhat.
> -chris