Hi Chris,
The java servlet (in webapps folder) was written by a consultant and I
have only looked at parts of the source code and don't know all that it
does.
The purpose is to give external integrators a way in to our software
through a REST API.
We have made a reference client in python that connects, creates a
session and can send POST, GET, DELETE, etc.
This sample client will get this 'hello' ssl error with tomcat versions
greater than 7.0.68.
I have also tested a client in c++ that uses the POCO library. Same
hello error.
Since we have only specified the TLSv1.x protocols in the tomcat config
I assume the initial hello request is encapsulated in an SSL2 frame by
one of the TLSv1.x protocols.
The purpose of adding TLSv2Hello was to allow this initial hello request.
If the problem is the java servlet I'd like to correct it to not
encapsulate the hello request in an SSLv2/SSLv3 frame. Could this be the
problem or is it in the calling client?
/Magnus
On 2016-09-27 23:07, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Magnus,
>
> On 9/27/16 10:29 AM, Persson, Magnus (SE-TLX) wrote:
>> We started out with tomcat 7.0.35 and got that running with our
>> REST servlet.
>>
>> When we upgraded to tomcat 7.0.63 we got this error when we tried
>> to create a new session:
>>
>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }
> This is an error message from OpenSSL. Is this the client that is
> choking, or the server?
>
>> Through Google we found out that we needed to add "SSLv2Hello" to
>> the enabled protocols so we changed our connector in server.xml
>> like this (only added SSLv2Hello):
>>
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="150" scheme="https" secure="true"
>> keystoreFile="${catalina.base}/conf/keystore" keystorePass="*"
>> clientAuth="false" sslProtocol="TLS"
>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
>> URIEncoding="UTF-8" />
>>
>> We upgraded to tomcat 7.0.68 and it works fine with above connector
>> in server.xml
> Do you absolutely need to accept SSLv2Hello-formatted handshakes? Most
> of the web has abandoned SSLv3 and below at this point, so SSLv2Hello
> should no longer be necessary.
>
>> When we upgraded to tomcat 7.0.70 we got the sslv3 error again even
>> though we have SSLv2Hello in the enabled protocols:
>>
>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }
>>
>> What do we need to change in the server.xml file to bypass the ssl3
>> error this time?
> That depends upon where you are actually getting that error.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJX6t91AAoJEBzwKT+lPKRY43sP/ifrnLyy+DMjCYPcyLN3TnMQ
> Lym9MvabvQmBOeq7+513h9Bpo6qKrr2cAzRIeWT1fOmr+b+jULjnpwh+iFEHvn7B
> 2lhPUv0afrUyjtb8aCNqOvCCmC2qrv8mbHfQvZwVOaI6LXImu4w7Xdg9TumMx6uo
> qTNMcU58x9vEnvG56ufIVUBewQlb0HOXs7PzsPEFYNp0G3nQ6iIh5MCIByYUwKbz
> f/2I4t2mcHVCz1kKtQd1nLC3xen/fa2MhXpzBqOcdr3jAEs8LU3mqohqrou1vX3a
> iPKpo3pNfMRrq3PRm+agh/M4r88dFy46kaHUnFLKfqhXxqSv9uxdUMWU+7vf7jn1
> PWIs4WZmu0Ub+oIkHFkuHH0+BpwSIHtlRMrvnMZ6mgFOw9QTKltxE1eCtcKcBGN1
> eGIbH5rD2O1pIg8yKYpoyLkh/nEL6C+nXoX790sNu9bl2mr6YQzkkjx9D0o+CVzw
> fGs1s1+ALKRyJVXOubs8Ax/I6jIc9FzMYuWuHI+TGyysr4nxVViHi1abUdkXLhZ7
> eSwprviAlGsAsxMb5l4JjR09xCl0PoSqs8MZ4TIrczLnTTMGTd8NdlyI9I3sVUA+
> 4gsjp0BBqjCMb0cmpC/D8es127AbG4TrwHo5rdE/f172dCx2ib+P1ERqp2V0pRcb
> Xl8RIedkqiBvwpzihW2f
> =9GVJ
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
>
>
> ----------------------------------------------------------------------------------------------
> This E-mail is PLAIN text, not support HTML, see instruction below on how to
> report SPAM.
> -----------------------------------------------------------------------------------------------
> To submit spam as an attachment to an email message using a mail client:
> 1. Open a new email message.
> 2. Drag the spam email from the Inbox into the new email message.
> 3. Enter a...@websense.com in the To field.
> 4. Click Send.
> -----------------------------------------------------------------------------------------------
