SSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number error when disabling ssl and enabling TLS

mahan07 · Apr 13, 2015 · Viewed 31.3k times

I am trying to disable SSL on my Tomcat and trying to send a request for my app on the TLS port, but I am getting the following error:

Failure in POSTing request to Manager: [SSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]

Configuration I am using in server.xml is:

<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true"
            clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="/opt/certs/server.keystore" keystorePass="123456"
            truststoreFile="/opt/certs/server.truststore" truststorePass="123456"/>

Can anyone please tell me how I should run this on TLS?

The POST request would be URL-encoded and would be somewhat like this after decoding: https://:port//DataManager?a='1'?b='4'

The problem is that it is working on SSLv3 but not on TLS. My question is: do I need to add something extra on the client side (Apache), which is on HTTP and sending the request to the server (Tomcat), which is on HTTPS?

Result of running the command for checking TLSv1:

SSL handshake has read 2202 bytes and written 294 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 552BF0C890C7DEEDE02A2B1FB3FE7659DCD753C4458814A8104FF4EC8EEE65C5
    Session-ID-ctx:
    Master-Key: 2C482E9C0BEBF40CDDA378868A077391A387C94DA55ABC9997D1BB5139A1077D83364EED94DBE799CC82E8D46BC5FECB
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1428943048
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
read from 0x83a0798 [0x83a7293] (5 bytes => 5 (0x5))
0000 - 15 03 01 00 18                                    .....
read from 0x83a0798 [0x83a7298] (24 bytes => 24 (0x18))
0000 - 87 53 37 c9 d2 5d 44 6b-94 c3 80 bd 17 3e 31 39   .S7..]Dk.....>19
0010 - 53 ac 52 bc e0 3b 53 89-                          S.R..;S.
closed
write to 0x83a0798 [0x83ab7e3] (29 bytes => 29 (0x1D))
0000 - 15 03 01 00 18 49 10 83-df 10 45 43 d5 9a 39 8f   .....I....EC..9.
0010 - de df ec 3d 8c 68 76 0f-67 ca a5 79 91            ...=.hv.g..y.

Answer

Steffen Ullrich · Apr 13, 2015
SSL-Session:
  Protocol  : TLSv1

As you can see, it uses TLSv1 successfully.

Failure in POSTing request to State Manager: [SSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]

Don't let the SSL3_GET_RECORD confuse you. Since the record formats are the same or similar, functions with a name containing SSL3 are also used to process TLS data. It is not clear from your question what really is going on, but you might get this kind of message too if your application tries to do a TLSv12-only request against a server not supporting TLSv12.
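
Added example, not part of the original answer: a short Python parser for the 5-byte record header that SSLv3 and TLS share, run on the header bytes `15 03 01 00 18` from the s_client dump in the question. `check_version` is a hypothetical, simplified model of a record-layer version check (not OpenSSL's code), and the plaintext HTTP bytes are constructed input for contrast.

```python
import struct

# SSLv3 and all TLS versions share major byte 0x03 in the record header.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def parse_record_header(data):
    """Decode the 5-byte header: content type, version, payload length."""
    if len(data) < 5:
        raise ValueError("record header needs 5 bytes, got %d" % len(data))
    ctype, version, length = struct.unpack("!BHH", data[:5])
    return {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": VERSIONS.get(version, "unknown(0x%04x)" % version),
            "raw_version": version,
            "length": length}


def check_version(header, expected=None):
    """Hypothetical, simplified model of a record-layer version check.

    expected is the version the endpoint insists on (None = any SSL/TLS).
    """
    raw = header["raw_version"]
    if raw >> 8 != 0x03:
        return "wrong version number: not an SSL/TLS record"
    if expected is not None and raw != expected:
        return "wrong version number: got %s, expected %s" % (
            header["version"], VERSIONS.get(expected, "0x%04x" % expected))
    return "ok"


# Header bytes copied from the s_client dump in the question.
PAGE_HEADER = bytes.fromhex("15 03 01 00 18")
# Constructed input: start of a plaintext HTTP response on a TLS socket.
PLAINTEXT = b"HTTP/1.1 400 Bad Request\r\n"

if __name__ == "__main__":
    hdr = parse_record_header(PAGE_HEADER)
    print(hdr)                                      # alert record, TLSv1
    print(check_version(hdr, expected=0x0301))      # peer fixed at TLSv1
    print(check_version(hdr, expected=0x0303))      # peer fixed at TLSv1.2
    print(check_version(parse_record_header(PLAINTEXT)))
```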