java - "SSL23_GET_SERVER_HELLO:unknown protocol" After server upgrade -

-

recently build new windows 2012 server, tomcat 7.0.57 , java version "1.8.0_45".

i getting below error, when connecting client openssl. working ie.

new server:

openssl> s_client -connect xxx.xxx.xxx.xxx:443 loading 'screen' random state - done connected(00000130) 5724:error:140770fc:ssl routines:ssl23_get_server_hello:unknown protocol:.\ssl\s 23_clnt.c:601: openssl>

old server: (connecting fine)

openssl> s_client -connect yyy.yyy.yyy.yyy:443 loading 'screen' random state - done connected(00000114) depth=1 /c=xx/o=yyyy ca1 verify error:num=19:self signed certificate in certificate chain verify return:0 --- certificate chain ......... ssl handshake has read 3064 bytes , written 282 bytes --- new, tlsv1/sslv3, cipher edh-rsa-des-cbc3-sha server public key 2048 bit compression: none expansion: none ssl-session:     protocol  : tlsv1 cipher    : edh-rsa-des-cbc3-sha .......

can 1 tell why behaving this??

new server: windows 2012 r2 / java version "1.8.0_45"/ tomcat 7.0.57

old server: windows 2003 / java version "1.6.0_31"/ tomcat 6.0

client: windows 7 / java 1.7.0_75

both java 1.8 , tomcat 7.0.57 , later disable sslv3 default, java 1.8 disabled sslv2hello default, , openssl uses sslv2hello , sslv3 default, there protocol mismatch , 2 sides can't complete ssl/tls handshake.

if want connect openssl s_client, use -tls1 switch (or -tls1_1, etc.) , should able connect.

if want re-enable sslv3 in tomcat, read configuration section of tomcat users' guide, sslenabledprotocols , sslprotocol attributes.

edit 2015-10-19 16:40 america/new_york

the above applies java-based connectors, use jvm's built-in jsse cryptography. if use native apr-base connector, openssl used. default behavior of openssl depend upon version have installed... more recent versions have been released, default protocols have been revised.

you can use tomcat's configuration enable protocol, long underlying library (jsse or openssl) supports protocol.

openssl use exact protocol-specific handshake if pick single supported protocol (e.g. tlsv1 -> tlsv1 handshake, tlsv1.1 -> tlsv1.1 handshake, etc.) use sslv2hello if have more 1 protocol enabled (e.g. sslprotocol="tlsv1+tlsv1.1"). documented under sslprotocol attribute tomcat's http connector.

if unsure, specific enabled protocols (regardless of connector type), , test reputable test suite determine protocols being properly-supported.


Comments

Post a Comment

Popular posts from this blog

javascript - Chart.js (Radar Chart) different scaleLineColor for each scaleLine -

-
Image
i try , create radar chart using chart.js has various colours each scaleline, or coloured between scalelines. wondering if possible? from: to: i have working graph, though there doesn't seem method change individual scale lines. kind regards leigh you can extend radar chart type this, so chart.types.radar.extend({ name: "radaralt", initialize: function (data) { chart.types.radar.prototype.initialize.apply(this, arguments); var originalscaledraw = this.scale.draw; var ctx = this.chart.ctx; this.scale.draw = function () { var linewidth = this.linewidth; // bypasses line drawing in originalscaledraw this.linewidth = linewidth; originalscaledraw.apply(this, arguments); ctx.linewidth = this.linewidth; var scale = this; // draw chart.helpers.each(scale.ylabels, function (label, index) { // color of ...
Read more

apache - Error with PHP mail(): Multiple or malformed newlines found in additional_header -

-
suddenly have started receiving above error without changes having been made script. host 1and1 (i know...) the script still works fine on different server, , suspicion there must have been server config change has lead this, although hosts plead ignorance. there's no information on above error @ in google can find - have ideas? server running apache if helps. had similar problem. came out of blue. no php code changed. what changed: php upgraded 5.5.25-1 5.5.26. a security risk in php mail() function has been fixed , newlines in additional_headers allowed no more. because newlines mean: starts email message (and surely don't want inject newlines through headers followed evil message). what have worked fine, e.g. having newlines after headers or passing whole message additional_headers , function no more. solution : sanitize headers. no multiple newlines in additional_headers argument. these count "multiple or malformed newlines":...
Read more

java - Android – MapFragment overlay button shadow, just like MyLocation button -

-
Image
i'm struggling add shadow custom overlay button on google map. goal make custom button google's mylocation button. here's how app looks now: layout.xml <relativelayout xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools" xmlns:map="http://schemas.android.com/apk/res-auto" android:layout_height="match_parent" android:layout_width="match_parent" style="@style/apptheme"> <fragment android:layout_width="match_parent" android:layout_height="match_parent" android:id="@+id/map" tools:context=".mapsactivity" android:name="com.google.android.gms.maps.supportmapfragment" android:layout_alignparentend="true" android:layout_alignparentstart="true" android:layout_alignparentbottom="true" ...
Read more