Posted to users@tomcat.apache.org by Jesse Barnum <js...@360works.com> on 2013/08/24 18:10:35 UTC

APR connector does not work with SSL for Java 6 clients?

I am trying to use SSL with Tomcat and an APR connector. This is hosted on Ubuntu 13.04. I can make changes to the server, but not to the existing Java client.

For some reason, whenever a Java 6 client connects to the Tomcat server using SSL, it is not able to connect - the connection is reset by the server. However, the exact same Java code can connect to the same server on a different port hosted by Apache with SSL. In addition, non-Java code (like curl) can connect to the Tomcat SSL connection. I also tested with Java 7 and it works.

I have gotten this to work in Java 6 by forcing the Java client to use the TLSv1 protocol (-Dhttps.protocols=TLSv1). However, this is not a practical solution, because I cannot release an update at this time for our Java clients.

Since this works with Apache on the server, it seems to me that I should be able to make some sort of configuration change on the server to also work with Tomcat, without needing to change the Java clients.

In summary:
* Java 6 connecting to Tomcat APR with SSL = FAIL
* Java 7 connecting to Tomcat APR with SSL = good
* curl connecting to Tomcat APR with SSL = good

* Java 6 connecting to Apache SSL = good
* Java 7 connecting to Apache SSL = good
* curl connecting to Apache SSL = good

Here is some example Java code that illustrates the problem. The problem only occurs when running in Java 6.

   import java.io.IOException;
   import java.net.URL;

   public class SSLConnectTest {
   	public static void main(String[] args) throws Exception {
   		// Full JSSE tracing, so the handshake (including the ClientHello format) is printed
   		System.setProperty( "javax.net.debug", "all" );
   		
   		testConnection( "https://secure2.360works.com" ); //Apache running SSL. This works.
   		testConnection( "https://secure2.360works.com:8443/" ); //Tomcat running SSL and APR. This fails.
   	}

   	// Opens an HTTPS connection (which triggers the TLS handshake) and closes it again
   	private static void testConnection( String urlString ) throws IOException {
   		new URL( urlString ).openStream().close();
   	}
   }

Here is what happens in the SSL handshake:

   trigger seeding of SecureRandom
   done seeding SecureRandom
   Allow unsafe renegotiation: false
   Allow legacy hello messages: true
   Is initial handshake: true
   Is secure renegotiation: false
   %% No cached client session
   *** ClientHello, TLSv1
   RandomCookie:  GMT: 1377233856 bytes = { 69, 128, 29, 114, 252, 186, 13, 192, 212, 243, 179, 208, 124, 196, 220, 137, 23, 124, 30, 226, 98, 148, 243, 6, 188, 230, 109, 119 }
   Session ID:  {}
   Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
   Compression Methods:  { 0 }
   ***
   main, WRITE: TLSv1 Handshake, length = 81
   main, WRITE: SSLv2 client hello message, length = 110
   main, handling exception: java.net.SocketException: Connection reset
   main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
   main, WRITE: TLSv1 Alert, length = 2
   main, Exception sending alert: java.net.SocketException: Broken pipe
   main, called closeSocket()
   Disconnected from the target VM, address: '127.0.0.1:62146', transport: 'socket'
   Exception in thread "main" java.net.SocketException: Connection reset
   	at java.net.SocketInputStream.read(SocketInputStream.java:168)
   	at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:422)
   	at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:460)
   	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
   	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
   	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
   	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
   	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
   	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
   	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
   	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
   	at java.net.URL.openStream(URL.java:1010)
   	at com.prosc.license.client.network.SSLConnectTest.testConnection(SSLConnectTest.java:22)
   	at com.prosc.license.client.network.SSLConnectTest.main(SSLConnectTest.java:18)

Here is the connector configuration in server.xml. I'm hoping that some change here will fix the problem:

   <Connector port="8443" SSLEnabled="true"
   maxThreads="150" scheme="https" secure="true"
   sslProtocol="SSLv2+TLSv1+SSLv3"
   SSLHonorCipherOrder="true"
   protocol="org.apache.coyote.http11.Http11AprProtocol"
   clientAuth="false" SSLCertificateFile="/etc/apache2/ssl.crt/secure2.360works.com.crt"
   SSLCertificateKeyFile="/etc/apache2/ssl.crt/secure2.360works.com.key"
   SSLCertificateChainFile="/etc/apache2/ssl.crt/secure2.360works.com.chcrt" />

--Jesse Barnum, President, 360Works
http://www.360works.com
Product updates and news on http://facebook.com/360Works
(770) 234-9293
== Don't lose your data! http://360works.com/safetynet/ for FileMaker Server ==


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: APR connector does not work with SSL for Java 6 clients?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jesse,

On 8/25/13 1:08 PM, Jesse Barnum wrote:
> On Aug 25, 2013, at 9:58 AM, Michael-O <19...@gmx.net> wrote:
> 
>> 1. Did you configure mod_ssl and APR Connector the same way?
> I'm not sure how to make sure that they are configured
> identically. The syntax in server.xml is not identical to the
> syntax in apache2.conf. For example, in Apache's ssl.conf file, the
> directive: SSLProtocol all -SSLv2
> 
> Does not work the same way in server.xml. In my connector element,
> I tried setting an attribute SSLProtocol="all -SSLv2", but that 
> wouldn't parse at startup. I've tried SSLProtocol="TLSv1+SSLv3"
> and SSLProtocol="ALL", and they all fail with a connection reset
> message on the client. I also tried setting
> SSLCipherSuite="HIGH:!ADH" as you recommended, as well as
> "HIGH:MEDIUM:!aNULL:!MD5" which is the way I have it in Apache (the
> default value), but that didn't make any difference.

Try posting both your httpd.conf and server.xml configurations (i.e. the
relevant stuff, not the whole thing).

You might want to review
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html --
specifically the "SSLProtocol" attribute which lists the acceptable
values. Hint: your attempts above are not supported.

-chris



Re: APR connector does not work with SSL for Java 6 clients?

Posted by Jesse Barnum <js...@360works.com>.
On Aug 25, 2013, at 9:58 AM, Michael-O <19...@gmx.net> wrote:

> 1. Did you configure mod_ssl and APR Connector the same way?
I'm not sure how to make sure that they are configured identically. The syntax in server.xml is not identical to the syntax in apache2.conf. For example, in Apache's ssl.conf file, the directive: 
SSLProtocol all -SSLv2

Does not work the same way in server.xml. In my connector element, I tried setting an attribute SSLProtocol="all -SSLv2", but that wouldn't parse at startup. I've tried SSLProtocol="TLSv1+SSLv3" and SSLProtocol="ALL", and they all fail with a connection reset message on the client. I also tried setting SSLCipherSuite="HIGH:!ADH" as you recommended, as well as "HIGH:MEDIUM:!aNULL:!MD5" which is the way I have it in Apache (the default value), but that didn't make any difference.



> 2. Did you inspect the traffic with Wireshark? Helps me a lot.
I haven't used Wireshark, although I have called 'System.setProperty( "javax.net.debug", "all" )' which seems to give the same results in the Java console.

> 
> Maybe you are running in a cipher mismatch too. What we do use is "TLSv1" and "HIGH:!ADH". Everything below TLSv1 is outdated and insecure. Though TLSv1 is (very) old too, it is the best match at the moment.
> 
> Michael


Re: APR connector does not work with SSL for Java 6 clients?

Posted by Michael-O <19...@gmx.net>.
On 2013-08-25 14:21, Jesse Barnum wrote:
> How come Java 6 can connect to SSL running on Apache without this
> setting, but not to Tomcat running APR/SSL?
>
> On Aug 24, 2013, at 12:15 PM, Michael-O <19...@gmx.net> wrote:
>
>> I had this problem months ago too. APR Connector is fine. The
>> problem with Java 6 is that the URLConnection -- JSSE -- sends an
>> SSLv2Hello and this breaks everything. I have restricted this for
>> Java 6 clients at work. Java 7 does not suffer from this because
>> this is disabled by default.

First, do not top-post please.

1. Did you configure mod_ssl and APR Connector the same way?
2. Did you inspect the traffic with Wireshark? Helps me a lot.

Maybe you are running in a cipher mismatch too. What we do use is 
"TLSv1" and "HIGH:!ADH". Everything below TLSv1 is outdated and 
insecure. Though TLSv1 is (very) old too, it is the best match at the 
moment.

Michael




Re: APR connector does not work with SSL for Java 6 clients?

Posted by Jesse Barnum <js...@360works.com>.
How come Java 6 can connect to SSL running on Apache without this setting, but not to Tomcat running APR/SSL?

On Aug 24, 2013, at 12:15 PM, Michael-O <19...@gmx.net> wrote:

> I had this problem months ago too. APR Connector is fine. The problem with Java 6 is that the URLConnection -- JSSE -- sends an SSLv2Hello and this breaks everything. I have restricted this for Java 6 clients at work. Java 7 does not suffer from this because this is disabled by default.


Re: APR connector does not work with SSL for Java 6 clients?

Posted by Michael-O <19...@gmx.net>.
On 2013-08-24 18:10, Jesse Barnum wrote:
> I am trying to use SSL with Tomcat and an APR connector. This is
> hosted on Ubuntu 13.04. I can make changes to the server, but not to
> the existing Java client.
>
> For some reason, whenever a Java 6 client connects to the Tomcat
> server using SSL, it is not able to connect - the connection is reset
> by the server. However, the exact same Java code can connect to the
> same server on a different port hosted by Apache with SSL. In
> addition, non-Java code (like curl) can connect to the Tomcat SSL
> connection. I also tested with Java 7 and it works.
>
> I have gotten this to work in Java 6 by forcing the Java client to
> use the TLSv1 protocol (-Dhttps.protocols=TLSv1). However, this is
> not a practical solution, because I cannot release an update at this
> time for our Java clients.
>
> Since this works with Apache on the server, it seems to me that I
> should be able to make some sort of configuration change on the
> server to also work with Tomcat, without needing to change the Java
> clients.
>
> In summary:
> * Java 6 connecting to Tomcat APR with SSL = FAIL
> * Java 7 connecting to Tomcat APR with SSL = good
> * curl connecting to Tomcat APR with SSL = good
>
> * Java 6 connecting to Apache SSL = good
> * Java 7 connecting to Apache SSL = good
> * curl connecting to Apache SSL = good [...]


I had this problem months ago too. APR Connector is fine. The problem 
with Java 6 is that the URLConnection -- JSSE -- sends an SSLv2Hello and 
this breaks everything. I have restricted this for Java 6 clients at 
work. Java 7 does not suffer from this because this is disabled by default.

Michael
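Michael's explanation above is that the Java 6 JSSE client opens with an SSLv2-framed ClientHello instead of a TLS record, which matches the "WRITE: SSLv2 client hello message" line in Jesse's trace. Added here as a diagnostic example (not code from the thread or from Tomcat): a small Python parser that classifies the first bytes a client sends, as you would see them in the Wireshark capture Michael suggests, as SSLv2-framed or TLS-record-framed and reports the advertised version and cipher suites. The two sample hellos are constructed inline, not captured from the servers discussed.

```python
import struct

def parse_client_hello(data: bytes) -> dict:
    """Classify a client's first record as an SSLv2-framed ClientHello (what JSSE's
    "SSLv2Hello" emits) or a TLS record-layer ClientHello; report version and suites."""
    if len(data) < 5:
        raise ValueError("record too short")
    if data[0] == 0x16:                        # TLS record, content type Handshake
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) < 6 or body[0] != 0x01:   # handshake type ClientHello
            raise ValueError("not a ClientHello handshake message")
        version = (body[4], body[5])
        pos = 6 + 32                           # skip client_version + 32-byte random
        pos += 1 + body[pos]                   # skip session_id (length-prefixed)
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        suites = body[pos + 2:pos + 2 + cs_len]
        return {"framing": "tls_record", "version": version,
                "suites": [suites[i:i + 2].hex() for i in range(0, cs_len, 2)]}
    if data[0] & 0x80:                         # SSLv2 two-byte record header
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + rec_len]
        if len(body) < 9 or body[0] != 0x01:   # SSLv2 CLIENT-HELLO message type
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        version = (body[1], body[2])           # e.g. (3, 1) = TLSv1 offered inside SSLv2 framing
        cs_len, sid_len, ch_len = struct.unpack("!HHH", body[3:9])
        specs = body[9:9 + cs_len]             # SSLv2 cipher specs are 3 bytes each
        return {"framing": "sslv2_hello", "version": version,
                "suites": [specs[i:i + 3].hex() for i in range(0, cs_len, 3)]}
    raise ValueError("first byte 0x%02x is neither a TLS nor an SSLv2 record" % data[0])

# Constructed sample hellos (not captured from the servers in the thread).
def sslv2_compat_hello(version=(3, 1), suites=(b"\x00\x00\x2f", b"\x00\x00\x0a")):
    """SSLv2-framed ClientHello that advertises a TLS version, the Java 6 style."""
    challenge = b"\x11" * 16
    body = bytes([0x01, *version]) + struct.pack("!HHH", len(b"".join(suites)), 0, len(challenge))
    body += b"".join(suites) + challenge
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

def tls_record_hello(version=(3, 1), suites=(b"\x00\x2f", b"\x00\x0a")):
    """Plain TLS record-layer ClientHello with an empty session id."""
    cs = b"".join(suites)
    hs = bytes(version) + b"\x22" * 32 + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for sample in (sslv2_compat_hello(), tls_record_hello()):
        print(parse_client_hello(sample))
```

Feed it the first TCP payload bytes of a failing connection: a result of "sslv2_hello" with version (3, 1) is exactly the Java 6 behaviour described above, and a server that closes the connection right after such a record is rejecting the framing, not the TLS version inside it.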
