Posted to users@tomcat.apache.org by Mark Anthony <ma...@yahoo.com> on 2012/02/21 21:41:09 UTC

SSLProtocol with TLSv1+SSLv3 or SSLv3+TLSv1 does not work APR based Apache Tomcat Native 1.1.20 or 1.1.22

Referring to
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/sslcontext.c?r1=1149279&view=log
there is something that is broken that does not support TLSv1+SSLv3.  Tomcat version 6.0.35.  APR details:

INFO: Loaded APR based Apache Tomcat Native library 1.1.22.
Feb 19, 2012 10:22:55 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
random [true].

Tomcat server.xml:

<Connector port="30002" SSLCipherSuite="HIGH:!ADH:!MD5"
           SSLCertificateFile="/local/Tomcat6/0/cluster/machine0/tc6u/tomcat.crt"
           SSLCertificateKeyFile="/local/Tomcat6/0/cluster/machine0/tc6u/tomcat.key"
           SSLPassword="xxx" SSLProtocol="TLSv1+SSLv3" address="0.0.0.0" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"/>

Error noticed in logs:
Feb 19, 2012 10:22:57 PM org.apache.coyote.http11.Http11AprProtocol init
SEVERE: Error initializing endpoint
java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the SSLProtocol attribute
        at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:724)
        at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:107)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1049)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Feb 19, 2012 10:22:57 PM org.apache.catalina.core.StandardService initialize
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-30002]]
LifecycleException:  Protocol handler initialization failed: java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the SSLProtocol attribute
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1051)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Feb 19, 2012 10:22:57 PM org.apache.coyote.ajp.AjpAprProtocol init

Is there a workaround to this issue?


----- 

Tomcat 6.0.35 does not work with the older version 1.1.20 of the APR library:

Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init
INFO: An older version 1.1.20 of the APR based Apache Tomcat Native library is
installed, while Tomcat recommends version greater than 1.1.22
Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
random [true].
Feb 21, 2012 1:38:55 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-0.0.0.0-30221
Feb 21, 2012 1:38:55 PM org.apache.coyote.http11.Http11AprProtocol init
SEVERE: Error initializing endpoint
java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the
SSLProtocol attribute
        at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:724)
        at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:107)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1049)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Feb 21, 2012 1:38:55 PM org.apache.catalina.core.StandardService initialize
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-30222]]
LifecycleException:  Protocol handler initialization failed:
java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the
SSLProtocol attribute
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1051)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)



How can this be resolved? Can an intermediate fix be supplied?

Re: SSLProtocol with TLSv1+SSLv3 or SSLv3+TLSv1 does not work APR based Apache Tomcat Native 1.1.20 or 1.1.22

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/2/22 Mark Anthony <ma...@yahoo.com>:
> Referring to
> http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/sslcontext.c?r1=1149279&view=log
> there is something that is broken that does not support TLSv1+SSLv3.  Tomcat Version 6.0.35  APR Details :
> INFO: Loaded APR based Apache Tomcat Native library 1.1.22.
> Feb 19, 2012 10:22:55 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
> random [true]. Tomcat Server.xml
> (...)
>

Read the docs - there is no such value as "TLSv1+SSLv3".

The old versions just fall back to the value of "all" when facing an
unrecognized value.  The new version treats this misconfiguration as a
fatal error.


Some time recently the support for arbitrary TLS protocol combinations
was implemented in trunk, but that new feature has not been backported
to 6.0 yet. Note that it will require a certain version of
Tomcat-Native.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSLProtocol with TLSv1+SSLv3 or SSLv3+TLSv1 does not work APR based Apache Tomcat Native 1.1.20 or 1.1.22

Posted by Rainer Jung <ra...@kippdata.de>.
On 21.02.2012 21:41, Mark Anthony wrote:
> Referring to
> http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/sslcontext.c?r1=1149279&view=log
> there is something that is broken that does not support TLSv1+SSLv3.

No, it didn't break it.

>  Tomcat Version 6.0.35  APR Details :
> INFO: Loaded APR based Apache Tomcat Native library 1.1.22.
> Feb 19, 2012 10:22:55 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
> random [true]. Tomcat Server.xml
> <Connector port="30002" SSLCipherSuite="HIGH:!ADH:!MD5"
> SSLCertificateFile="/local/Tomcat6/0/cluster/machine0/tc6u/tomcat.crt"
> SSLCertificateKeyFile="/local/Tomcat6/0/cluster/machine0/tc6u/tomcat.key"
> SSLPassword="xxx" SSLProtocol="TLSv1+SSLv3" address="0.0.0.0" SSLEnabled="true"

TLSv1+SSLv3 is not allowed for Tomcat 6. It might be possible in the 
forthcoming version 6.0.36. It does work for Tomcat 7.

> maxThreads="150" scheme="https" secure="true"/>  Error noticed in logs: --
> Feb 19, 2012 10:22:57 PM org.apache.coyote.http11.Http11AprProtocol init
> SEVERE: Error initializing endpoint
> java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the SSLProtocol attribute
>         at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:724)
>         at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:107)
>         at org.apache.catalina.connector.Connector.initialize(Connector.java:1049)
>         at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
>         at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
> Feb 19, 2012 10:22:57 PM org.apache.catalina.core.StandardService initialize
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-30002]]
> LifecycleException:  Protocol handler initialization failed: java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the SSLProtocol attribute
>         at org.apache.catalina.connector.Connector.initialize(Connector.java:1051)
>         at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
>         at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
> Feb 19, 2012 10:22:57 PM org.apache.coyote.ajp.AjpAprProtocol init
>
> Is there a workaround to this issue?

Tomcat 6 does not allow that combination. If you didn't get an error 
message with older releases this does not mean that it has actually worked.

> Tomcat 6.0.35 does not work with the older version 1.1.20 of the APR library

Why do you think so?

> Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init
>
> INFO: An older version 1.1.20 of the APR based Apache Tomcat Native library is
> installed, while Tomcat recommends version greater than 1.1.22

This is an info message containing a recommendation. Not an error.

> Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init
>
> INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
>
> Feb 21, 2012 1:38:55 PM org.apache.catalina.core.AprLifecycleListener init
>
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
> random [true].
>
> Feb 21, 2012 1:38:55 PM org.apache.coyote.http11.Http11AprProtocol init
>
> INFO: Initializing Coyote HTTP/1.1 on http-0.0.0.0-30221
>
> Feb 21, 2012 1:38:55 PM org.apache.coyote.http11.Http11AprProtocol init
>
> SEVERE: Error initializing endpoint
>
> java.lang.Exception: An invalid value [TLSv1+SSLv3] was provided for the
> SSLProtocol attribute

True, this value is not allowed, neither for Tomcat 6, nor for TC native 
1.1.20.

Either switch to TC 7 or use some other protocol setting, like "ALL". 
With a little luck, the next Tomcat 6 release will have that feature 
backported from TC 7.

You can also apply the patch from

http://people.apache.org/~rjung/patches/tc6-apr-all-sslprotocol-r1145209.patch

and rebuild Tomcat 6.

Regards,

Rainer

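Both replies make the same point: "TLSv1+SSLv3" was never a valid SSLProtocol value for the Tomcat 6 APR connector, older builds silently used "all" instead, and 6.0.35 with Native 1.1.22 now refuses to start the connector. The script below is an added example by the editor, not code from the thread or from Tomcat itself. It audits the SSLEnabled connectors in a server.xml and reports, for each one, whether the value is accepted, falls back to the endpoint default, or is invalid, and what that meant under the old (silent) and new (fail-closed) behaviour. The set of accepted values is an assumption taken from the documented Tomcat 6 APR values and is matched case-insensitively; the sample server.xml is constructed here, with its first connector copied from the original post.

```python
"""Audit SSLProtocol values in a Tomcat 6 server.xml the way the APR endpoint
treats them.  Editor's added example; not Tomcat's own code.

Assumptions (labelled):
  * ACCEPTED is taken as the documented value set of the Tomcat 6 APR
    connector's SSLProtocol attribute, compared case-insensitively.
    "TLSv1+SSLv3" is not in it, which is what the thread's error is about.
  * strict=True models Tomcat 6.0.35 with Native 1.1.22 (unknown value is
    fatal); strict=False models the older builds that silently used "all".
"""
import xml.etree.ElementTree as ET

# Assumption: documented Tomcat 6 APR values for SSLProtocol (compared lower-cased).
ACCEPTED = {"sslv2", "sslv3", "tlsv1", "sslv2+sslv3", "all"}

# Constructed sample server.xml; the first connector is the one quoted in the thread.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="30002" SSLCipherSuite="HIGH:!ADH:!MD5"
               SSLCertificateFile="/local/Tomcat6/0/cluster/machine0/tc6u/tomcat.crt"
               SSLCertificateKeyFile="/local/Tomcat6/0/cluster/machine0/tc6u/tomcat.key"
               SSLPassword="xxx" SSLProtocol="TLSv1+SSLv3" address="0.0.0.0" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"/>
    <Connector port="30003" SSLEnabled="true" SSLProtocol="ALL" scheme="https" secure="true"/>
    <Connector port="30004" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def classify(value):
    """Classify one SSLProtocol attribute value.

    "accepted": a documented value, applied as written
    "default":  attribute missing or empty; the endpoint uses "all"
    "invalid":  unknown value; fatal on 6.0.35/1.1.22, silent "all" on older builds
    """
    if value is None or value.strip() == "":
        return "default"
    if value.strip().lower() in ACCEPTED:
        return "accepted"
    return "invalid"


def audit_server_xml(xml_text, strict=True):
    """Return one (port, value, kind, verdict) tuple per SSLEnabled connector."""
    root = ET.fromstring(xml_text)
    report = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector: SSLProtocol is irrelevant
        value = conn.get("SSLProtocol")
        kind = classify(value)
        if kind == "invalid" and strict:
            verdict = "FATAL: endpoint init fails, connector will not start"
        elif kind == "invalid":
            verdict = 'WARNING: value ignored, endpoint silently used "all"'
        elif kind == "default":
            verdict = 'NOTE: no SSLProtocol given, endpoint uses "all"'
        else:
            verdict = "OK"
        report.append((conn.get("port"), value, kind, verdict))
    return report


if __name__ == "__main__":
    for strict in (True, False):
        print("Tomcat 6.0.35 / Native 1.1.22" if strict else "older Tomcat 6 / Native")
        for port, value, kind, verdict in audit_server_xml(SAMPLE_SERVER_XML, strict):
            print(f"  port {port}: SSLProtocol={value!r:<16} {verdict}")
```

Run it against a real server.xml by passing the file's contents to audit_server_xml. The WARNING branch is the one worth acting on before an upgrade: as Rainer notes, the absence of an error on older builds never meant the restriction was applied, so any connector the script flags as invalid has been running with the endpoint's "all" setting rather than the protocols the operator intended.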