2011/11/6 Kobe <r...@mailcity.com>:
> I build tcnative and apr from src with exist ver of openssl (means openssl
> not
> build my me). I load apr connector in tomcat as below.
> when my client connect, I cannot connect: i get "bad version".
> please explain what I do wrong?
> server# ./apr-1-config  --version
> 1.4.5
> server#
> server# openssl version
> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> server#
>  /// APR Connector Configuration in Tomcat6
>  <Connector port="443"
>    protocol="org.apache.coyote.http11.Http11AprProtocol"
>    enableLookups="false" disableUploadTimeout="true"
>    acceptCount="100" scheme="https" secure="true"
>    SSLCertificateFile="server_certificate.pem"
>    SSLCertificateChainFile="cachain.pem"
>    SSLCertificateKeyFile="server.key"
>  />
> $ openssl s_client -connect server.xxx.net:443 -debug -ssl3

> 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:

And what happens with
$ openssl s_client -connect server.xxx.net:443 -debug -tls1

What is on line 293 in s3_pkt.c in the version of openssl the client
side of the connection is using?

I quick guess that client&server cannot negotiate protocol version.
There are some options on <Connector> that might be used to configure
protocols & ciphers that are supported.

Note that
- There were several security fixes in OpenSSL since that version that
you are using.
- You may try googling for your error message. It is mentioned a lot of times.
- You are not mentioning what version of Tomcat x.y.z you are using.
- There might be some messages in Tomcat log files. Does Tomcat start
up cleanly?

Re: Andre's question:
That is openssl in command-line client mode, as a test whether it can
connect to the server.

Best regards,
Konstantin Kolinko

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to