SSLv2Hello is disabled


Bryan Pham

Aug 30, 2012, 8:54:22 PM
to dropwiz...@googlegroups.com
Just using the example keystore and pw
  ssl:
    keyStorePath: ./example.keystore
    keyStorePassword: example
 
Caused by: ! javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
! at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:468)
! at sun.security.ssl.InputRecord.read(InputRecord.java:374)
! at sun.security.ssl.EngineInputRecord.read(EngineInputRecord.java:309)
! at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:944)
! at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:887)
! at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:761)
! at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
! at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:519)
! at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:354)
! at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:43)
! at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:661)
! at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1030)
!... 9 common frames omitted

Coda Hale

Aug 30, 2012, 9:21:35 PM
to dropwiz...@googlegroups.com
Yes, SSLv2Hello is disabled.

That's intentional.

---
Coda Hale
http://codahale.com


Michael B

Feb 21, 2013, 6:21:04 AM
to dropwiz...@googlegroups.com
So, to revisit this: I recently ran into an issue with this, and enabling SSLv2Hello seemed the only way.
# The list of supported SSL/TLS protocols. Dropwizard
# intentionally disables SSLv2Hello for security reasons.
Which security reasons precisely? Yes, SSLv2 has issues, but SSLv2Hello seems to be just an SSLv3/TLS1.1/TLS1.2 Hello message wrapped in an SSLv2 format so that connecting clients can upgrade to the advertised newer protocol. Those clients start off in SSLv2 because of backwards compatibility (and the wrapped SSLv3/TLS1.1/TLS1.2 Hello message was included in the spec of the newer protocols for backwards compatibility/easy transition). Now I've googled trying to find issues with this mechanism but had trouble finding them (for SSLv2 there are plenty).

Specifically, IE9 and recent FF seem to still do this and fail to connect; Chrome works fine without SSLv2Hello enabled.

Did I miss something and is there some other way to get it working in those browsers?

Kind regards,

Michael
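The following is an added example, not code from the thread and not Dropwizard or Jetty code. It shows, in Python, the distinction Michael describes: a TLS server's record layer has to recognise an SSLv2-format CLIENT-HELLO (the "SSLv2Hello" pseudo-protocol, first byte with the high bit set, message type 1) that carries a newer protocol version inside it, versus a native SSLv3/TLS handshake record (content type 0x16). It also mirrors the decision behind the stack trace in the first post: with SSLv2Hello disabled, the v2-format hello is rejected even though the version it advertises is one the server would negotiate. The sample byte strings are constructed here; the constant names and helper functions are this example's own.

```python
"""Classify the first bytes of a client handshake as an SSLv2-format
ClientHello ("SSLv2Hello") or a native SSLv3/TLS record, and show which of
the two a server with SSLv2Hello disabled refuses.
Added example; all sample bytes are constructed, not captured traffic."""

TLS_HANDSHAKE_CONTENT_TYPE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01   # SSLv3/TLS handshake message type
SSL2_CLIENT_HELLO = 0x01        # SSLv2 record message type

VERSION_NAMES = {
    0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1",
    0x0302: "TLSv1.1", 0x0303: "TLSv1.2",
}


def version_name(v: int) -> str:
    return VERSION_NAMES.get(v, "0x%04x" % v)


def classify_client_hello(data: bytes) -> dict:
    """Return which record format is on the wire and which protocol version
    the client actually advertises inside it."""
    if len(data) < 11:
        raise ValueError("need at least the record header and hello version")
    b0, b1, b2 = data[0], data[1], data[2]

    # Native SSLv3/TLS record: content type 0x16, major version 3, 2-byte length,
    # then a handshake header (type, 3-byte length) and client_version.
    if b0 == TLS_HANDSHAKE_CONTENT_TYPE and b1 == 0x03:
        record_version = (b1 << 8) | b2
        if data[5] != HANDSHAKE_CLIENT_HELLO:
            raise ValueError("first handshake message is not a ClientHello")
        hello_version = (data[9] << 8) | data[10]
        return {
            "format": "SSLv3/TLS",
            "record_version": version_name(record_version),
            "hello_version": version_name(hello_version),
        }

    # SSLv2-format record: high bit of the first byte set, 15-bit length,
    # then message type 1 (CLIENT-HELLO) and the version the client wants.
    # Clients using SSLv2Hello put an SSLv3/TLS version here (the "wrapped" hello).
    if b0 & 0x80 and b2 == SSL2_CLIENT_HELLO:
        length = ((b0 & 0x7F) << 8) | b1
        hello_version = (data[3] << 8) | data[4]
        cipher_spec_len = (data[5] << 8) | data[6]
        return {
            "format": "SSLv2Hello",
            "record_length": length,
            "hello_version": version_name(hello_version),
            "cipher_specs": cipher_spec_len // 3,   # v2 cipher specs are 3 bytes each
        }
    return {"format": "unknown"}


def server_accepts(data: bytes, sslv2hello_enabled: bool) -> bool:
    """A server whose enabled protocols exclude SSLv2Hello rejects a v2-format
    hello outright, even when it wraps a TLS version it would otherwise accept."""
    fmt = classify_client_hello(data)["format"]
    if fmt == "SSLv3/TLS":
        return True
    if fmt == "SSLv2Hello":
        return sslv2hello_enabled
    return False


def build_sslv2_hello(advertised_version: int, cipher_specs: list) -> bytes:
    """Constructed SSLv2-format CLIENT-HELLO advertising a newer version."""
    specs = b"".join(b"\x00" + cs.to_bytes(2, "big") for cs in cipher_specs)
    challenge = bytes(range(16))                       # fixed bytes for the example
    body = (bytes([SSL2_CLIENT_HELLO]) + advertised_version.to_bytes(2, "big")
            + len(specs).to_bytes(2, "big") + (0).to_bytes(2, "big")   # no session id
            + len(challenge).to_bytes(2, "big") + specs + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def build_tls_hello(record_version: int, hello_version: int, cipher_suites: list) -> bytes:
    """Constructed native ClientHello inside an SSLv3/TLS handshake record."""
    suites = b"".join(cs.to_bytes(2, "big") for cs in cipher_suites)
    body = (hello_version.to_bytes(2, "big") + bytes(32)   # client_version, random
            + b"\x00"                                      # empty session id
            + len(suites).to_bytes(2, "big") + suites
            + b"\x01\x00")                                 # compression: null only
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE_CONTENT_TYPE]) + record_version.to_bytes(2, "big")
            + len(handshake).to_bytes(2, "big") + handshake)


# Constructed samples: a v2-wrapped hello advertising TLS 1.0 (the kind of
# opener the thread describes) and a native TLS 1.0 record carrying a TLS 1.2 hello.
WRAPPED_HELLO = build_sslv2_hello(0x0301, [0x002F, 0x0035])
NATIVE_HELLO = build_tls_hello(0x0301, 0x0303, [0x002F])

if __name__ == "__main__":
    for name, sample in (("wrapped", WRAPPED_HELLO), ("native", NATIVE_HELLO)):
        print(name, classify_client_hello(sample),
              "accepted with SSLv2Hello disabled:", server_accepts(sample, False))
```

Running it shows the wrapped sample classified as SSLv2Hello advertising TLSv1 and refused when SSLv2Hello is disabled, while the native record is accepted; that is the same split Bryan's `SSLv2Hello is disabled` exception reflects, and the reason a client that opens with the v2 framing never gets as far as version negotiation.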

Coda Hale

Feb 21, 2013, 9:50:30 AM
to dropwiz...@googlegroups.com
When I did this, disabling SSLv2Hello was being recommended as mitigation for renegotiation vulnerabilities. That may not be the current thinking, I don't know. I'd accept a patch to change the defaults.
--
Coda Hale
http://codahale.com