HTTPS Monitor fails after disabling SSLv3 on Tomcat 7 (APR connector)
I'm currently in the process of upgrading my Tomcat servers to Tomcat 7 using the APR connector with SSLv3 disabled. Here is my connector:
Everything seems to be working properly, e.g. going to a page via HTTPS serves up that page correctly. However, we're using an F5 load balancer, and as soon as I disabled SSLv3, the configured health monitor started failing for that node/port. After some troubleshooting on the F5 side, I decided to try to diagnose with OpenSSL:
$ openssl s_client -connect casrept2.tc.columbia.edu:8443/cas/monitor.jsp
CONNECTED(00000003)
write:errno=54
Doing the same, but forcing TLSv1 (-tls1), I'm able to connect properly:
$ openssl s_client -connect casrept2.tc.columbia.edu:8443/cas/monitor.jsp -tls1
CONNECTED(00000003)
... cert chain, etc, etc
I'm wondering if that's what's causing the health monitor to fail. Either way, though, I'm curious why I need to specifically force -tls1 for this to work. I would assume it should auto-negotiate the correct protocol?
This is the cipher list for the corresponding SSL client profile:
DEFAULT:!RC4:!SSLv3
And the one for the monitor:
DEFAULT
And finally, my SEND string:
GET /cas/monitor.jsp\r\n
Any ideas? Thanks!