Posted to users@tomcat.apache.org by "Persson, Magnus (SE-TLX)" <ma...@assaabloy.com> on 2016/09/27 14:29:23 UTC

How do deal with 'sslv3 alert handshake failure'?

Hi,

We started out with tomcat 7.0.35 and got that running with our REST 
servlet.

When we upgraded to tomcat 7.0.63 we got this error when we tried to 
create a new session:

{
     "message": "[Errno 1] _ssl.c:507: error:14077410:SSL 
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"
}

Through Google we found out that we needed to add "SSLv2Hello" to the 
enabled protocols so we changed our connector in server.xml like this 
(only added SSLv2Hello):

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore"
           keystorePass="*" clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
           URIEncoding="UTF-8" />

We upgraded to tomcat 7.0.68 and it works fine with the above connector in 
server.xml.

When we upgraded to tomcat 7.0.70 we got the sslv3 error again even 
though we have SSLv2Hello in the enabled protocols:

{
     "message": "[Errno 1] _ssl.c:507: error:14077410:SSL 
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"
}

What do we need to change in the server.xml file to bypass the ssl3 
error this time?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


How do deal with 'sslv3 alert handshake failure'?

Posted by "Persson, Magnus (SE-TLX)" <ma...@assaabloy.com>.
Hi,

I really need to read up on https clients.
The reference example written in python is using SSL23 and so did the 
sample https client I wrote in c++ using the POCO library. I found the 
setting to switch to TLS1.x and now I can use tomcat 7.0.70 without 
enabling the SSLv2Hello protocol.

Thanks for the help about removing the need to use SSLv2Hello.

/Magnus

On 2016-09-28 08:20, Persson, Magnus (SE-TLX) wrote:
> Hi Chris,
>
> The java servlet (in webapps folder) was written by a consultant and I
> have only looked at parts of the source code and don't know all that it
> does.
>
> The purpose is to give external integrators a way in to our software
> through a REST API.
> We have made a reference client in python that connects, creates a
> session and can send POST, GET, DELETE, etc.
>
> This sample client will get this 'hello' ssl error with tomcat versions
> greater than 7.0.68.
> I have also tested a client in c++ that uses the POCO library. Same
> hello error.
>
> Since we have only specified the TLSv1.x protocols in the tomcat config
> I assume the initial hello request is encapsulated in an SSL2 frame by
> one of the TLSv1.x protocols.
> The purpose of adding TLSv2Hello was to allow this initial hello request.
>
> If the problem is the java servlet I'd like to correct it to not
> encapsulate the hello request in an SSLv2/SSLv3 frame. Could this be the
> problem or is it in the calling client?
>
> /Magnus
>
> On 2016-09-27 23:07, Christopher Schultz wrote:
>>
>> Magnus,
>>
>> On 9/27/16 10:29 AM, Persson, Magnus (SE-TLX) wrote:
>>> We started out with tomcat 7.0.35 and got that running with our
>>> REST servlet.
>>>
>>> When we upgraded to tomcat 7.0.63 we got this error when we tried
>>> to create a new session:
>>>
>>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }
>> This is an error message from OpenSSL. Is this the client that is
>> choking, or the server?
>>
>>> Through Google we found out that we needed to add "SSLv2Hello" to
>>> the enabled protocols so we changed our connector in server.xml
>>> like this (only added SSLv2Hello):
>>>
>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>> maxThreads="150" scheme="https" secure="true"
>>> keystoreFile="${catalina.base}/conf/keystore" keystorePass="*"
>>> clientAuth="false" sslProtocol="TLS"
>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
>>> URIEncoding="UTF-8" />
>>>
>>> We upgraded to tomcat 7.0.68 and it works fine with above connector
>>> in server.xml
>> Do you absolutely need to accept SSLv2Hello-formatted handshakes? Most
>> of the web has abandoned SSLv3 and below at this point, so SSLv2Hello
>> should no longer be necessary.
>>
>>> When we upgraded to tomcat 7.0.70 we got the sslv3 error again even
>>> though we have SSLv2Hello in the enabled protocols:
>>>
>>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }
>>>
>>> What do we need to change in the server.xml file to bypass the ssl3
>>> error this time?
>> That depends upon where you are actually getting that error.
>>
>> -chris

Re: How do deal with 'sslv3 alert handshake failure'?

Posted by "Persson, Magnus (SE-TLX)" <ma...@assaabloy.com>.
Chris,

In tomcat 7.0.68 we added SSLv2Hello to allow our clients to connect but 
that does not work in versions after that. Maybe they changed the meaning 
of that protocol addition.

However, I changed the C++ POCO client to only use TLSv1.x and removed 
the SSLv2Hello protocol from tomcat config.
Works fine. I just need to change our reference implementation in python 
to stop using SSL23 too (which I do not know how to yet but that's 
another story).

I'm still learning the client and server parts of https and your 
valuable information is really helpful.
Thanks for your help,
Magnus

On 2016-09-28 17:48, Christopher Schultz wrote:
>
> Magnus,
>
> On 9/28/16 2:20 AM, Persson, Magnus (SE-TLX) wrote:
>> The java servlet (in webapps folder) was written by a consultant
>> and I have only looked at parts of the source code and don't know
>> all that it does.
>>
>> The purpose is to give external integrators a way in to our
>> software through a REST API. We have made a reference client in
>> python that connects, creates a session and can send POST, GET,
>> DELETE, etc.
> Understood. The implementation of the servlet is largely irrelevant,
> since Tomcat is handling the TLS configuration.
>
>> This sample client will get this 'hello' ssl error with tomcat
>> versions greater than 7.0.68. I have also tested a client in c++
>> that uses the POCO library. Same hello error.
> So you are using a C++ client using POCO. It looks like POCO is using
> OpenSSL under the hood.
>
>> Since we have only specified the TLSv1.x protocols in the tomcat
>> config I assume the initial hello request is encapsulated in an
>> SSL2 frame by one of the TLSv1.x protocols.
> That's not the exact mechanics, but it's close enough. The problem is
> that the TLS handshake is not compatible with the SSLv2Hello-based
> one. So if the server supports only TLS and the client is expecting to
> be able to initiate an SSLv2Hello, then the client will get an error.
>
>> The purpose of adding TLSv2Hello was to allow this initial hello
>> request.
> Understood.
>
>> If the problem is the java servlet I'd like to correct it to not
>> encapsulate the hello request in an SSLv2/SSLv3 frame. Could this
>> be the problem or is it in the calling client?
> You can't fix the client's behavior by modifying the server.
>
> If you want to use only TLSv1 or later, then the best thing to do
> would be to update the client to only use TLS and not use SSL at all.
>
> On the other hand, SSLv2Hello *should* work from within Tomcat. With a
> fresh Tomcat, if you add "SSLv2Hello" to the sslEnabledProtocols list,
> can you make a connection from a client that supports TLSv1+ and uses
> an SSLv2Hello handshake?
>
> -chris
>
>> On 2016-09-27 23:07, Christopher Schultz wrote: Magnus,
>>
>> On 9/27/16 10:29 AM, Persson, Magnus (SE-TLX) wrote:
>>>>> We started out with tomcat 7.0.35 and got that running with
>>>>> our REST servlet.
>>>>>
>>>>> When we upgraded to tomcat 7.0.63 we got this error when we
>>>>> tried to create a new session:
>>>>>
>>>>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>>>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>>>>> failure" }
>> This is an error message from OpenSSL. Is this the client that is
>> choking, or the server?
>>
>>>>> Through Google we found out that we needed to add
>>>>> "SSLv2Hello" to the enabled protocols so we changed our
>>>>> connector in server.xml like this (only added SSLv2Hello):
>>>>>
>>>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>>>> maxThreads="150" scheme="https" secure="true"
>>>>> keystoreFile="${catalina.base}/conf/keystore"
>>>>> keystorePass="*" clientAuth="false" sslProtocol="TLS"
>>>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
>>>>> URIEncoding="UTF-8" />
>>>>>
>>>>> We upgraded to tomcat 7.0.68 and it works fine with above
>>>>> connector in server.xml
>> Do you absolutely need to accept SSLv2Hello-formatted handshakes?
>> Most of the web has abandoned SSLv3 and below at this point, so
>> SSLv2Hello should no longer be necessary.
>>
>>>>> When we upgraded to tomcat 7.0.70 we got the sslv3 error
>>>>> again even though we have SSLv2Hello in the enabled
>>>>> protocols:
>>>>>
>>>>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>>>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>>>>> failure" }
>>>>>
>>>>> What do we need to change in the server.xml file to bypass
>>>>> the ssl3 error this time?
>> That depends upon where you are actually getting that error.
>>
>> -chris
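
Magnus's remaining to-do above is the Python reference client that still uses SSL23. The following is an added example written for this page, not code from the thread or from Tomcat, POCO or the poster's client; it uses only the standard `ssl` module and assumes a hypothetical hostname `api.example.invalid` for SNI. It builds a client context that can only speak TLS (the client-side fix Chris recommends), captures the ClientHello that context would send without touching the network, and classifies a ClientHello as either the SSLv2-compatible framing that needs "SSLv2Hello" on the server or the TLS record framing that does not. The SSLv2-style sample bytes are constructed here for the classifier.

```python
import ssl

# Added example, not code from the thread. Two things the thread circles
# around: (1) a client context that speaks TLS only, so no SSLv2-compatible
# ClientHello is ever sent, and (2) recognising which of the two ClientHello
# framings a client actually emitted, which decides whether a server without
# "SSLv2Hello" in sslEnabledProtocols will reject it.

ASSUMED_HOSTNAME = "api.example.invalid"  # hypothetical name, used for SNI only


def make_tls_only_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Client context restricted to TLS; PROTOCOL_TLS_CLIENT disables SSLv2/3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum          # refuse anything older than this
    ctx.check_hostname = True              # already implied by the protocol
    ctx.verify_mode = ssl.CERT_REQUIRED    # constant, set explicitly for clarity
    ctx.load_default_certs()               # trust the platform CA bundle
    return ctx


def sslv3_disabled(ctx):
    """True when the context can never fall back to SSLv3."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def capture_client_hello(ctx, server_hostname=ASSUMED_HOSTNAME):
    """Drive the handshake through in-memory BIOs (no network) and return the
    bytes the client would put on the wire first, i.e. its ClientHello."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_side=False,
                          server_hostname=server_hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written and the client now waits for a reply
    return outgoing.read()


def classify_client_hello(data):
    """Tell an SSLv2-compatible hello (2-byte length header with the high bit
    set, then message type 1) from a TLS record-layer hello (0x16, version 3.x,
    then handshake type 1)."""
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "SSLv2-compatible ClientHello"
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "TLS ClientHello (record version 3.%d)" % data[2]
    return "not a ClientHello"


# Constructed sample of the SSLv2-compatible framing an SSLv23-style client
# sends: 0x80|len-hi, len-lo (28 bytes follow), type 1, version 3.1,
# cipher-spec length 3, session-id length 0, challenge length 16,
# one 3-byte cipher spec, then a 16-byte challenge (zeros here).
SSLV2_STYLE_HELLO = (bytes([0x80, 0x1C, 0x01, 0x03, 0x01,
                            0x00, 0x03, 0x00, 0x00, 0x00, 0x10])
                     + bytes([0x00, 0x00, 0x2F]) + b"\x00" * 16)


if __name__ == "__main__":
    ctx = make_tls_only_context()
    print("SSLv3 disabled:", sslv3_disabled(ctx))
    print("this client sends:", classify_client_hello(capture_client_hello(ctx)))
    print("legacy sample is:", classify_client_hello(SSLV2_STYLE_HELLO))
```

The classifier can be pointed at the first bytes of any captured connection: a client that emits the SSLv2-compatible form will fail against a connector that lists only TLSv1.x, while a client built from a context like the one above never produces that form, so the server no longer has to carry "SSLv2Hello" to accommodate it.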

Re: How do deal with 'sslv3 alert handshake failure'?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Magnus,

On 9/28/16 2:20 AM, Persson, Magnus (SE-TLX) wrote:
> The java servlet (in webapps folder) was written by a consultant
> and I have only looked at parts of the source code and don't know
> all that it does.
> 
> The purpose is to give external integrators a way in to our
> software through a REST API. We have made a reference client in
> python that connects, creates a session and can send POST, GET,
> DELETE, etc.

Understood. The implementation of the servlet is largely irrelevant,
since Tomcat is handling the TLS configuration.

> This sample client will get this 'hello' ssl error with tomcat
> versions greater than 7.0.68. I have also tested a client in c++
> that uses the POCO library. Same hello error.

So you are using a C++ client using POCO. It looks like POCO is using
OpenSSL under the hood.

> Since we have only specified the TLSv1.x protocols in the tomcat
> config I assume the initial hello request is encapsulated in an
> SSL2 frame by one of the TLSv1.x protocols.

That's not the exact mechanics, but it's close enough. The problem is
that the TLS handshake is not compatible with the SSLv2Hello-based
one. So if the server supports only TLS and the client is expecting to
be able to initiate an SSLv2Hello, then the client will get an error.

> The purpose of adding TLSv2Hello was to allow this initial hello
> request.

Understood.

> If the problem is the java servlet I'd like to correct it to not 
> encapsulate the hello request in an SSLv2/SSLv3 frame. Could this
> be the problem or is it in the calling client?

You can't fix the client's behavior by modifying the server.

If you want to use only TLSv1 or later, then the best thing to do
would be to update the client to only use TLS and not use SSL at all.

On the other hand, SSLv2Hello *should* work from within Tomcat. With a
fresh Tomcat, if you add "SSLv2Hello" to the sslEnabledProtocols list,
can you make a connection from a client that supports TLSv1+ and uses
an SSLv2Hello handshake?

-chris

> On 2016-09-27 23:07, Christopher Schultz wrote: Magnus,
> 
> On 9/27/16 10:29 AM, Persson, Magnus (SE-TLX) wrote:
>>>> We started out with tomcat 7.0.35 and got that running with
>>>> our REST servlet.
>>>> 
>>>> When we upgraded to tomcat 7.0.63 we got this error when we
>>>> tried to create a new session:
>>>> 
>>>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL 
>>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>>>> failure" }
> This is an error message from OpenSSL. Is this the client that is 
> choking, or the server?
> 
>>>> Through Google we found out that we needed to add
>>>> "SSLv2Hello" to the enabled protocols so we changed our
>>>> connector in server.xml like this (only added SSLv2Hello):
>>>> 
>>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" 
>>>> maxThreads="150" scheme="https" secure="true" 
>>>> keystoreFile="${catalina.base}/conf/keystore"
>>>> keystorePass="*" clientAuth="false" sslProtocol="TLS" 
>>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" 
>>>> URIEncoding="UTF-8" />
>>>> 
>>>> We upgraded to tomcat 7.0.68 and it works fine with above
>>>> connector in server.xml
> Do you absolutely need to accept SSLv2Hello-formatted handshakes?
> Most of the web has abandoned SSLv3 and below at this point, so
> SSLv2Hello should no longer be necessary.
> 
>>>> When we upgraded to tomcat 7.0.70 we got the sslv3 error
>>>> again even though we have SSLv2Hello in the enabled
>>>> protocols:
>>>> 
>>>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL 
>>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>>>> failure" }
>>>> 
>>>> What do we need to change in the server.xml file to bypass
>>>> the ssl3 error this time?
> That depends upon where you are actually getting that error.
> 
> -chris


Re: How do deal with 'sslv3 alert handshake failure'?

Posted by "Persson, Magnus (SE-TLX)" <ma...@assaabloy.com>.
Hi Chris,

The java servlet (in webapps folder) was written by a consultant and I 
have only looked at parts of the source code and don't know all that it 
does.

The purpose is to give external integrators a way in to our software 
through a REST API.
We have made a reference client in python that connects, creates a 
session and can send POST, GET, DELETE, etc.

This sample client will get this 'hello' ssl error with tomcat versions 
greater than 7.0.68.
I have also tested a client in c++ that uses the POCO library. Same 
hello error.

Since we have only specified the TLSv1.x protocols in the tomcat config 
I assume the initial hello request is encapsulated in an SSL2 frame by 
one of the TLSv1.x protocols.
The purpose of adding TLSv2Hello was to allow this initial hello request.

If the problem is the java servlet I'd like to correct it to not 
encapsulate the hello request in an SSLv2/SSLv3 frame. Could this be the 
problem or is it in the calling client?

/Magnus

On 2016-09-27 23:07, Christopher Schultz wrote:
>
> Magnus,
>
> On 9/27/16 10:29 AM, Persson, Magnus (SE-TLX) wrote:
>> We started out with tomcat 7.0.35 and got that running with our
>> REST servlet.
>>
>> When we upgraded to tomcat 7.0.63 we got this error when we tried
>> to create a new session:
>>
>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }
> This is an error message from OpenSSL. Is this the client that is
> choking, or the server?
>
>> Through Google we found out that we needed to add "SSLv2Hello" to
>> the enabled protocols so we changed our connector in server.xml
>> like this (only added SSLv2Hello):
>>
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="150" scheme="https" secure="true"
>> keystoreFile="${catalina.base}/conf/keystore" keystorePass="*"
>> clientAuth="false" sslProtocol="TLS"
>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
>> URIEncoding="UTF-8" />
>>
>> We upgraded to tomcat 7.0.68 and it works fine with above connector
>> in server.xml
> Do you absolutely need to accept SSLv2Hello-formatted handshakes? Most
> of the web has abandoned SSLv3 and below at this point, so SSLv2Hello
> should no longer be necessary.
>
>> When we upgraded to tomcat 7.0.70 we got the sslv3 error again even
>> though we have SSLv2Hello in the enabled protocols:
>>
>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }
>>
>> What do we need to change in the server.xml file to bypass the ssl3
>> error this time?
> That depends upon where you are actually getting that error.
>
> -chris

Re: How do deal with 'sslv3 alert handshake failure'?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Magnus,

On 9/27/16 10:29 AM, Persson, Magnus (SE-TLX) wrote:
> We started out with tomcat 7.0.35 and got that running with our
> REST servlet.
> 
> When we upgraded to tomcat 7.0.63 we got this error when we tried
> to create a new session:
> 
> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL 
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }

This is an error message from OpenSSL. Is this the client that is
choking, or the server?

> Through Google we found out that we needed to add "SSLv2Hello" to
> the enabled protocols so we changed our connector in server.xml
> like this (only added SSLv2Hello):
> 
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" 
> maxThreads="150" scheme="https" secure="true" 
> keystoreFile="${catalina.base}/conf/keystore" keystorePass="*"
> clientAuth="false" sslProtocol="TLS" 
> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" 
> URIEncoding="UTF-8" />
> 
> We upgraded to tomcat 7.0.68 and it works fine with above connector
> in server.xml

Do you absolutely need to accept SSLv2Hello-formatted handshakes? Most
of the web has abandoned SSLv3 and below at this point, so SSLv2Hello
should no longer be necessary.

> When we upgraded to tomcat 7.0.70 we got the sslv3 error again even
> though we have SSLv2Hello in the enabled protocols:
> 
> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL 
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }
> 
> What do we need to change in the server.xml file to bypass the ssl3
> error this time?

That depends upon where you are actually getting that error.

-chris


Re: How do deal with 'sslv3 alert handshake failure'?

Posted by "Persson, Magnus (SE-TLX)" <ma...@assaabloy.com>.
Well...we have not specified SSLv2 or SSLv3 so the initial HELLO must 
come from TLSv1.x that encapsulates it in an SSLv2 frame.
The whole purpose of enabling the "SSLv2Hello" protocol was to allow 
the initial encapsulated hello frame.
However, with tomcat versions greater than 7.0.68 this is no longer 
possible. I do not know how to solve it.

We did not create the webapp (java servlet) in-house so I do not know if 
the problem is the app or the calling client.
I assume it is the webapp though. I have tried connecting with a simple 
client written in python (protocols are not specified) and a C++ client 
that uses the POCO library for the https REST requests.
Both clients receive the SSL23_GET_SERVER_HELLO:sslv3 error.

On 2016-09-27 16:46, Jose María Zaragoza wrote:
> 2016-09-27 16:29 GMT+02:00 Persson, Magnus (SE-TLX)
> <ma...@assaabloy.com>:
>> Hi,
>>
>> We started out with tomcat 7.0.35 and got that running with our REST
>> servlet.
>>
>> When we upgraded to tomcat 7.0.63 we got this error when we tried to
>> create a new session:
>>
>> {
>>       "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"
>> }
>>
>> Through Google we found out that we needed to add "SSLv2Hello" to the
>> enabled protocols so we changed our connector in server.xml like this
>> (only added SSLv2Hello):
>>
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>                  maxThreads="150" scheme="https" secure="true"
>>                  keystoreFile="${catalina.base}/conf/keystore"
>>                  keystorePass="*" clientAuth="false"
>>                  sslProtocol="TLS"
>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
>>                  URIEncoding="UTF-8" />
>>
>> We upgraded to tomcat 7.0.68 and it works fine with above connector in
>> server.xml
>>
>> When we upgraded to tomcat 7.0.70 we got the sslv3 error again even
>> though we have SSLv2Hello in the enabled protocols:
>>
>> {
>>       "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"
>> }
>>
>> What do we need to change in the server.xml file to bypass the ssl3
>> error this time?
> Hello:
>
>
> I'm not sure but you can try these options:
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames
>
>
> Note that SSLv2 and SSLv3 are inherently unsafe.
>

Re: How do deal with 'sslv3 alert handshake failure'?

Posted by Jose María Zaragoza <de...@gmail.com>.
2016-09-27 16:29 GMT+02:00 Persson, Magnus (SE-TLX)
<ma...@assaabloy.com>:
> Hi,
>
> We started out with tomcat 7.0.35 and got that running with our REST
> servlet.
>
> When we upgraded to tomcat 7.0.63 we got this error when we tried to
> create a new session:
>
> {
>      "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"
> }
>
> Through Google we found out that we needed to add "SSLv2Hello" to the
> enabled protocols so we changed our connector in server.xml like this
> (only added SSLv2Hello):
>
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                 maxThreads="150" scheme="https" secure="true"
>                 keystoreFile="${catalina.base}/conf/keystore"
>                 keystorePass="*" clientAuth="false"
>                 sslProtocol="TLS"
> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
>                 URIEncoding="UTF-8" />
>
> We upgraded to tomcat 7.0.68 and it works fine with above connector in
> server.xml
>
> When we upgraded to tomcat 7.0.70 we got the sslv3 error again even
> though we have SSLv2Hello in the enabled protocols:
>
> {
>      "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"
> }
>
> What do we need to change in the server.xml file to bypass the ssl3
> error this time?

Hello:


I'm not sure but you can try these options:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames


Note that SSLv2 and SSLv3 are inherently unsafe.

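
Chris asks whether SSLv2Hello is still needed at all, and Jose points to the JSSE standard protocol names. The following is an added example, not the poster's server.xml and not Tomcat's own code: a small audit over a constructed server.xml (its first connector is the one posted in the thread, the other two are made up here for contrast) that lists each SSL-enabled Connector's sslEnabledProtocols, flags SSL-era names and deprecated TLS versions, and suggests the list with the SSL-era entries dropped, which is the configuration the thread ends on.

```python
import xml.etree.ElementTree as ET

# Added example, not the poster's server.xml or any Tomcat code. It audits the
# sslEnabledProtocols attribute of every SSL-enabled <Connector> so that an
# SSL-era name such as "SSLv2Hello" or "SSLv3" does not survive an upgrade
# unnoticed. Protocol names are the JSSE standard names the thread links to.

# Constructed sample: the first connector is the one posted in the thread,
# the other two are added here for contrast.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="${catalina.base}/conf/keystore"
               keystorePass="*" clientAuth="false"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
               URIEncoding="UTF-8" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

SSL_ERA = {"SSLv2", "SSLv3", "SSLv2Hello"}   # handshake formats to retire
DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}        # deprecated by RFC 8996


def audit_connectors(server_xml):
    """Return one (port, protocols, issues) tuple per SSL-enabled connector."""
    root = ET.fromstring(server_xml)
    report = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue                          # plain HTTP, nothing to check
        raw = conn.get("sslEnabledProtocols", "")
        protocols = [p.strip() for p in raw.split(",") if p.strip()]
        issues = []
        if not protocols:
            issues.append("sslEnabledProtocols unset; the JSSE default applies")
        for proto in protocols:
            if proto in SSL_ERA:
                issues.append(f"{proto} enabled: SSL-era handshake, remove it")
            elif proto in DEPRECATED_TLS:
                issues.append(f"{proto} enabled: deprecated, keep only while a client still needs it")
        report.append((conn.get("port"), protocols, issues))
    return report


def clean_protocol_list(protocols):
    """Same list with the SSL-era names dropped, the fix the thread converges on."""
    return [p for p in protocols if p not in SSL_ERA]


if __name__ == "__main__":
    for port, protocols, issues in audit_connectors(SAMPLE_SERVER_XML):
        state = "OK" if not issues else "; ".join(issues)
        print(f"port {port}: {','.join(protocols)} -> {state}")
        if issues:
            fixed = ",".join(clean_protocol_list(protocols))
            print(f'  suggested sslEnabledProtocols="{fixed}"')
```

Run against a real server.xml by reading the file into `audit_connectors`; a connector that still lists SSLv2Hello after an upgrade is exactly the case the thread hit, and dropping it is safe once every client sends a TLS-framed ClientHello.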