I am trying to disable SSL on my Tomcat and send a request to my app on the TLS port, but I am getting the following error:

```
Failure in POSTing request to Manager: [SSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]
```

Configuration I am using in server.xml is:

```xml
<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true"
            clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="/opt/certs/server.keystore" keystorePass="123456"
            truststoreFile="/opt/certs/server.truststore" truststorePass="123456"/>
```

Can anyone please tell me how I should run this on TLS?

The POST request would be URL-encoded and would look somewhat like this after decoding: `https://:port//DataManager?a='1'?b='4'`

The problem is that it works on SSLv3 but not on TLS. My question is: do I need to add something extra on the client side (Apache), which is on HTTP and sending requests to the server (Tomcat), which is on HTTPS?

Result of running the command for checking TLSv1:

```
SSL handshake has read 2202 bytes and written 294 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 552BF0C890C7DEEDE02A2B1FB3FE7659DCD753C4458814A8104FF4EC8EEE65C5
    Session-ID-ctx:
    Master-Key: 2C482E9C0BEBF40CDDA378868A077391A387C94DA55ABC9997D1BB5139A1077D83364EED94DBE799CC82E8D46BC5FECB
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1428943048
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
read from 0x83a0798 [0x83a7293] (5 bytes => 5 (0x5))
0000 - 15 03 01 00 18                                    .....
read from 0x83a0798 [0x83a7298] (24 bytes => 24 (0x18))
0000 - 87 53 37 c9 d2 5d 44 6b-94 c3 80 bd 17 3e 31 39   .S7..]Dk.....>19
0010 - 53 ac 52 bc e0 3b 53 89-                          S.R..;S.
closed
write to 0x83a0798 [0x83ab7e3] (29 bytes => 29 (0x1D))
0000 - 15 03 01 00 18 49 10 83-df 10 45 43 d5 9a 39 8f   .....I....EC..9.
0010 - de df ec 3d 8c 68 76 0f-67 ca a5 79 91            ...=.hv.g..y.
```
mahan07
  • Please post the exact URL you are using to connect to the server, and post the output of `openssl s_client -connect : -tls1 -servername -debug`. Do so by adding it to your question by clicking *Edit* (and don't post it as a comment). Otherwise, there's not enough information to help troubleshoot it. – jww Apr 13 '15 at 16:35
  • Thanks jww, please find my edited text and please let me know your suggestions. I have been stuck with this since yesterday. – mahan07 Apr 13 '15 at 17:06
  • What is the servername and the URL you are using to connect to it? – jww Apr 13 '15 at 21:14
  • Hi jww, that problem is resolved; we have hardcoded this stuff on the client side. If I want to support TLSv1, TLSv1.1 and TLSv1.2, how would I support them? Is it only through the SSLv23 method or some other way, because with SSLv23 I again have to set options to disable SSLv3, like this: `SSL_CTX_set_options(cctx, SSL_OP_NO_SSLv3)` – mahan07 Apr 21 '15 at 15:46

1 Answer

```
SSL-Session:
  Protocol  : TLSv1
```

As you can see, it uses TLSv1 successfully.

```
Failure in POSTing request to State Manager: [SSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]
```

Don't let the SSL3_GET_RECORD confuse you. Since the record formats are the same or similar, functions with a name containing SSL3 also get used to process TLS data. It is not clear from your question what is really going on, but you might get this kind of message too if your application tries to do a TLSv12-only request against a server not supporting TLSv12.

Steffen Ullrich
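
A record-header decoder for the bytes shown in the question's `-debug` dump, added here as an example; it is not part of the original question or answer and is not OpenSSL's code. The `diagnose` function is a simplified, assumed model of a record-layer version check, and the plaintext and TLSv1.2 sample bytes are constructed.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def parse_record_header(data):
    """Decode the 5-byte record header: content type, version, length."""
    if len(data) < 5:
        raise ValueError("a record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": CONTENT_TYPES.get(ctype, "unknown"),
            "version": (major, minor),
            "name": VERSIONS.get((major, minor), "unknown"),
            "length": length}


def diagnose(data, negotiated=None):
    """Simplified model of a record-layer version check.

    Assumption for illustration; this is not OpenSSL's source.
    negotiated is the (major, minor) agreed in the handshake, if any.
    """
    hdr = parse_record_header(data)
    major, _ = hdr["version"]
    if major != 3:
        if all(32 <= b < 127 for b in data[:5]):
            return "wrong version number: peer sent plaintext, not SSL/TLS"
        return "wrong version number: major version %d" % major
    if negotiated is not None and hdr["version"] != negotiated:
        return "wrong version number: record is %s, session is %s" % (
            hdr["name"], VERSIONS.get(negotiated, "unknown"))
    return "ok: %s %s record, %d bytes" % (hdr["name"], hdr["type"], hdr["length"])


# Header bytes taken from the -debug dump in the question.
PAGE_ALERT = bytes.fromhex("1503010018")
# Constructed samples (not from the page).
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\n"
TLS12_RECORD = bytes.fromhex("1603030002")

if __name__ == "__main__":
    print(diagnose(PAGE_ALERT, negotiated=(3, 1)))
    print(diagnose(PLAINTEXT_REPLY))
    print(diagnose(TLS12_RECORD, negotiated=(3, 1)))
```

The same `03 xx` version bytes appear in SSLv3 and every TLS 1.x record header, which is why one record-reading routine can serve all of them.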