Deepankumar R

Reputation: 31

"SSL23_GET_SERVER_HELLO:unknown protocol" After server upgrade

Recently we built a new Windows 2012 server with Tomcat 7.0.57 and Java version "1.8.0_45".

I am getting the error below when connecting from an OpenSSL client, but it works perfectly from IE.

New server:

OpenSSL> s_client -connect xxx.xxx.xxx.xxx:443
Loading 'screen' into random state - done
CONNECTED(00000130)
5724:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s
23_clnt.c:601:
OpenSSL>

Old server: (connecting fine)

OpenSSL> s_client -connect yyy.yyy.yyy.yyy:443
Loading 'screen' into random state - done
CONNECTED(00000114)
depth=1 /C=XX/O=YYYY CA1
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
.........
SSL handshake has read 3064 bytes and written 282 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
.......

Can anyone tell me why it is behaving like this?

New Server: Windows 2012 R2 / java version "1.8.0_45"/ Tomcat 7.0.57

Old Server: Windows 2003 / java version "1.6.0_31"/ Tomcat 6.0

Client: Windows 7 / Java 1.7.0_75

Upvotes: 0

Views: 2725

Answers (1)

Christopher Schultz

Reputation: 20862

Both Java 1.8 and Tomcat 7.0.57 and later disable SSLv3 by default, Java 1.8 disabled SSLv2Hello by default, and OpenSSL uses SSLv2Hello and SSLv3 by default, so there is a protocol mismatch and the two sides can't properly complete the SSL/TLS handshake.

If you want to connect from OpenSSL s_client, use the -tls1 switch (or -tls1_1, etc.) and you should be able to connect.

If you want to re-enable SSLv3 in Tomcat, read the Configuration section of the Tomcat Users' Guide, specifically about the sslEnabledProtocols and sslProtocol attributes.

EDIT 2015-10-19 16:40 America/New_York

The above applies to Java-based connectors, which use the JVM's built-in JSSE for cryptography. If you use the native APR-based connector, OpenSSL will be used. The default behavior of OpenSSL will depend upon the version you have installed; as more recent versions have been released, the default protocols have been revised.

You can always use Tomcat's configuration to enable any protocol, as long as the underlying library (JSSE or OpenSSL) supports the protocol.

OpenSSL will use the exact protocol-specific handshake if you pick a single supported protocol (e.g. TLSv1 -> TLSv1 handshake, TLSv1.1 -> TLSv1.1 handshake, etc.) but will use SSLv2Hello if you have more than one protocol enabled (e.g. SSLProtocol="TLSv1+TLSv1.1"). This is documented under the SSLProtocol attribute for Tomcat's HTTP connector.

If you are unsure, be very specific with your enabled protocols (regardless of connector type), and always test with a reputable test suite to determine which protocols are being properly supported.

Upvotes: 2
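To make the negotiation point concrete, here is an added example (not code from the question or the answer) that does what `s_client -tls1` does: it frames a ClientHello pinned to a single protocol version, with no SSLv2-compatible header, and classifies the first record the server sends back. The three sample responses are constructed inline; `probe()` is the same logic over a real socket for testing your own server's enabled protocols.

```python
"""Version-pinned ClientHello builder and server-response classifier.
Added example for this thread; sample server responses below are constructed."""
import os
import struct

TLS_VERSIONS = {"SSLv3": 0x0300, "TLSv1": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
HANDSHAKE, ALERT = 0x16, 0x15          # TLS record content types


def build_client_hello(version: int, cipher_suites=(0x002F, 0x0035, 0x000A)) -> bytes:
    """Minimal TLS-record-framed ClientHello for exactly one version (no extensions).
    Record version and client_version agree, so the server never sees an SSLv2Hello."""
    body = struct.pack("!H", version) + os.urandom(32)      # client_version + random
    body += b"\x00"                                         # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                     # compression_methods: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=1, 3-byte length
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the server's first bytes: ServerHello (with chosen version), alert, or not TLS."""
    if len(data) < 5:
        return "no-data"
    ctype, _rec_version, _length = struct.unpack("!BHH", data[:5])
    if ctype == HANDSHAKE and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        chosen = struct.unpack("!H", data[9:11])[0]
        name = next((n for n, v in TLS_VERSIONS.items() if v == chosen), hex(chosen))
        return f"server-hello:{name}"
    if ctype == ALERT and len(data) >= 7:
        level, desc = data[5], data[6]                      # 70 = protocol_version, 40 = handshake_failure
        return f"alert:{'fatal' if level == 2 else 'warning'}:{desc}"
    return "unknown-protocol"   # first bytes are not an SSL/TLS record; s_client reports 'unknown protocol'


def probe(host: str, port: int, version_name: str, timeout: float = 5.0) -> str:
    """Send one pinned ClientHello to a server you administer and classify its reply."""
    import socket
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(TLS_VERSIONS[version_name]))
        return classify_response(sock.recv(4096))


# Constructed sample replies: a TLSv1.2 ServerHello, a fatal protocol_version alert, plain HTTP.
SAMPLE_SERVER_HELLO = bytes.fromhex("160301002a020000260303") + bytes(32) + b"\x00\x00\x2f\x00"
SAMPLE_ALERT = bytes.fromhex("15030100020246")
SAMPLE_PLAINTEXT = b"HTTP/1.1 400 Bad Request\r\n"
```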
