Posted to users@tomcat.apache.org by Kobe <rk...@mailcity.com> on 2011/11/06 01:40:02 UTC

SSL connect to APR fails - "bad version"

I built tcnative and apr from src with the existing version of openssl (meaning openssl was
not built by me). I load the apr connector in tomcat as below.

When my client connects, I cannot connect: I get "bad version".
Please explain what I am doing wrong?


server# ./apr-1-config  --version
1.4.5
server#
server# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
server#



  /// APR Connector Configuration in Tomcat6
 <Connector port="443"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    SSLCertificateFile="server_certificate.pem"
    SSLCertificateChainFile="cachain.pem"
    SSLCertificateKeyFile="server.key"
  />




$ openssl s_client -connect server.xxx.net:443 -debug -ssl3
CONNECTED(00000003)
write to 0x100119470 [0x100815e00] (95 bytes => 95 (0x5F))
0000 - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d   ....Z...V..N..>-
0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f   W..<...Uvu!|..7o
0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39   .+h|e..,.......9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01         ..............
005f - <SPACES/NULS>
read from 0x100119470 [0x100811400] (5 bytes => 5 (0x5))
0000 - 48 54 54 50 2f                                    HTTP/
write to 0x100119470 [0x10081b800] (7 bytes => 7 (0x7))
0000 - 15 03 00 00 02 02 28                              ......(
44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
$ 


thank you.

Kobe
-- 
View this message in context: http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32788669.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
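
Added example, not part of the original thread: a small Python parser for the `openssl s_client -debug` capture in the post above. It reads the first five bytes of each block as an SSLv3/TLS record header and applies the same `(version>>8) != SSL3_VERSION_MAJOR` test that is quoted later in the thread from `s3_pkt.c`; the function names are illustrative.

```python
import re

SSL3_VERSION_MAJOR = 0x03  # constant used by the s3_pkt.c check quoted in the thread
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 70: "protocol_version"}

# s_client -debug output copied from the first post; the ClientHello is cut to
# its first dump row because only the 5-byte record headers are examined.
DEBUG_OUTPUT = """\
write to 0x100119470 [0x100815e00] (95 bytes => 95 (0x5F))
0000 - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d   ....Z...V..N..>-
read from 0x100119470 [0x100811400] (5 bytes => 5 (0x5))
0000 - 48 54 54 50 2f                                    HTTP/
write to 0x100119470 [0x10081b800] (7 bytes => 7 (0x7))
0000 - 15 03 00 00 02 02 28                              ......(
"""

IO_LINE = re.compile(r"^(write to|read from) 0x[0-9a-f]+ \[0x[0-9a-f]+\] \((\d+) bytes")
# Offset, then up to 16 hex pairs; matching stops at the gap before the ASCII column.
HEX_LINE = re.compile(r"^[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -]?){1,16})")


def parse_debug_dump(text):
    """Return [(direction, declared_length, bytes_seen)] for each I/O block."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        io = IO_LINE.match(line)
        if io:
            blocks.append([io.group(1).split()[0], int(io.group(2)), bytearray()])
            continue
        row = HEX_LINE.match(line)
        if row and blocks:
            blocks[-1][2] += bytes.fromhex(row.group(1).replace("-", " "))
    return [(d, n, bytes(b)) for d, n, b in blocks]


def describe_record_header(data):
    """Decode the 5-byte SSLv3/TLS record header and apply the quoted check."""
    if len(data) < 5:
        raise ValueError("record header needs 5 bytes")
    version = (data[1] << 8) | data[2]
    return {
        "content_type": CONTENT_TYPES.get(data[0], "unknown(0x%02x)" % data[0]),
        "version": version,
        "length": (data[3] << 8) | data[4],
        # Mirrors: if ((version>>8) != SSL3_VERSION_MAJOR) -> WRONG_VERSION_NUMBER
        "wrong_version_number": (version >> 8) != SSL3_VERSION_MAJOR,
        "plaintext_http": data[:5] == b"HTTP/",
    }


def decode_alert(record):
    """Return (level, description) for a 2-byte alert record, else None."""
    hdr = describe_record_header(record)
    if hdr["content_type"] != "alert" or hdr["length"] != 2 or len(record) < 7:
        return None
    return (ALERT_LEVELS.get(record[5], str(record[5])),
            ALERT_DESCRIPTIONS.get(record[6], str(record[6])))


def diagnose(text):
    """Summarise each I/O block of an s_client -debug capture."""
    findings = []
    for direction, declared, data in parse_debug_dump(text):
        if len(data) < 5:
            findings.append((direction, declared, "too short for a record header"))
            continue
        hdr = describe_record_header(data)
        if hdr["plaintext_http"]:
            verdict = "plaintext HTTP reply, not an SSL/TLS record"
        elif hdr["wrong_version_number"]:
            verdict = "not an SSLv3/TLS record (major version 0x%02x)" % (hdr["version"] >> 8)
        elif hdr["content_type"] == "alert":
            verdict = "alert: %s %s" % (decode_alert(data) or ("?", "?"))
        else:
            verdict = "%s record, version 0x%04x, %d-byte body" % (
                hdr["content_type"], hdr["version"], hdr["length"])
        findings.append((direction, declared, verdict))
    return findings


if __name__ == "__main__":
    for direction, declared, verdict in diagnose(DEBUG_OUTPUT):
        print("%-5s %3d bytes: %s" % (direction, declared, verdict))
```

In this capture the `read` block is the telling one: the peer's first five bytes are ASCII `HTTP/`, so the version check fails on a plaintext reply from port 443 rather than on a disagreement between SSLv2, SSLv3 and TLSv1. The posted `<Connector>` carries no `SSLEnabled` attribute, which the Tomcat 6 connector documentation gives a default of false; that connection is an editorial observation, not something the thread establishes.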


Re: SSL connect to APR fails - "bad version"

Posted by Kobe <rk...@mailcity.com>.
Many thanks again for your time and help.

Problem is: the same openssl version is working on another server
and successfully sets up SSLv3 connections with the same client.
So I am thinking there is a misconfiguration on this server. I would like
to find why this server responds with SSLv2 ClientHello instead of
SSLv3 ClientHello.

How do I find this misconfiguration?

/Kobe


Marvin Addison wrote:
> 
> The following works as expected on my config (6.0.26) using the
> default protocols and cipher suite as in your config:
> 
> $ openssl s_client -connect eiger:443 -debug -ssl3
> CONNECTED(00000003)
> ...
> 
> Something in your SSL version jumped out at me:
> 
> OpenSSL 0.9.8e-fips-rhel5
> 
> Looks like you're running OpenSSL with the FIPS compliance features
> enabled, which may impose additional requirements on SSL negotiation.
> I can't provide any further insight, but hopefully it might point to
> an area for further investigation.
> 
> M
> 


Re: SSL connect to APR fails - "bad version"

Posted by Marvin Addison <ma...@gmail.com>.
The following works as expected on my config (6.0.26) using the
default protocols and cipher suite as in your config:

$ openssl s_client -connect eiger:443 -debug -ssl3
CONNECTED(00000003)
...

Something in your SSL version jumped out at me:

OpenSSL 0.9.8e-fips-rhel5

Looks like you're running OpenSSL with the FIPS compliance features
enabled, which may impose additional requirements on SSL negotiation.
I can't provide any further insight, but hopefully it might point to
an area for further investigation.

M



RE: SSL connect to APR fails - "bad version"

Posted by "Adamus, Steven J." <ST...@saic.com>.
Hi Kobe; 
 
I can see why it looks like the server is sending the message, but I think there's some reference that's being missed.  The SSL debug should show Client messages and Server messages. 
 
One thing that's certain, the SSLv2 ClientHello is a client message sent by the client.  This message is never sent by the server. 
 
On a separate note, the APR is very strict about enforcing TLSv1.  When it's configured for TLSv1, it immediately terminates the connection if it receives any SSLv2 ClientHello or SSLv3 Client Hello.  If you have a server with an active APR that's accepting the SSLv2 (or SSLv3) ClientHello, then the value of SSLProtocol is "all" (default), "SSLv2", "SSLv3", or "SSLv2+SSLv3".
 
Regards, 
Steve





Re: SSL connect to APR fails - "bad version"

Posted by Kobe <rk...@mailcity.com>.
Thank you, Chris. I know the server (APR) is sending SSLv2 ClientHello because
the ssl debugs show it:


     // from ${CATALINA_HOME}/bin/setenv.sh:
     export JAVA_OPTS="... -Djavax.net.debug=ssl"
     //...

   # sh ${CATALINA_HOME}/bin/startup.sh

   // from client
    $ openssl s_client -connect server.xxx.net:443 -debug -ssl3

   // from ${CATALINA_HOME}/logs/catalina.out
   ...
   sending SSLv2 ClientHello       <<----   server issues only SSLv2 ClientHello


But the same openssl version (FIPS) connects with SSLv3 on another machine,
so I am thinking there is an openssl misconfig on this server.

Many thanks.

/Kobe


Christopher Schultz-2 wrote:
> 
> Kobe,
> 
> On 11/8/11 2:01 PM, Kobe wrote:
>> thank for your help. here is more info on my setup: tomcat version
>> 6.0.29. And tomcat is startin clean; no ererors while loading.
>> 
>> if I use tls1, I get same error as before ("bad version").
>> 
>> when i test with openssl s_client, I check line 293 of s3_pkt.c. it
>> say -->
>> 
>> 
>>     if ((version>>8) != SSL3_VERSION_MAJOR) {
>>         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
>>         goto err;
>>     }
>> 
>> 
>> 
>> so client is wanting ssl version 3. But i have same error with
>> browser. i donot/cannot find what version browser wants - i Think
>> it is 3.
> 
> Your web browser likely has SSL 2.0 disabled entirely. You should
> check which types of SSL/TLS are enabled.
> 
>> So I am thinking, there is misconfigure on this server. i would
>> like to find why this server respond with SSLv2 ClientHello instead
>> of SSLv3 ClientHello.
> 
> Why do you think you are getting an SSLv2 reply?
> 
>> how do i find this misconfigurn?
> 
> Are you using the same version of openssl as the "client" as you are
> using within Tomcat? I wonder if the FIPS mode is tripping you up.
> 
> -chris


Re: SSL connect to APR fails - "bad version"

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Kobe,

On 11/8/11 2:01 PM, Kobe wrote:
> thank for your help. here is more info on my setup: tomcat version
> 6.0.29. And tomcat is startin clean; no ererors while loading.
> 
> if I use tls1, I get same error as before ("bad version").
> 
> when i test with openssl s_client, I check line 293 of s3_pkt.c. it
> say -->
> 
> 
>     if ((version>>8) != SSL3_VERSION_MAJOR) {
>         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
>         goto err;
>     }
> 
> 
> 
> so client is wanting ssl version 3. But i have same error with
> browser. i donot/cannot find what version browser wants - i Think
> it is 3.

Your web browser likely has SSL 2.0 disabled entirely. You should
check which types of SSL/TLS are enabled.

> So I am thinking, there is misconfigure on this server. i would
> like to find why this server respond with SSLv2 ClientHello instead
> of SSLv3 ClientHello.

Why do you think you are getting an SSLv2 reply?

> how do i find this misconfigurn?

Are you using the same version of openssl as the "client" as you are
using within Tomcat? I wonder if the FIPS mode is tripping you up.

-chris


Re: SSL connect to APR fails - "bad version"

Posted by Kobe <rk...@mailcity.com>.
Thanks for your help. Here is more info on my setup: tomcat version 6.0.29.
And tomcat is starting clean; no errors while loading.

If I use tls1, I get the same error as before ("bad version").

When I test with openssl s_client, I check line 293 of s3_pkt.c. It says -->


            if ((version>>8) != SSL3_VERSION_MAJOR)
                        {
                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
                        goto err;
                        }



So the client is wanting ssl version 3. But I have the same error with the browser. I
do not/cannot find what version the browser wants - I think it is 3.


Konstantin Kolinko wrote:
> 
> 2011/11/6 Kobe <rk...@mailcity.com>:
>>
>> I build tcnative and apr from src with exist ver of openssl (means
>> openssl
>> not
>> build my me). I load apr connector in tomcat as below.
>>
>> when my client connect, I cannot connect: i get "bad version".
>> please explain what I do wrong?
>>
>>
>> server# ./apr-1-config  --version
>> 1.4.5
>> server#
>> server# openssl version
>> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>> server#
>>
>>  /// APR Connector Configuration in Tomcat6
>>  <Connector port="443"
>>    protocol="org.apache.coyote.http11.Http11AprProtocol"
>>    enableLookups="false" disableUploadTimeout="true"
>>    acceptCount="100" scheme="https" secure="true"
>>    SSLCertificateFile="server_certificate.pem"
>>    SSLCertificateChainFile="cachain.pem"
>>    SSLCertificateKeyFile="server.key"
>>  />
>>
>>
>> $ openssl s_client -connect server.xxx.net:443 -debug -ssl3
> 
>> 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
>> number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
> 
> And what happens with
> $ openssl s_client -connect server.xxx.net:443 -debug -tls1
> ?
> 
> What is on line 293 in s3_pkt.c in the version of openssl the client
> side of the connection is using?
> 
> I quick guess that client&server cannot negotiate protocol version.
> There are some options on <Connector> that might be used to configure
> protocols & ciphers that are supported.
> 
> Note that
> - There were several security fixes in OpenSSL since that version that
> you are using.
> - You may try googling for your error message. It is mentioned a lot of
> times.
> - You are not mentioning what version of Tomcat x.y.z you are using.
> - There might be some messages in Tomcat log files. Does Tomcat start
> up cleanly?
> 
> Re: Andre's question:
> That is openssl in command-line client mode, as a test whether it can
> connect to the server.
> 
> Best regards,
> Konstantin Kolinko
> 


Re: SSL connect to APR fails - "bad version"

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/11/6 Kobe <rk...@mailcity.com>:
>
> I build tcnative and apr from src with exist ver of openssl (means openssl
> not
> build my me). I load apr connector in tomcat as below.
>
> when my client connect, I cannot connect: i get "bad version".
> please explain what I do wrong?
>
>
> server# ./apr-1-config  --version
> 1.4.5
> server#
> server# openssl version
> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> server#
>
>  /// APR Connector Configuration in Tomcat6
>  <Connector port="443"
>    protocol="org.apache.coyote.http11.Http11AprProtocol"
>    enableLookups="false" disableUploadTimeout="true"
>    acceptCount="100" scheme="https" secure="true"
>    SSLCertificateFile="server_certificate.pem"
>    SSLCertificateChainFile="cachain.pem"
>    SSLCertificateKeyFile="server.key"
>  />
>
>
> $ openssl s_client -connect server.xxx.net:443 -debug -ssl3

> 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:

And what happens with
$ openssl s_client -connect server.xxx.net:443 -debug -tls1
?

What is on line 293 in s3_pkt.c in the version of openssl the client
side of the connection is using?

My quick guess is that client & server cannot negotiate protocol version.
There are some options on <Connector> that might be used to configure
protocols & ciphers that are supported.

Note that
- There were several security fixes in OpenSSL since that version that
you are using.
- You may try googling for your error message. It is mentioned a lot of times.
- You are not mentioning what version of Tomcat x.y.z you are using.
- There might be some messages in Tomcat log files. Does Tomcat start
up cleanly?

Re: Andre's question:
That is openssl in command-line client mode, as a test whether it can
connect to the server.

Best regards,
Konstantin Kolinko



Re: SSL connect to APR fails - "bad version"

Posted by André Warnier <aw...@ice-sa.com>.
Kobe,
nothing is wrong. It was just my lack of familiarity with the SSL client that was the 
cause of my puzzlement.  Konstantin's answer already cleared that up for me.

I was just wondering what you were trying to do, connecting to Tomcat with a command-line 
client, and you did not provide a lot of contextual information along with your question, 
to explain that.  Had you for example added a phrase like "To check that the SSL 
connection is working, I am trying to connect to Tomcat's SSL Connector using the OpenSSL 
command-line client, and the answer I am getting is this : ..", things would have been 
clearer, even for me.

You see, on the list we get all kinds of questions, from all kinds of people.
Sometimes posters here try to have Tomcat serve the morning coffee, and wonder why it 
doesn't work.  Sometimes they seem to think that this is the Apache httpd or Weblogic 
support list.

André


Kobe wrote:
> Actually, whether it be webaccess or webservice access, i not follow
> your confusion. pleas explain why this is wrong.
> 
> /Kobe
> 
> Kobe wrote:
>> Tomcat is also a servlet container and may be used to host web services.
>> That is the case here. the web service client is hosted in a BEA weblogic
>> server
>> and attempts to connect to the web service over SSL.
>>
>> /Kobe
>>
>>
>> awarnier wrote:
>>> Kobe wrote:
>>>> I build tcnative and apr from src with exist ver of openssl (means
>>>> openssl
>>>> not
>>>> build my me). I load apr connector in tomcat as below.
>>>>
>>>> when my client connect, I cannot connect: i get "bad version". 
>>>> please explain what I do wrong?
>>>>
>>>>
>>>> server# ./apr-1-config  --version
>>>> 1.4.5
>>>> server#
>>>> server# openssl version
>>>> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>>>> server#
>>>>
>>>>
>>>>
>>>>   /// APR Connector Configuration in Tomcat6
>>>>  <Connector port="443"
>>>>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>     enableLookups="false" disableUploadTimeout="true"
>>>>     acceptCount="100" scheme="https" secure="true"
>>>>     SSLCertificateFile="server_certificate.pem"
>>>>     SSLCertificateChainFile="cachain.pem"
>>>>     SSLCertificateKeyFile="server.key"
>>>>   />
>>>>
>>>>
>>>>
>>>>
>>>> $ openssl s_client -connect server.xxx.net:443 -debug -ssl3
>>>> CONNECTED(00000003)
>>>> write to 0x100119470 [0x100815e00] (95 bytes => 95 (0x5F))
>>>> 0000 - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d   ....Z...V..N..>-
>>>> 0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f   W..<...Uvu!|..7o
>>>> 0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39   .+h|e..,.......9
>>>> 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
>>>> 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
>>>> 0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01         ..............
>>>> 005f - <SPACES/NULS>
>>>> read from 0x100119470 [0x100811400] (5 bytes => 5 (0x5))
>>>> 0000 - 48 54 54 50 2f                                    HTTP/
>>>> write to 0x100119470 [0x10081b800] (7 bytes => 7 (0x7))
>>>> 0000 - 15 03 00 00 02 02 28                              ......(
>>>> 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
>>>> number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
>>>> $ 
>>>>
>>> Hi.
>>> I don't know if other members of this list will be as puzzled as I am,
>>> but it is not clear 
>>> to me what you are trying to achieve.
>>> I mean that Tomcat is in principle a web server, normally answering web
>>> browser requests 
>>> (via HTTP or HTTPS).  What are you trying to do when you access it with
>>> the above type of 
>>> client, and what are you sending to Tomcat, and why ?
>>>
>>>


Re: SSL connect to APR fails - "bad version"

Posted by Kobe <rk...@mailcity.com>.
Actually, whether it be webaccess or webservice access, I do not follow
your confusion. Please explain why this is wrong.

/Kobe

Kobe wrote:
> 
> Tomcat is also a servlet container and may be used to host web services.
> That is the case here. the web service client is hosted in a BEA weblogic
> server
> and attempts to connect to the web service over SSL.
> 
> /Kobe
> 
> 
> awarnier wrote:
>> 
>> Kobe wrote:
>>> I build tcnative and apr from src with exist ver of openssl (means
>>> openssl
>>> not
>>> build my me). I load apr connector in tomcat as below.
>>> 
>>> when my client connect, I cannot connect: i get "bad version". 
>>> please explain what I do wrong?
>>> 
>>> 
>>> server# ./apr-1-config  --version
>>> 1.4.5
>>> server#
>>> server# openssl version
>>> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>>> server#
>>> 
>>> 
>>> 
>>>   /// APR Connector Configuration in Tomcat6
>>>  <Connector port="443"
>>>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>     enableLookups="false" disableUploadTimeout="true"
>>>     acceptCount="100" scheme="https" secure="true"
>>>     SSLCertificateFile="server_certificate.pem"
>>>     SSLCertificateChainFile="cachain.pem"
>>>     SSLCertificateKeyFile="server.key"
>>>   />
>>> 
>>> 
>>> 
>>> 
>>> $ openssl s_client -connect server.xxx.net:443 -debug -ssl3
>>> CONNECTED(00000003)
>>> write to 0x100119470 [0x100815e00] (95 bytes => 95 (0x5F))
>>> 0000 - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d   ....Z...V..N..>-
>>> 0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f   W..<...Uvu!|..7o
>>> 0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39   .+h|e..,.......9
>>> 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
>>> 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
>>> 0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01         ..............
>>> 005f - <SPACES/NULS>
>>> read from 0x100119470 [0x100811400] (5 bytes => 5 (0x5))
>>> 0000 - 48 54 54 50 2f                                    HTTP/
>>> write to 0x100119470 [0x10081b800] (7 bytes => 7 (0x7))
>>> 0000 - 15 03 00 00 02 02 28                              ......(
>>> 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
>>> number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
>>> $ 
>>> 
>> Hi.
>> I don't know if other members of this list will be as puzzled as I am,
>> but it is not clear 
>> to me what you are trying to achieve.
>> I mean that Tomcat is in principle a web server, normally answering web
>> browser requests 
>> (via HTTP or HTTPS).  What are you trying to do when you access it with
>> the above type of 
>> client, and what are you sending to Tomcat, and why ?
>> 
>> 


Re: SSL connect to APR fails - "bad version"

Posted by Kobe <rk...@mailcity.com>.
Tomcat is also a servlet container and may be used to host web services.
That is the case here. The web service client is hosted in a BEA weblogic
server and attempts to connect to the web service over SSL.

/Kobe


awarnier wrote:
> 
> Kobe wrote:
>> I build tcnative and apr from src with exist ver of openssl (means
>> openssl
>> not
>> build my me). I load apr connector in tomcat as below.
>> 
>> when my client connect, I cannot connect: i get "bad version". 
>> please explain what I do wrong?
>> 
>> 
>> server# ./apr-1-config  --version
>> 1.4.5
>> server#
>> server# openssl version
>> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>> server#
>> 
>> 
>> 
>>   /// APR Connector Configuration in Tomcat6
>>  <Connector port="443"
>>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>>     enableLookups="false" disableUploadTimeout="true"
>>     acceptCount="100" scheme="https" secure="true"
>>     SSLCertificateFile="server_certificate.pem"
>>     SSLCertificateChainFile="cachain.pem"
>>     SSLCertificateKeyFile="server.key"
>>   />
>> 
>> 
>> 
>> 
>> $ openssl s_client -connect server.xxx.net:443 -debug -ssl3
>> CONNECTED(00000003)
>> write to 0x100119470 [0x100815e00] (95 bytes => 95 (0x5F))
>> 0000 - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d   ....Z...V..N..>-
>> 0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f   W..<...Uvu!|..7o
>> 0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39   .+h|e..,.......9
>> 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
>> 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
>> 0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01         ..............
>> 005f - <SPACES/NULS>
>> read from 0x100119470 [0x100811400] (5 bytes => 5 (0x5))
>> 0000 - 48 54 54 50 2f                                    HTTP/
>> write to 0x100119470 [0x10081b800] (7 bytes => 7 (0x7))
>> 0000 - 15 03 00 00 02 02 28                              ......(
>> 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
>> number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
>> $ 
>> 
> Hi.
> I don't know if other members of this list will be as puzzled as I am, but
> it is not clear 
> to me what you are trying to achieve.
> I mean that Tomcat is in principle a web server, normally answering web
> browser requests 
> (via HTTP or HTTPS).  What are you trying to do when you access it with
> the above type of 
> client, and what are you sending to Tomcat, and why ?
> 
> 


Re: SSL connect to APR fails - "bad version"

Posted by André Warnier <aw...@ice-sa.com>.
Kobe wrote:
> I build tcnative and apr from src with exist ver of openssl (means openssl
> not
> build my me). I load apr connector in tomcat as below.
> 
> when my client connect, I cannot connect: i get "bad version". 
> please explain what I do wrong?
> 
> 
> server# ./apr-1-config  --version
> 1.4.5
> server#
> server# openssl version
> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> server#
> 
> 
> 
>   /// APR Connector Configuration in Tomcat6
>  <Connector port="443"
>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>     enableLookups="false" disableUploadTimeout="true"
>     acceptCount="100" scheme="https" secure="true"
>     SSLCertificateFile="server_certificate.pem"
>     SSLCertificateChainFile="cachain.pem"
>     SSLCertificateKeyFile="server.key"
>   />
> 
> 
> 
> 
> $ openssl s_client -connect server.xxx.net:443 -debug -ssl3
> CONNECTED(00000003)
> write to 0x100119470 [0x100815e00] (95 bytes => 95 (0x5F))
> 0000 - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d   ....Z...V..N..>-
> 0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f   W..<...Uvu!|..7o
> 0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39   .+h|e..,.......9
> 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
> 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
> 0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01         ..............
> 005f - <SPACES/NULS>
> read from 0x100119470 [0x100811400] (5 bytes => 5 (0x5))
> 0000 - 48 54 54 50 2f                                    HTTP/
> write to 0x100119470 [0x10081b800] (7 bytes => 7 (0x7))
> 0000 - 15 03 00 00 02 02 28                              ......(
> 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
> $ 
> 
Hi.
I don't know if other members of this list will be as puzzled as I am, but it is not clear 
to me what you are trying to achieve.
I mean that Tomcat is in principle a web server, normally answering web browser requests 
(via HTTP or HTTPS).  What are you trying to do when you access it with the above type of 
client, and what are you sending to Tomcat, and why ?

