Hi Kobe; 
I can see why it looks like the server is sending the message, but I think 
there's some reference that's being missed.  The SSL debug should show Client 
messages and Server messages. 
One thing that's certain, the SSLv2 ClientHello is a client message sent by the 
client.  This message is never sent by the server. 
On a separate note, the APR is very strict about enforcing TLSv1.  When it's 
configured for TLSv1, it immediately terminates the connection if it receives 
any SSLv2 ClientHello or SSLv3 Client Hello.  If you have a server with an 
active APR that's accepting the SSLv2 (or SSLv3) ClientHello, then the value of 
SSLProtocol is "all' (default), "SSLv2", "SSLv3", or "SSLv2+SSLv3". 


From: users-return-229208-STEVEN.J.ADAMUS=saic....@tomcat.apache.org on behalf 
of Kobe
Sent: Tue 11/8/2011 10:20 PM
To: users@tomcat.apache.org
Subject: Re: SSL connect to APR fails - "bad version"

thank you Chris. I know the server (APR) is sending SSLv2 ClientHello because
ssl debugs show it:

     // from ${CATALINA_HOME}/bin/setenv.sh:
     export JAVA_OPTS="... -Djavax.net.debug=ssl"

   # sh ${CATALINA_HOME}/bin/startup.sh

   // from client
    $ openssl s_client -connect server.xxx.net:443 -debug -ssl3

   // from ${CATALINA_HOME}/logs/catalina.out
   sending SSLv2 ClientHello       <<----   server issues only SSLv2

But same openssl version (FIPS) connects with SSLv3 on another machien.
so I am thinking there is openssl misconfig on this server.

many tahnks.


Christopher Schultz-2 wrote:
> Hash: SHA1
> Kobe,
> On 11/8/11 2:01 PM, Kobe wrote:
>> thank for your help. here is more info on my setup: tomcat version
>> 6.0.29. And tomcat is startin clean; no ererors while loading.
>> if I use tls1, I get same error as before ("bad version").
>> when i test with openssl s_client, I check line 293 of s3_pkt.c. it
>> say -->
>> if ((version>>8) != SSL3_VERSION_MAJOR) {
>> err; }
>> so client is wanting ssl version 3. But i have same error with
>> browser. i donot/cannot find what version browser wants - i Think
>> it is 3.
> Your web browser likely has SSL 2.0 disabled entirely. You should
> check which types of SSL/TLS are enabled.
>> So I am thinking, there is misconfigure on this server. i would
>> like to find why this server respond with SSLv2 ClientHello instead
>> of SSLv3 ClientHello.
> Why do you think you are getting an SSLv2 reply?
>> how do i find this misconfigurn?
> Are you using the same version of openssl as the "client" as you are
> using withing Tomcat? I wonder if the FIPS mode is tripping you up.
> - -chris
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org <http://gpgtools.org/> 
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> iEYEARECAAYFAk65274ACgkQ9CaO5/Lv0PAcfwCeI/nP0CP5Y8Jj1q/1Im/9ef9Y
> tZQAnial2UmsG5FSBSkSclenImxf5YR+
> =vgDW
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

View this message in context: 
Sent from the Tomcat - User mailing list archive at Nabble.com.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to