Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-15 Thread Pavan Kumar Tiruvaipati
Hi,

Java ships cipher suites. We have printed all available cipher suites in
our environment.

Tomcat is not able to enable SSL with JRE 1.8.0_333.

The error says that the client and the server couldn’t find a common cipher
suite.

1. Which cipher suite needs to be updated in Tomcat to enable SSL?
2. Where do we need to update the cipher suite in Tomcat? server.xml?

Please advise me if there is any other way to fix the SSL issue. Thank you
in advance.

Regards,
Pavan

On Wed, Jun 15, 2022 at 1:34 PM Thomas Hoffmann (Speed4Trade GmbH)
 wrote:

> Hello,
> Java already ships with a broad variety of cipher suites.
> The crypto providers are listed in the file java.security.
> As long as you don’t modify this file, SSL should work just fine in the
> default java-configuration.
>
> Greetings, Thomas
>
>
> > -Original Message-
> > From: Pavan Kumar Tiruvaipati 
> > Sent: Wednesday, 15 June 2022 09:56
> > To: thomas.hoffm...@speed4trade.com.invalid
> > Cc: Tomcat Users List 
> > Subject: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> >
> > Hi,
> >
> > Thanks for the quick response. I will print all the available cipher
> suites.
> >
> > Where do I need to update the cipher to support SSL ?
> >
> >
> > Regards,
> > Pavan
> >
> > On Wed, Jun 15, 2022 at 12:39 PM Thomas Hoffmann (Speed4Trade GmbH)
> >  wrote:
> >
> > > Hello,
> > >
> > > > -Original Message-
> > > > From: Pavan Kumar Tiruvaipati 
> > > > Sent: Wednesday, 15 June 2022 08:59
> > > > To: Christopher Schultz 
> > > > Cc: Tomcat Users List 
> > > > Subject: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> > > >
> > > > Hi,
> > > >
> > > > Tomcat server started successfully.
> > > >
> > > > I'm seeing the following error in the tomcat logs when SSL is
> > > > enabled in server.xml
> > > >
> > > > Application is not able to run on https://localhost:8080.
> > > >
> > > > 2022-06-15 12:02:43,923 [http-3003-1] DEBUG
> > > > *org.apache.tomcat.util.net.JIoEndpoint
> > > > - Handshake failed*
> > > >
> > > > *javax.net.ssl.SSLHandshakeException: no cipher suites in common at
> > > > sun.security.ssl.Alert.createSSLException(Unknown Source) *
> > > >
> > > > *at sun.security.ssl.Alert.createSSLException(Unknown Source) at
> > > > sun.security.ssl.TransportContext.fatal(Unknown Source) *
> > > >
> > > > *at sun.security.ssl.TransportContext.fatal(Unknown Source) at
> > > > sun.security.ssl.TransportContext.fatal(Unknown Source) at
> > > > sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuit
> > > > e(Un
> > > > known
> > > > Source) at
> > > > sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(Unknown
> > > > Source) at sun.security.ssl.SSLHandshake.produce(Unknown Source) at
> > > > sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(Unknown
> > > > Source) at
> > > > sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unkno
> > > > wn
> > > > Source) at
> > > > sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown
> > > > Source) at sun.security.ssl.SSLHandshake.consume(Unknown Source) at
> > > > sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
> > > > sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
> > > > sun.security.ssl.TransportContext.dispatch(Unknown Source) at
> > > > sun.security.ssl.SSLTransport.decode(Unknown Source) at
> > > > sun.security.ssl.SSLSocketImpl.decode(Unknown Source) at
> > > > sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
> > > > at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
> > > > sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
> > > > org.apache.tomcat.util.net
> > > .jsse.JSSESocketFactory.handshake(JSSESocketFac
> > > > tory.java:233)
> > > > at
> > > > org.apache.tomcat.util.net
> > > .JIoEndpoint.setSocketOptions(JIoEndpoint.java:7
> > > > 01)
> > > > at org.apache.tomcat.util.net
> > > .JIoEndpoint$Worker.run(JIoEndpoint.java:503)
> > > > at java.lang.Thread.run(Unknown Source)*
> > > >
> > > > If I disable SSL in tomcat server.xml, It's working with Non-SSL (
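
Thomas's suggestion to print the cipher suites can be taken one step further: check which of the suites this JRE enables can actually be used with the key sitting in the Tomcat keystore, because a server whose only key entry matches none of the enabled suites has nothing to negotiate with any client. The class below is an added example written for this note, not code posted by anyone in the thread or shipped with Tomcat. The keystore path `conf/certificate` is taken from Pavan's connector; the default password `changeit`, the JKS keystore type, and the name-based matching on the `_RSA_` / `_ECDSA_` / `_DSS_` component of the standard JSSE suite names are assumptions of the example.

```java
// CipherSuiteAudit.java (added example): which suites does this JRE enable, and
// which of them can a server actually use with the key in the Tomcat keystore?
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.Security;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class CipherSuiteAudit {

    // Heuristic on the standard JSSE suite names: the authentication part of the
    // name must match the type of key the server will present.
    static boolean usableWithKey(String suite, String keyAlgorithm) {
        switch (keyAlgorithm) {
            case "RSA": return suite.contains("_RSA_");   // TLS_RSA_*, TLS_ECDHE_RSA_*, TLS_DHE_RSA_*
            case "EC":  return suite.contains("_ECDSA_"); // TLS_ECDHE_ECDSA_*, TLS_ECDH_ECDSA_*
            case "DSA": return suite.contains("_DSS_");   // TLS_DHE_DSS_*
            default:    return false;
        }
    }

    // Key size in bits, the figure that "keySize < N" entries in
    // jdk.tls.disabledAlgorithms are compared against.
    static int keyBits(PublicKey key) {
        if (key instanceof RSAPublicKey) return ((RSAPublicKey) key).getModulus().bitLength();
        if (key instanceof DSAPublicKey) return ((DSAPublicKey) key).getParams().getP().bitLength();
        if (key instanceof ECPublicKey)  return ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
        return -1;
    }

    public static void main(String[] args) throws Exception {
        // Path follows Pavan's connector; password and JKS type are assumptions.
        String keystorePath = args.length > 0 ? args[0] : "conf/certificate";
        char[] keystorePass = (args.length > 1 ? args[1] : "changeit").toCharArray();

        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("Java " + System.getProperty("java.version")
                + " at " + System.getProperty("java.home"));
        System.out.println("Enabled protocols: " + Arrays.toString(enabled.getProtocols()));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        TreeSet<String> enabledSuites = new TreeSet<>(Arrays.asList(enabled.getCipherSuites()));
        TreeSet<String> disabledSuites = new TreeSet<>(Arrays.asList(supported.getCipherSuites()));
        disabledSuites.removeAll(enabledSuites);
        System.out.println(enabledSuites.size() + " suites enabled, "
                + disabledSuites.size() + " supported but switched off by java.security");

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, keystorePass);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // trusted-cert entries cannot serve a TLS listener
            PublicKey key = ks.getCertificate(alias).getPublicKey();
            String alg = key.getAlgorithm();
            System.out.println("Key entry '" + alias + "': " + alg + " " + keyBits(key) + " bits");
            int usable = 0;
            for (String suite : enabledSuites) {
                if (usableWithKey(suite, alg)) {
                    usable++;
                    System.out.println("  " + suite);
                }
            }
            if (usable == 0) {
                System.out.println("  no enabled suite can authenticate with this key;"
                        + " the server has nothing to offer any client");
            }
        }
    }
}
```

Compile and run it with the same JRE that starts Tomcat (`java CipherSuiteAudit conf/certificate <password>`), since the answer depends on that JRE's `java.security`. An empty list under the key entry is one way to arrive at the `no cipher suites in common` alert in Pavan's log regardless of what the client offers; the printed `jdk.tls.disabledAlgorithms` line shows which algorithms and minimum key sizes the installed `java.security` has switched off, which is the first thing to compare between the JDK that worked and the JRE that does not.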

Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-15 Thread Pavan Kumar Tiruvaipati
Hi,

Thanks for the quick response. I will print all the available cipher
suites.

Where do I need to update the cipher to support SSL?


Regards,
Pavan

On Wed, Jun 15, 2022 at 12:39 PM Thomas Hoffmann (Speed4Trade GmbH)
 wrote:

> Hello,
>
> > -Original Message-
> > From: Pavan Kumar Tiruvaipati 
> > Sent: Wednesday, 15 June 2022 08:59
> > To: Christopher Schultz 
> > Cc: Tomcat Users List 
> > Subject: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> >
> > Hi,
> >
> > Tomcat server started successfully.
> >
> > I'm seeing the following error in the tomcat logs when SSL is enabled in
> > server.xml
> >
> > Application is not able to run on https://localhost:8080.
> >
> > 2022-06-15 12:02:43,923 [http-3003-1] DEBUG
> > *org.apache.tomcat.util.net.JIoEndpoint
> > - Handshake failed*
> >
> > *javax.net.ssl.SSLHandshakeException: no cipher suites in common at
> > sun.security.ssl.Alert.createSSLException(Unknown Source) *
> >
> > *at sun.security.ssl.Alert.createSSLException(Unknown Source) at
> > sun.security.ssl.TransportContext.fatal(Unknown Source) *
> >
> > *at sun.security.ssl.TransportContext.fatal(Unknown Source) at
> > sun.security.ssl.TransportContext.fatal(Unknown Source) at
> > sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(Un
> > known
> > Source) at
> > sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(Unknown
> > Source) at sun.security.ssl.SSLHandshake.produce(Unknown Source) at
> > sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(Unknown
> > Source) at
> > sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unknown
> > Source) at
> > sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown
> > Source) at sun.security.ssl.SSLHandshake.consume(Unknown Source) at
> > sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
> > sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
> > sun.security.ssl.TransportContext.dispatch(Unknown Source) at
> > sun.security.ssl.SSLTransport.decode(Unknown Source) at
> > sun.security.ssl.SSLSocketImpl.decode(Unknown Source) at
> > sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) at
> > sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
> > sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
> > org.apache.tomcat.util.net
> .jsse.JSSESocketFactory.handshake(JSSESocketFac
> > tory.java:233)
> > at
> > org.apache.tomcat.util.net
> .JIoEndpoint.setSocketOptions(JIoEndpoint.java:7
> > 01)
> > at org.apache.tomcat.util.net
> .JIoEndpoint$Worker.run(JIoEndpoint.java:503)
> > at java.lang.Thread.run(Unknown Source)*
> >
> > If I disable SSL in tomcat server.xml, It's working with Non-SSL (
> > http://localhost:8080).
> >
> > Does Tomcat SSL configuration work with JRE 1.8.0 ? Are there any changes
> > required to establish a handshake ?
> >
> > Please let me know if you need more details.
> >
> >
> > Regards,
> > Pavan
> >
> > On Tue, Jun 14, 2022 at 10:44 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > > Pavan,
> > >
> > > Please reply to the list and not me personally.
> > >
> > > On 6/14/22 11:21, Pavan Kumar Tiruvaipati wrote:
> > > >  > > > maxThreads="150" minSpareThreads="25"
> > > maxSpareThreads="75"
> > > > enableLookups="false" disableUploadTimeout="true"
> > > > acceptCount="100"  scheme="https" secure="true"
> > > > connectionTimeout="2"
> > > > clientAuth="false" algorithm="SunX509"
> sslProtocol="TLS"
> > > >keystoreFile="conf/certificate" keystorePass="x"
> > > > useBodyEncodingForURI="true"
> > > >SSLEnabled="true"/>
> > >
> > > That all looks pretty straightforward.
> > >
> > > When you say it's "not working", can you be more specific? Does the
> > > Tomcat server start? Are there any errors or warnings in the logs?
> > >
> > > -chris
> > >
> > > > On Tue, Jun 14, 2022 at 7:30 PM Christopher Schultz
> > > > mailto:ch...@christopherschultz.net>>
> > > wrote:
> > > >
> > > > Pavan,

Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-15 Thread Pavan Kumar Tiruvaipati
Hi,

Tomcat server started successfully.

I'm seeing the following error in the tomcat logs when SSL is enabled in
server.xml

Application is not able to run on https://localhost:8080.

2022-06-15 12:02:43,923 [http-3003-1] DEBUG org.apache.tomcat.util.net.JIoEndpoint - Handshake failed
javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at sun.security.ssl.Alert.createSSLException(Unknown Source)
    at sun.security.ssl.Alert.createSSLException(Unknown Source)
    at sun.security.ssl.TransportContext.fatal(Unknown Source)
    at sun.security.ssl.TransportContext.fatal(Unknown Source)
    at sun.security.ssl.TransportContext.fatal(Unknown Source)
    at sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(Unknown Source)
    at sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(Unknown Source)
    at sun.security.ssl.SSLHandshake.produce(Unknown Source)
    at sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(Unknown Source)
    at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unknown Source)
    at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown Source)
    at sun.security.ssl.SSLHandshake.consume(Unknown Source)
    at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
    at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
    at sun.security.ssl.TransportContext.dispatch(Unknown Source)
    at sun.security.ssl.SSLTransport.decode(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:233)
    at org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:701)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:503)
    at java.lang.Thread.run(Unknown Source)

If I disable SSL in Tomcat's server.xml, it works with non-SSL
(http://localhost:8080).

Does Tomcat SSL configuration work with JRE 1.8.0? Are there any changes
required to establish a handshake?

Please let me know if you need more details.


Regards,
Pavan

On Tue, Jun 14, 2022 at 10:44 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Pavan,
>
> Please reply to the list and not me personally.
>
> On 6/14/22 11:21, Pavan Kumar Tiruvaipati wrote:
> >  > maxThreads="150" minSpareThreads="25"
> maxSpareThreads="75"
> > enableLookups="false" disableUploadTimeout="true"
> > acceptCount="100"  scheme="https" secure="true"
> > connectionTimeout="2"
> > clientAuth="false" algorithm="SunX509" sslProtocol="TLS"
> >keystoreFile="conf/certificate" keystorePass="x"
> > useBodyEncodingForURI="true"
> >SSLEnabled="true"/>
>
> That all looks pretty straightforward.
>
> When you say it's "not working", can you be more specific? Does the
> Tomcat server start? Are there any errors or warnings in the logs?
>
> -chris
>
> > On Tue, Jun 14, 2022 at 7:30 PM Christopher Schultz
> > <ch...@christopherschultz.net> wrote:
> >
> > Pavan,
> >
> > On 6/14/22 08:32, Pavan Kumar Tiruvaipati wrote:
> >  > We have replaced JDK 1.8 with JRE 1.8.0_333.
> >  >
> >  > SSL configuration was working fine with Tomcat 6.0.45 before
> > replacing JDK
> >  > with JRE.
> >  >
> >  > Now it's not working.
> >  >
> >  > In server.xml, SSL Protocol is set to "TLS".
> >  >
> >  > Does Tomcat 6.0.45 support SSL with JRE 1.8.0_333 ?
> >  >
> >  > Are there any specific protocols / versions to be used to enable
> > SSL ?
> >
> > Please post your <Connector> configuration. Remove any secrets that may
> > be in there (e.g. passwords).
> >
> > -chris
> >
>


Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-14 Thread Christopher Schultz

Pavan,

Please reply to the list and not me personally.

On 6/14/22 11:21, Pavan Kumar Tiruvaipati wrote:

                acceptCount="100" scheme="https" secure="true"
                connectionTimeout="2"
                clientAuth="false" algorithm="SunX509" sslProtocol="TLS"
                keystoreFile="conf/certificate" keystorePass="x"
                useBodyEncodingForURI="true"
                SSLEnabled="true"/>


That all looks pretty straightforward.

When you say it's "not working", can you be more specific? Does the 
Tomcat server start? Are there any errors or warnings in the logs?


-chris

On Tue, Jun 14, 2022 at 7:30 PM Christopher Schultz
<ch...@christopherschultz.net> wrote:


Pavan,

On 6/14/22 08:32, Pavan Kumar Tiruvaipati wrote:
 > We have replaced JDK 1.8 with JRE 1.8.0_333.
 >
 > SSL configuration was working fine with Tomcat 6.0.45 before
replacing JDK
 > with JRE.
 >
 > Now it's not working.
 >
 > In server.xml, SSL Protocol is set to "TLS".
 >
 > Does Tomcat 6.0.45 support SSL with JRE 1.8.0_333 ?
 >
 > Are there any specific protocols / versions to be used to enable
SSL ?

Please post your <Connector> configuration. Remove any secrets that may
be in there (e.g. passwords).

-chris



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-14 Thread Christopher Schultz

Pavan,

On 6/14/22 08:32, Pavan Kumar Tiruvaipati wrote:

We have replaced JDK 1.8 with JRE 1.8.0_333.

SSL configuration was working fine with Tomcat 6.0.45 before replacing JDK
with JRE.

Now it's not working.

In server.xml, SSL Protocol is set to "TLS".

Does Tomcat 6.0.45 support SSL with JRE 1.8.0_333 ?

Are there any specific protocols / versions to be used to enable SSL ?


Please post your <Connector> configuration. Remove any secrets that may
be in there (e.g. passwords).


-chris




Re: SSL issue in tomcat

2015-02-02 Thread Jason Y
Thanks for your reply, Chris.

I am providing solr search service on Linux server. My java version is
1.7_67 (64bit) and tomcat version is 7.0.55 and tomcat Connector is:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="500" SSLEnabled="true" scheme="https"
           secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/**.keystore" keystorePass="password" />
In my service I provide both REST and WSDL service to call solr search by
https. Everything worked well until one day (in about Nov 2014) we found we
could not open the wsdl URL in any browser, while our clients' code that calls
solr search was always working fine.

In the coming days, two clients' developers(.NET) raised some tickets
complaining that they could not call solr service on their local
machines(while their code on PROD running well and never failed). They said
they could not even load wsdl in Visual Studio. At this time I realized
that I should test it by myself so I tested(with java code) to call the
service both by REST and by WSDL, and both worked fine.

*My code to call WSDL is:*
System.setProperty("javax.net.ssl.trustStore", certificationPath);
Service service = new Service();
 port = service.getPort();
// start add soap header
Binding binding = ((BindingProvider) port).getBinding();
List<Handler> handlerList = binding.getHandlerChain();
if (handlerList == null)
    handlerList = new ArrayList<Handler>();

handlerList.add(new SecurityHandler(username, password));
binding.setHandlerChain(handlerList);
String query = "q=Id:123456";
long offset = 0;
long limit = 100;
Holder<Long> numFound = new Holder<Long>();
Holder<Long> start = new Holder<Long>();
Holder<List<SolrDocument>> doc = new Holder<List<SolrDocument>>();

port.search(query, offset, limit, numFound, start, doc);
System.out.println(doc.value.size());
*My code to call REST service is:*
SolrQuery query = new SolrQuery();
query.setQuery("*:*");
System.setProperty("javax.net.ssl.trustStore", certificationPath);
HttpSolrServer server = new HttpSolrServer("https://server_ip:8443/solr/solr_test");
query.setHighlight(true).setStart(1);
query.setRows(15);
ModifiableSolrParams paramsDemo = new ModifiableSolrParams();
paramsDemo.add("wt", "json");
paramsDemo.add("indent", "true");
paramsDemo.add("q", "Id:123456");
query.add(paramsDemo);
QueryResponse queryResponse = server.query(query);

Then I tried to disable SSL 3.0 on the server by adding
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the Connector in server.xml.
After a restart, my service was running OK, my test code was running OK and
the https wsdl URLs were OK to open in browsers. But, about one hour later, all
the above tests failed.

*Error message when calling wsdl:*
Exception in thread main javax.xml.ws.WebServiceException: Failed to
access the WSDL at: https://server_ip:8443/solr_test_name?wsdl. It failed
with:
Received fatal alert: handshake_failure.
at
com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:151)
at
com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:133)
at
com.sun.xml.internal.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:254)
at
com.sun.xml.internal.ws.client.WSServiceDelegate.init(WSServiceDelegate.java:217)
at
com.sun.xml.internal.ws.client.WSServiceDelegate.init(WSServiceDelegate.java:165)
at
com.sun.xml.internal.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:93)
at javax.xml.ws.Service.init(Service.java:56)
at com..webservice.Service.init(Service.java:42)
at com..client.Test.main(Test.java:30)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure

*Error message when calling REST:*
IOException occured when talking to server at: [MY_REST_SERVICE_ADDRESS]

*Error message when trying to open WSDL URL in browser:*
SSL connection error
Unable to make a secure connection to the server. This may be a problem with
the server, or it may be requiring a client authentication certificate that
you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR

My question is, after adding sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
to the *Connector* in server.xml, is there anything else that I need to do?
Such as:
i) on server side JDK settings with -D =;
ii) on client side with System.setProperties(,)?
iii) or anything else?
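
Jason's question is whether anything beyond `sslEnabledProtocols` needs changing, and the later messages in this thread (Chris on protocol lists, Sanaullah on the optional `ciphers` attribute) turn on the same handful of Connector attributes. One way to keep track of them across all connectors is to check `server.xml` mechanically. The class below is an added example written for this note, not code from the thread or from Tomcat. The embedded `server.xml` is constructed for the example from the connectors quoted in this thread: Jason's original without `sslEnabledProtocols`, the corrected one with pinned protocols and the `ciphers` list he tried, and a third that still lists SSLv3 (the POODLE case the thread links to); keystore path and password in it are dummies.

```java
// ConnectorLint.java (added example): report SSL connectors in a Tomcat server.xml
// that leave the protocol or cipher list to the JVM default or still enable SSLv2/SSLv3.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ConnectorLint {

    // Protocol names that should not appear in sslEnabledProtocols (POODLE is an SSLv3 attack).
    static final Set<String> LEGACY_PROTOCOLS = new HashSet<>(Arrays.asList("SSLv2", "SSLv3"));

    // Constructed sample, not a real server.xml: the connector before the change (8443),
    // the corrected one with pinned protocols and ciphers (8444), and one still listing SSLv3 (8445).
    static final String SAMPLE_SERVER_XML =
          "<Server><Service name=\"Catalina\">"
        + "<Connector port=\"8080\" protocol=\"HTTP/1.1\" redirectPort=\"8443\"/>"
        + "<Connector port=\"8443\" protocol=\"org.apache.coyote.http11.Http11Protocol\""
        + " maxThreads=\"500\" SSLEnabled=\"true\" scheme=\"https\" secure=\"true\""
        + " clientAuth=\"false\" sslProtocol=\"TLS\""
        + " keystoreFile=\"/path/to/keystore\" keystorePass=\"dummy\"/>"
        + "<Connector port=\"8444\" protocol=\"org.apache.coyote.http11.Http11Protocol\""
        + " maxThreads=\"150\" SSLEnabled=\"true\" scheme=\"https\" secure=\"true\""
        + " clientAuth=\"false\" sslProtocol=\"TLS\""
        + " sslEnabledProtocols=\"TLSv1,TLSv1.1,TLSv1.2\""
        + " ciphers=\"TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA\""
        + " keystoreFile=\"/path/to/keystore\" keystorePass=\"dummy\"/>"
        + "<Connector port=\"8445\" protocol=\"org.apache.coyote.http11.Http11Protocol\""
        + " SSLEnabled=\"true\" scheme=\"https\" secure=\"true\""
        + " sslEnabledProtocols=\"SSLv3,TLSv1\""
        + " keystoreFile=\"/path/to/keystore\" keystorePass=\"dummy\"/>"
        + "</Service></Server>";

    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // server.xml needs no DTD; refusing one also rules out XXE if the file is untrusted.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml));
    }

    static List<String> lint(Document doc) {
        List<String> findings = new ArrayList<>();
        NodeList connectors = doc.getElementsByTagName("Connector");
        for (int i = 0; i < connectors.getLength(); i++) {
            Element c = (Element) connectors.item(i);
            if (!"true".equalsIgnoreCase(c.getAttribute("SSLEnabled"))) {
                continue; // plain HTTP or AJP connector, nothing to check here
            }
            String port = c.getAttribute("port");
            if (!c.hasAttribute("sslEnabledProtocols")) {
                findings.add("port " + port + ": sslEnabledProtocols not set, the JVM default list applies");
            } else {
                for (String p : c.getAttribute("sslEnabledProtocols").split(",")) {
                    if (LEGACY_PROTOCOLS.contains(p.trim())) {
                        findings.add("port " + port + ": legacy protocol enabled: " + p.trim());
                    }
                }
            }
            if (!c.hasAttribute("ciphers")) {
                findings.add("port " + port + ": ciphers not set, every suite the JVM enables is offered");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        byte[] xml = args.length > 0
                ? Files.readAllBytes(Paths.get(args[0]))
                : SAMPLE_SERVER_XML.getBytes(StandardCharsets.UTF_8);
        List<String> findings = lint(parse(xml));
        if (findings.isEmpty()) System.out.println("no findings");
        for (String f : findings) System.out.println(f);
    }
}
```

Run without arguments to lint the embedded sample (two findings each for ports 8443 and 8445, none for 8444), or with `java ConnectorLint conf/server.xml` against a real file. The `ciphers` finding is informational: as Sanaullah says later in the thread, the attribute is optional, and leaving it out only means the connector offers whatever the JVM's `java.security` currently enables.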


Re: SSL issue in tomcat

2015-02-02 Thread Christopher Schultz

Jason,

On 2/2/15 4:46 AM, Jason Y wrote:
 Thanks for your reply, Chris.
 
 I am providing solr search service on Linux server. My java version
 is 1.7_67(64bit) and tomcat version is 7.0.55 and tomcat Connector
 is: Connector port=8443
 protocol=org.apache.coyote.http11.Http11Protocol maxThreads=500
 SSLEnabled=true scheme=https secure=true clientAuth=false
 sslProtocol=TLS keystoreFile=/path/**.keystore
 keystorePass=password / In my service I provide both REST and
 WSDL servie to call solr search by https. Everything worked well
 until one day(about in Nov, 2014) we found we could not open wsdl
 URL in any browsers while our clients' codes that calls solr search
 are always working fine.
 
 In the coming days, two clients' developers(.NET) raised some
 tickets complaining that they could not call solr service on their
 local machines(while their code on PROD running well and never
 failed). They said they could not even load wsdl in Visual Studio.
 At this time I realized that I should test it by myself so I
 tested(with java code) to call the service both by REST and by
 WSDL, and both worked fine.
 
 *My code to call WSDL is:* 
 System.setProperty(javax.net.ssl.trustStore, certificationPath); 
 Service service = new Service();  port =
 service.getPort(); // start add soap header Binding binding =
 ((BindingProvider) port).getBinding(); ListHandler handlerList =
 binding.getHandlerChain(); if (handlerList == null) handlerList =
 new ArrayListHandler();
 
 handlerList.add(new SecurityHandler(username, password)); 
 binding.setHandlerChain(handlerList); String query =
 q=Id:123456; long offset = 0; long limit = 100; HolderLong
 numFound = new HolderLong(); HolderLong start = new
 HolderLong(); HolderListSolrDocument doc=new 
 HolderListSolrDocument();
 
 port.search(query,offset,limit,numFound,start,doc); 
 System.out.println(doc.value.size()); *My code to call REST service
 is:* SolrQuery query = new SolrQuery(); query.setQuery(*:*); 
 System.setProperty(javax.net.ssl.trustStore, certificationPath); 
 HttpSolrServer server = new HttpSolrServer( 
 https://server_ip:8443/solr/solr_test;); 
 query.setHighlight(true).setStart(1); query.setRows(15); 
 ModifiableSolrParams paramsDemo = new ModifiableSolrParams(); 
 paramsDemo.add(wt, json); paramsDemo.add(indent, true); 
 paramsDemo.add(q, Id:123456); query.add(paramsDemo); 
 QueryResponse queryResponse = server.query(query);
 
 Then I tried to disable SSL 3.0 on server by adding ​ 
 sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2 to the Connector in
 server.xml. After a restart, my service was running OK and my test
 code running OK and https wsdl URLs OK to open in browsers. But,
 about one hour later, all above test failed.
 
 *Error message when calling wsdl:* Exception in thread main
 javax.xml.ws.WebServiceException: Failed to access the WSDL at:
 https://server_ip:8443/solr_test_name?wsdl. It failed with: 
 Received fatal alert: handshake_failure. at 
 com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:151)

 
at
 com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:133)

 
at
 com.sun.xml.internal.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:254)

 
at
 com.sun.xml.internal.ws.client.WSServiceDelegate.init(WSServiceDelegate.java:217)

 
at
 com.sun.xml.internal.ws.client.WSServiceDelegate.init(WSServiceDelegate.java:165)

 
at
 com.sun.xml.internal.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:93)

 
at javax.xml.ws.Service.init(Service.java:56)
 at com..webservice.Service.init(Service.java:42) at
 com..client.Test.main(Test.java:30) Caused by:
 javax.net.ssl.SSLHandshakeException: Received fatal alert: 
 handshake_failure
 
 *​Error message then calling REST:* ​IOException occured when
 talking to server at: [MY_REST_SERVICE_ADDRESS]
 
 *Error message when trying to open WSDL URL in browser:* SSL
 connection errorUnable to make a secure connection to the server.
 This may be a problem with the server, or it may be requiring a
 client authentication certificate that you don't have. Error code:
 ERR_SSL_PROTOCOL_ERROR ​My question is, after adding ​
 sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2 to the *Connector *in
 server.xml, is there anything else that I need to do? Such as: i)
 on server side JDK settings with -D =; ii) on client side
 with System.setProperties(,)? iii) or anything else?

You should not have to do anything else.

The one thing I can think of is that some clients are trying to use an
SSLv2hello handshake and you are not supporting one. I would imagine
that most modern clients would try SSLv2hello and then switch to TLS
if that didn't work (or, better yet, the other way around). Your Java
1.7 client will certainly be able to connect to either. I'm not sure
about .NET clients, but they are probably smart, too.

I'd like to know what changes 

Re: SSL issue in tomcat

2015-01-23 Thread Christopher Schultz

Jason,

On 1/23/15 3:27 AM, Jason Y wrote:
 Thank you Chris for your reply.
 
 I think I was misled by this error. My services--both REST and
 SOAP--are hosted by tomcat and used by downstream users with HTTPS.
 They were running well for a long time until some day one of the
 downstream developers reported that the WSDL URL could not be
 accessed by his browsers or his code.

Not accessible... how? 404 response? Unexpected content in response?
Infinite timeout? Connection refused?

 At first I thought it was due to openSSL HeartBleed issue 
 https://wiki.apache.org/tomcat/Security/Heartbleed or POODLE
 issue http://wiki.apache.org/tomcat/Security/POODLE.

You have misunderstood the nature of those vulnerabilities.

 So I made respective changes to server.xml and then restarted my 
 service. I added highlighted part as below:
 
 <Connector port="8443"
            protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
            SSLEnabled="true" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS"
            sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx"
            keystorePass="xxx" />
 It ran well after the restart, but did not last for long. Soon, the
 developer reported that he could not access the service again. It was
 NOT fixed and I am so confused.

Was it ever working, or had this developer even checked the service
after the restart?

 Yesterday, I was thinking why and how the user couldn't access the
 service? Why not test it by myself? So I rolled back all my changes
 and wrote code to call the service via REST and WSDL and both were
 running OK!

Sounds like WORKSFORME.

 (Still I cannot open WSDL URL in my browsers, I think it is SSL 
 issue.)

What happens when you try to open that WSDL URL in your browser?

 Also, there is never a production user reporting this issue. So I
 think it might be something wrong with the developer's code (it is
 .NET code on which I have 0 knowledge), I will keep on watching
 this.

.NET can certainly call-up a web server and request a resource. You
need more details from this person. Direct them here if you'd rather
not be a go-between.

-chris




Re: SSL issue in tomcat

2015-01-23 Thread Jason Y
Thank you Chris for your reply.

I think I was misled by this error. My services--both REST and SOAP--are
hosted by tomcat and used by downstream users with HTTPS. They were running
well for a long time until some day one of the downstream developers reported
that the WSDL URL could not be accessed by his browsers or his code.

At first I thought it was due to openSSL HeartBleed issue
https://wiki.apache.org/tomcat/Security/Heartbleed or POODLE issue
http://wiki.apache.org/tomcat/Security/POODLE. So I made respective
changes to server.xml and then restarted my service. I added highlighted
part as below:


<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https"
           secure="true" clientAuth="false"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="xxx"
           keystorePass="xxx" />
It ran well after the restart, but did not last for long. Soon, the developer
reported that he could not access the service again. It was NOT fixed and I
am so confused.

Yesterday, I was thinking why and how the user couldn't access the service?
Why not test it by myself? So I rolled back all my changes and wrote code
to call the service via REST and WSDL and both were running OK!(Still I
cannot open WSDL URL in my browsers, I think it is SSL issue.)

Also, there is never a production user reporting this issue. So I think it
might be something wrong with the developer's code(it is .NET code on which
I have 0 knowledge), I will keep on watching this.



On Thu, Jan 22, 2015 at 11:01 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Jason,

 On 1/22/15 1:26 AM, Jason Y wrote:
  What I changed in server.xml is adding
  sslEnabledProtocols=TLSv1.2,TLSv1.1,TLSv1.

 If you want to be able to handle SSL handshakes (and not just TLS ones
 like some older clients might require), you'll need to enable
 SSLv2hello along with all the TLS versions you have specified above.

  BUT I noticed that I am using JSSE instead of APR, so I removed
  the listener <Listener
  className="org.apache.catalina.core.AprLifecycleListener"
  SSLEngine="on" />
 
  is this causing my error?

 No. Using the AprLifecycleListener won't hurt anything; you'll just
 get a warning on startup that the native library isn't available.

 I'm not quite convinced this is an SSL problem, since most clients can
 handle a TLS handshake these days.

 Back to the original problem: how long does your application work
 before it doesn't? When it doesn't work, what happens when you try
 to connect? Long timeout? Immediate connection refusal? Failed handshake?

 You need to provide more information. Can you summarize the problem
 again and give specifics?

 -chris

  On Wed, Jan 21, 2015 at 11:39 PM, Jason Y day...@gmail.com
  wrote:
 
  You mean here maxThreads=150?
  
  But there is no respective log message for this. And, I didn't find
  much request to the service. Currently there are no changed
  settings (firewall/network, etc.).
 
  On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner 
  jeffrey.jan...@polydyne.com wrote:
 
  -Original Message- From: Jason Y
  [mailto:day...@gmail.com] Sent: Wednesday, January 21, 2015
  12:44 AM To: Tomcat Users List Subject: Re: SSL issue in
  tomcat
 
  Got another issue...Tomcat is working fine after restart but
  it cannot last long. Now I cannot access https pages with any
  browsers. I didn't find anything useful in logs. After a
  restart, it works well again.
 
  <Connector executor="tomcatThreadPool" port="8080"
             protocol="HTTP/1.1" connectionTimeout="2"
             redirectPort="8443" />
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https"
             secure="true" clientAuth="false" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
             keystoreFile="lib/cert/.keystore" keystorePass="" />
  <!-- Define an AJP 1.3 Connector on port 8009 -->
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
 
 
  Just a thought, but since it works for a while and then stops
  responding, could it be that the OP is running out of
  processing threads, i.e. a thread or connection pool leak?
 
 
  On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah
  sanaulla...@gmail.com wrote:
 
   It's not necessary to have the ciphers property, but if you
   want to restrict the ciphers then you can use this property.
 
  On Wed, Jan 21, 2015 at 6:53 AM, Jason Y day...@gmail.com
  wrote:
 
  Thank you all. Now it is working fine.
 
   <Connector port="8443"
              protocol="org.apache.coyote.http11.Http11Protocol"
              maxThreads="150" SSLEnabled="true" scheme="https"
              secure="true" clientAuth="false" sslProtocol="TLS"
              sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
              keystoreFile="lib/cert/.keystore"
              keystorePass=""
              ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                       TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                       TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
              />
 
  By the way, do I need ciphers properties here?
 
  On Tue, Jan 20, 2015 at 11

Re: SSL issue in tomcat

2015-01-22 Thread Christopher Schultz

Jason,

On 1/22/15 1:26 AM, Jason Y wrote:
 What I changed in server.xml is adding 
 sslEnabledProtocols=TLSv1.2,TLSv1.1,TLSv1.

If you want to be able to handle SSL handshakes (and not just TLS ones
like some older clients might require), you'll need to enable
SSLv2hello along with all the TLS versions you have specified above.

 BUT I noticed that I am using JSSE instead of APR, so I removed
 the listener <Listener
 className="org.apache.catalina.core.AprLifecycleListener"
 SSLEngine="on" />
 
 is this causing my error?

No. Using the AprLifecycleListener won't hurt anything; you'll just
get a warning on startup that the native library isn't available.

I'm not quite convinced this is an SSL problem, since most clients can
handle a TLS handshake these days.

Back to the original problem: how long does your application work
before it doesn't? When it doesn't work, what happens when you try
to connect? Long timeout? Immediate connection refusal? Failed handshake?

You need to provide more information. Can you summarize the problem
again and give specifics?

-chris

 On Wed, Jan 21, 2015 at 11:39 PM, Jason Y day...@gmail.com
 wrote:
 
 You mean here maxThreads="150"?
 
 But there is no respective log message for this. And, I didn't find
 many requests to the service. Currently there are no changed
 settings (firewall/network, etc.).
 
 On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner  
 jeffrey.jan...@polydyne.com wrote:
 
 -Original Message- From: Jason Y
 [mailto:day...@gmail.com] Sent: Wednesday, January 21, 2015
 12:44 AM To: Tomcat Users List Subject: Re: SSL issue in
 tomcat
 
 Got another issue...Tomcat is working fine after restart but
 it cannot last long. Now I cannot access https pages with any
 browsers. I didn't find anything useful in logs. After a
 restart, it works well again.
 
 <Connector executor="tomcatThreadPool" port="8080"
 protocol="HTTP/1.1" connectionTimeout="2"
 redirectPort="8443" />
 <Connector port="8443"
 protocol="org.apache.coyote.http11.Http11Protocol"
 maxThreads="150" SSLEnabled="true" scheme="https"
 secure="true" clientAuth="false" sslProtocol="TLS"
 sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
 keystoreFile="lib/cert/.keystore" keystorePass="" />
 <!-- Define an AJP 1.3 Connector on port 8009 -->
 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
 
 
 Just a thought, but since it works for a while and then stops
 responding, could it be that the OP is running out of
 processing threads, i.e. a thread or connection pool leak?
 
 
 On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah
 sanaulla...@gmail.com wrote:
 
 It's not necessary to have the ciphers property, but if you
 want to restrict the ciphers then you can use this property.
 
 On Wed, Jan 21, 2015 at 6:53 AM, Jason Y day...@gmail.com
 wrote:
 
 Thank you all. Now it is working fine.
 
 <Connector port="8443"
 protocol="org.apache.coyote.http11.Http11Protocol"
 maxThreads="150" SSLEnabled="true" scheme="https"
 secure="true" clientAuth="false" sslProtocol="TLS"
 sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
 keystoreFile="lib/cert/.keystore"
 keystorePass=""
 ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
 />
 
 By the way, do I need ciphers properties here?
 
 On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz  
 ch...@christopherschultz.net wrote:
 
 Jason,
 
 On 1/20/15 4:17 AM, Jason Y wrote:
 Recently my application cannot be accessed in the
 browser with the https version. I think it is due to the
 SSL 3.0 vulnerability issue.
 
 I checked my tomcat configuration and replaced
 sslProtocol="TLS" with
 sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to
 disable SSL 3.0.
 
 <Connector port="8080" protocol="HTTP/1.1"
 connectionTimeout="2" redirectPort="8443" />
 <Connector port="8443"
 protocol="org.apache.coyote.http11.Http11Protocol"
 maxThreads="150" SSLEnabled="true" scheme="https"
 secure="true" clientAuth="false"
 sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
 keystoreFile="xxx" keystorePass="xxx" />
 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
 
 None of the responses you have gotten thus far are useful in any
 way.
 
 Your configuration looks fine to me: sslEnabledProtocols is the
 way to
 go, although in recent versions of Tomcat the default is NOT to 
 include any SSL protocols and only use the TLS ones, so if you
 are
 running something recent, you should be okay.
 
 Then I can open my application https link in the
 browser. BUT, good time never lasts too long: after
 several hours, I failed to access
 my https link again.
 
 What kinds of errors do you get? What do the logs say? What are
 the URLs you are using?
 
 Does anyone have any ideas about this? Please share your
 suggestions... My
 Tomcat version is 7.0.55
 
 Those SSL/TLS defaults I mentioned above were done in 7.0.57, so
 you
 should definitely keep your above configuration. There is no need
 to
 add a trust store or cipher specification to that.
 
 -chris

Re: SSL issue in tomcat

2015-01-21 Thread Jason Y
You mean here maxThreads="150"?

But there is no respective log message for this. And, I didn't find many
requests to the service. Currently there are no changed settings (firewall/network,
etc.).

On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner 
jeffrey.jan...@polydyne.com wrote:

  -Original Message-
  From: Jason Y [mailto:day...@gmail.com]
  Sent: Wednesday, January 21, 2015 12:44 AM
  To: Tomcat Users List
  Subject: Re: SSL issue in tomcat
 
  Got another issue...Tomcat is working fine after restart but it cannot
  last
  long.
  Now I cannot access https pages with any browsers. I didn't find
  anything
  useful in logs.
  After a restart, it works well again.
 
  <Connector executor="tomcatThreadPool"
  port="8080" protocol="HTTP/1.1"
  connectionTimeout="2"
  redirectPort="8443" />
  <Connector port="8443"
  protocol="org.apache.coyote.http11.Http11Protocol"
  maxThreads="150" SSLEnabled="true" scheme="https"
  secure="true"
  clientAuth="false" sslProtocol="TLS"
  sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
  keystoreFile="lib/cert/.keystore"
  keystorePass="" />
  <!-- Define an AJP 1.3 Connector on port 8009 -->
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
 

 Just a thought, but since it works for a while and then stops responding,
 could it be that the OP is running out of processing threads, i.e. a thread
 or connection pool leak?


  On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah sanaulla...@gmail.com
  wrote:
 
   It's not necessary to have the ciphers property, but if you want to
   restrict the ciphers then you can use this property.
  
   On Wed, Jan 21, 2015 at 6:53 AM, Jason Y day...@gmail.com wrote:
  
Thank you all. Now it is working fine.
   
   <Connector port="8443"
   protocol="org.apache.coyote.http11.Http11Protocol"
   maxThreads="150" SSLEnabled="true" scheme="https"
   secure="true"
   clientAuth="false" sslProtocol="TLS"
   sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
   keystoreFile="lib/cert/.keystore" keystorePass=""
   ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
   TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
   />
   
By the way, do I need ciphers properties here?
   

RE: SSL issue in tomcat

2015-01-21 Thread Jeffrey Janner
 -Original Message-
 From: Jason Y [mailto:day...@gmail.com]
 Sent: Wednesday, January 21, 2015 12:44 AM
 To: Tomcat Users List
 Subject: Re: SSL issue in tomcat
 
 Got another issue...Tomcat is working fine after restart but it cannot
 last
 long.
 Now I cannot access https pages with any browsers. I didn't find
 anything
 useful in logs.
 After a restart, it works well again.
 
 <Connector executor="tomcatThreadPool"
 port="8080" protocol="HTTP/1.1"
 connectionTimeout="2"
 redirectPort="8443" />
 <Connector port="8443"
 protocol="org.apache.coyote.http11.Http11Protocol"
 maxThreads="150" SSLEnabled="true" scheme="https"
 secure="true"
 clientAuth="false" sslProtocol="TLS"
 sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
 keystoreFile="lib/cert/.keystore"
 keystorePass="" />
 <!-- Define an AJP 1.3 Connector on port 8009 -->
 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
 

Just a thought, but since it works for a while and then stops responding, could 
it be that the OP is running out of processing threads, i.e. a thread or 
connection pool leak?


 On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah sanaulla...@gmail.com
 wrote:
 
  It's not necessary to have the ciphers property, but if you want to
  restrict the ciphers then you can use this property.
 
  On Wed, Jan 21, 2015 at 6:53 AM, Jason Y day...@gmail.com wrote:
 
   Thank you all. Now it is working fine.
  
   <Connector port="8443"
   protocol="org.apache.coyote.http11.Http11Protocol"
   maxThreads="150" SSLEnabled="true" scheme="https"
   secure="true"
   clientAuth="false" sslProtocol="TLS"
   sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
   keystoreFile="lib/cert/.keystore" keystorePass=""
   ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
   TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
   />
  
   By the way, do I need ciphers properties here?
  
   
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
   
   
  
 


Re: SSL issue in tomcat

2015-01-21 Thread Jason Y
What I changed in server.xml is adding
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1".
BUT I noticed that I am using JSSE instead of APR, so I removed the
listener <Listener
className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

is this causing my error?

On Wed, Jan 21, 2015 at 11:39 PM, Jason Y day...@gmail.com wrote:

 You mean here maxThreads="150"?

 But there is no respective log message for this. And, I didn't find many
 requests to the service. Currently there are no changed settings (firewall/network,
 etc.).

 On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner 
 jeffrey.jan...@polydyne.com wrote:

  -Original Message-
  From: Jason Y [mailto:day...@gmail.com]
  Sent: Wednesday, January 21, 2015 12:44 AM
  To: Tomcat Users List
  Subject: Re: SSL issue in tomcat
 
  Got another issue...Tomcat is working fine after restart but it cannot
  last
  long.
  Now I cannot access https pages with any browsers. I didn't find
  anything
  useful in logs.
  After a restart, it works well again.
 
  <Connector executor="tomcatThreadPool"
  port="8080" protocol="HTTP/1.1"
  connectionTimeout="2"
  redirectPort="8443" />
  <Connector port="8443"
  protocol="org.apache.coyote.http11.Http11Protocol"
  maxThreads="150" SSLEnabled="true" scheme="https"
  secure="true"
  clientAuth="false" sslProtocol="TLS"
  sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
  keystoreFile="lib/cert/.keystore"
  keystorePass="" />
  <!-- Define an AJP 1.3 Connector on port 8009 -->
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
 

 Just a thought, but since it works for a while and then stops responding,
 could it be that the OP is running out of processing threads, i.e. a thread
 or connection pool leak?


  On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah sanaulla...@gmail.com
  wrote:
 
   It's not necessary to have the ciphers property, but if you want to
   restrict the ciphers then you can use this property.
  
   On Wed, Jan 21, 2015 at 6:53 AM, Jason Y day...@gmail.com wrote:
  
Thank you all. Now it is working fine.
   
   <Connector port="8443"
   protocol="org.apache.coyote.http11.Http11Protocol"
   maxThreads="150" SSLEnabled="true" scheme="https"
   secure="true"
   clientAuth="false" sslProtocol="TLS"
   sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
   keystoreFile="lib/cert/.keystore" keystorePass=""
   ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
   TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
   />
   
By the way, do I need ciphers properties here?
   

Re: SSL issue in tomcat

2015-01-21 Thread Sanaullah
Then maybe it's not an issue with Tomcat. You can check your firewall. Maybe
your firewall is dropping the connection after some time.

Try to connect to the server from localhost using "openssl s_client -connect
hostname:8443 -debug"; maybe you will find something useful.

On Wed, Jan 21, 2015 at 11:43 AM, Jason Y day...@gmail.com wrote:

 Got another issue...Tomcat is working fine after restart but it cannot last
 long.
 Now I cannot access https pages with any browsers. I didn't find anything
 useful in logs.
 After a restart, it works well again.

 <Connector executor="tomcatThreadPool"
 port="8080" protocol="HTTP/1.1"
 connectionTimeout="2"
 redirectPort="8443" />
 <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
 maxThreads="150" SSLEnabled="true" scheme="https"
 secure="true"
 clientAuth="false" sslProtocol="TLS"
 sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
 keystoreFile="lib/cert/.keystore"
 keystorePass="" />
 <!-- Define an AJP 1.3 Connector on port 8009 -->
 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

 On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah sanaulla...@gmail.com wrote:

  It's not necessary to have the ciphers property, but if you want to restrict
  the ciphers then you can use this property.
 
  On Wed, Jan 21, 2015 at 6:53 AM, Jason Y day...@gmail.com wrote:
 
   Thank you all. Now it is working fine.
  
   <Connector port="8443"
   protocol="org.apache.coyote.http11.Http11Protocol"
   maxThreads="150" SSLEnabled="true" scheme="https"
   secure="true"
   clientAuth="false" sslProtocol="TLS"
   sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
   keystoreFile="lib/cert/.keystore" keystorePass=""
   ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
   TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />
  
   By the way, do I need ciphers properties here?
  
   
   
  
 



Re: SSL issue in tomcat

2015-01-21 Thread Jason Y
Here is what I get with the openssl s_client command:

Loading 'screen' into random state - done
CONNECTED(01E8)
write to 0x2103650 [0x2103698] (124 bytes = 124 (0x7C))
 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .zQ... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../...
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ..@.
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 2b 20 ff a2   + ..
0060 - dc 75 81 67 91 ff 8a 7e-8e 37 ed ac f6 97 0e 83   .u.g...~.7..
0070 - 66 46 8c 87 b8 1c b3 0a-7e 46 72 30   fF..~Fr0
read from 0x2103650 [0x2108bf8] (7 bytes = 7 (0x7))
 - 15 03 01 00 02 02 28  ..(
13756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:.\ssl\s23_clnt.c:596:



On Wed, Jan 21, 2015 at 4:49 PM, Sanaullah sanaulla...@gmail.com wrote:

 Then maybe it's not an issue with Tomcat. You can check your firewall. Maybe
 your firewall is dropping the connection after some time.

 Try to connect to the server from localhost using "openssl s_client -connect
 hostname:8443 -debug"; maybe you will find something useful.

 On Wed, Jan 21, 2015 at 11:43 AM, Jason Y day...@gmail.com wrote:

  Got another issue...Tomcat is working fine after restart but it cannot
 last
  long.
  Now I cannot access https pages with any browsers. I didn't find anything
  useful in logs.
  After a restart, it works well again.
 
  <Connector executor="tomcatThreadPool"
  port="8080" protocol="HTTP/1.1"
  connectionTimeout="2"
  redirectPort="8443" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
  maxThreads="150" SSLEnabled="true" scheme="https"
  secure="true"
  clientAuth="false" sslProtocol="TLS"
  sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
  keystoreFile="lib/cert/.keystore"
  keystorePass="" />
  <!-- Define an AJP 1.3 Connector on port 8009 -->
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
 
  On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah sanaulla...@gmail.com
 wrote:
 
   It's not necessary to have the ciphers property, but if you want to
   restrict the ciphers then you can use this property.
  
   On Wed, Jan 21, 2015 at 6:53 AM, Jason Y day...@gmail.com wrote:
  
Thank you all. Now it is working fine.
   
   <Connector port="8443"
   protocol="org.apache.coyote.http11.Http11Protocol"
   maxThreads="150" SSLEnabled="true" scheme="https"
   secure="true"
   clientAuth="false" sslProtocol="TLS"
   sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
   keystoreFile="lib/cert/.keystore" keystorePass=""
   ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
   TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
   />
   
By the way, do I need ciphers properties here?
   

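The openssl -debug dump Jason posted above can be read byte by byte, and doing so shows exactly what Christopher Schultz later diagnoses (use -tls1, or add SSLv2hello to sslEnabledProtocols): the client's first record is an SSLv2-compatible CLIENT-HELLO, and a connector whose sslEnabledProtocols lists only TLS versions answers it with a fatal handshake_failure alert even though TLS_RSA_WITH_AES_128_CBC_SHA, one of the suites the connector enables, is in the offered list. The decoder below is an added example written for this page, not code from the thread, from Tomcat or from OpenSSL. The client and server bytes are taken from the posted dump; TLS_HELLO_PREFIX_HEX is a constructed sample of the TLS-format record that "openssl s_client -tls1" sends instead, and SUITE_NAMES is a partial lookup table (unlisted suites are reported by hex id).

```python
"""Decode the openssl s_client -debug dump posted in this thread (added example)."""
from dataclasses import dataclass, field
from typing import List


def hexbytes(s: str) -> bytes:
    """Turn a whitespace-separated hex dump into bytes."""
    return bytes.fromhex("".join(s.split()))


# The 124 bytes the client wrote, as posted (offset and ASCII gutters removed).
CLIENT_WRITE_HEX = """
80 7a 01 03 01 00 51 00 00 00 20 00 00 39 00 00
38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0
00 00 33 00 00 32 00 00 2f 00 00 07 05 00 80 03
00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00
12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08
00 00 06 04 00 80 00 00 03 02 00 80 2b 20 ff a2
dc 75 81 67 91 ff 8a 7e 8e 37 ed ac f6 97 0e 83
66 46 8c 87 b8 1c b3 0a 7e 46 72 30
"""
# The 7 bytes the server answered with, as posted.
SERVER_READ_HEX = "15 03 01 00 02 02 28"
# Constructed sample, not from the thread: the leading bytes of a TLS-format
# ClientHello record, which is what "openssl s_client -tls1" sends instead.
TLS_HELLO_PREFIX_HEX = "16 03 01 00 2f 01 00 00 2b 03 01"

VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERTS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}
# Partial IANA name table; suites not listed are reported by their hex id.
SUITE_NAMES = {
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}


@dataclass
class V2ClientHello:
    record_len: int
    version: str
    suites: List[str] = field(default_factory=list)
    challenge_len: int = 0


@dataclass
class TlsAlert:
    version: str
    level: str
    description: str


def record_kind(data: bytes) -> str:
    """Classify a connection's first record by its leading byte."""
    if data[0] & 0x80:  # SSLv2 2-byte header: high bit set, 15-bit length
        return "SSLv2-compatible record"
    return {0x15: "TLS alert record", 0x16: "TLS handshake record"}.get(data[0], "unknown")


def parse_v2_client_hello(data: bytes) -> V2ClientHello:
    """Parse an SSLv2-format CLIENT-HELLO (what openssl s_client sends by default)."""
    if not data[0] & 0x80:
        raise ValueError("not an SSLv2-style record")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:  # 0x01 = CLIENT-HELLO
        raise ValueError("truncated record or not a CLIENT-HELLO")
    version = VERSIONS.get((body[1], body[2]), f"{body[1]}.{body[2]}")
    cs_len = int.from_bytes(body[3:5], "big")  # cipher specs, 3 bytes each
    sid_len = int.from_bytes(body[5:7], "big")
    ch_len = int.from_bytes(body[7:9], "big")
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != rec_len:
        raise ValueError("inconsistent CLIENT-HELLO lengths")
    suites = []
    for i in range(9, 9 + cs_len, 3):
        kind, hi, lo = body[i:i + 3]
        if kind == 0:  # 00 hh ll carries an SSL3/TLS suite id inside the v2 hello
            suites.append(SUITE_NAMES.get((hi << 8) | lo, f"TLS_0x{hi:02x}{lo:02x}"))
        else:  # any other first byte is an SSLv2-only cipher kind
            suites.append(f"SSL2_0x{kind:02x}{hi:02x}{lo:02x}")
    return V2ClientHello(rec_len, version, suites, ch_len)


def parse_tls_alert(data: bytes) -> TlsAlert:
    """Parse a TLS alert record: type 0x15, version, 2-byte length, level, description."""
    if len(data) < 7 or data[0] != 0x15 or int.from_bytes(data[3:5], "big") != 2:
        raise ValueError("not a well-formed TLS alert record")
    version = VERSIONS.get((data[1], data[2]), f"{data[1]}.{data[2]}")
    level = {1: "warning", 2: "fatal"}.get(data[5], str(data[5]))
    return TlsAlert(version, level, ALERTS.get(data[6], str(data[6])))


def diagnose(client: bytes, server: bytes) -> str:
    """Summarise the exchange: what the client offered and how the server answered."""
    hello = parse_v2_client_hello(client)
    alert = parse_tls_alert(server)
    v2_only = sum(s.startswith("SSL2_") for s in hello.suites)
    return (f"client sent a CLIENT-HELLO in {record_kind(client)} format for {hello.version}, "
            f"listing {len(hello.suites)} cipher specs ({v2_only} SSLv2-only); "
            f"server answered with a {alert.level} {alert.description} alert")


if __name__ == "__main__":
    print(diagnose(hexbytes(CLIENT_WRITE_HEX), hexbytes(SERVER_READ_HEX)))
    print(record_kind(hexbytes(TLS_HELLO_PREFIX_HEX)))
```

The length check in parse_v2_client_hello is what makes the dump trustworthy: 9 header bytes plus 81 bytes of cipher specs (27 triples) plus a 32-byte challenge account for the 122-byte record exactly, so the parse is not an artefact of misaligned triples. The server's 7 bytes are a TLS 1.0 alert record, level 2 (fatal), description 40 (handshake_failure), which is what JSSE returns when it will not accept the v2-format framing.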
Re: SSL issue in tomcat

2015-01-21 Thread Christopher Schultz

Jason,

On 1/20/15 8:53 PM, Jason Y wrote:
 Thank you all. Now it is working fine.
 
 <Connector port="8443"
 protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
 SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
 sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
 keystoreFile="lib/cert/.keystore" keystorePass=""
 ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
 />
 
 By the way, do I need ciphers properties here?

Usually, no. Your JRE has a set of supported ciphers and a subset of
those are enabled by default. Tomcat will remove a subset of ciphers
known to always be a bad idea (e.g. NULL).

Tomcat 8 and trunk since about 6 months ago have had support for
OpenSSL-style cipher definitions, where you don't have to specify
the exact set of ciphers you want. Instead, you can describe those
ciphers which you do and do not want, and let those filters run
against the ciphers supported by the JVM.

-chris

 
 
 
 



Re: SSL issue in tomcat

2015-01-21 Thread Christopher Schultz

Jason,

On 1/21/15 4:29 AM, Jason Y wrote:
 Here is what I get with the openssl s_client command:
 
 Loading 'screen' into random state - done
 CONNECTED(01E8)
 write to 0x2103650 [0x2103698] (124 bytes = 124 (0x7C))
  - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .zQ... ..9..
 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5
 0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../...
 0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00
 0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ..@.
 0050 - 00 00 06 04 00 80 00 00-03 02 00 80 2b 20 ff a2   + ..
 0060 - dc 75 81 67 91 ff 8a 7e-8e 37 ed ac f6 97 0e 83   .u.g...~.7..
 0070 - 66 46 8c 87 b8 1c b3 0a-7e 46 72 30   fF..~Fr0
 read from 0x2103650 [0x2108bf8] (7 bytes = 7 (0x7))
  - 15 03 01 00 02 02 28  ..(
 13756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
 handshake failure:.\ssl\s23_clnt.c:596:

Use this:

$ openssl s_client -tls1 -connect host:port

If you want to be able to handle SSL2/3 handshakes, then you will want
to enable SSLv2hello using the sslEnabledProtocols attribute, like this:

<Connector [...]
   sslProtocol="TLS"
   sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2hello"
   />

-chris

 On Wed, Jan 21, 2015 at 4:49 PM, Sanaullah sanaulla...@gmail.com
 wrote:
 
 Then maybe it's not an issue with Tomcat. You can check your
 firewall. Maybe your firewall is dropping the connection after some
 time.
 
 Try to connect to the server from localhost using "openssl s_client
 -connect hostname:8443 -debug"; maybe you will find something
 useful.
 
 On Wed, Jan 21, 2015 at 11:43 AM, Jason Y day...@gmail.com
 wrote:
 
 Got another issue...Tomcat is working fine after restart but it
 cannot
 last
 long. Now I cannot access https pages with any browsers. I
 didn't find anything useful in logs. After a restart, it works
 well again.
 
 <Connector executor="tomcatThreadPool" port="8080"
 protocol="HTTP/1.1" connectionTimeout="2"
 redirectPort="8443" />
 <Connector port="8443"
 protocol="org.apache.coyote.http11.Http11Protocol"
 maxThreads="150" SSLEnabled="true" scheme="https"
 secure="true" clientAuth="false" sslProtocol="TLS"
 sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
 keystoreFile="lib/cert/.keystore" keystorePass="" />
 <!-- Define an AJP 1.3 Connector on port 8009 -->
 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
 
 On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah
 sanaulla...@gmail.com
 wrote:
 
 It's not necessary to have the ciphers property, but if you want
 to restrict the ciphers then you can use this property.
 
 On Wed, Jan 21, 2015 at 6:53 AM, Jason Y day...@gmail.com
 wrote:
 
 Thank you all. Now it is working fine.
 
 <Connector port="8443"
 protocol="org.apache.coyote.http11.Http11Protocol"
 maxThreads="150" SSLEnabled="true" scheme="https"
 secure="true" clientAuth="false" sslProtocol="TLS"
 sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
 keystoreFile="lib/cert/.keystore" keystorePass=""
 ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
 />
 
 By the way, do I need ciphers properties here?
 
 On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz  
 ch...@christopherschultz.net wrote:
 
 Jason,
 
 On 1/20/15 4:17 AM, Jason Y wrote:
 Recently my application cannot be accessible in
 browser with
 https
 version. I think it is due to vulnerability in ssl
 3.0 issue.
 
 I checked my tomcat configuration and replaced
 sslProtocol=TLS with
 sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2 to
 disable SSL 3.0.
 
 Connector port=8080 protocol=HTTP/1.1 
 connectionTimeout=2 redirectPort=8443 /
 Connector port=8443
 protocol=org.apache.coyote.http11.Http11Protocol 
 maxThreads=150 SSLEnabled=true scheme=https
 secure=true clientAuth=false
 sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2 
 keystoreFile=xxx keystorePass=xxx / Connector
 port=8009 protocol=AJP/1.3 redirectPort=8443
 /
 
 None of the responses you have gotten thus far are useful in any
 way.
 
 Your configuration looks fine to me: sslEnabledProtocols is the
 way
 to
 go, although in recent versions of Tomcat the default is NOT to 
 include any SSL protocols and only use the TLS ones, so if you
 are
 running something recent, you should be okay.
 
 Then I can open my application https link in browser.
 BUT, good time never lasts too long, after several
 hours, I failed to
 access
 my https link again.
 
 What kinds of errors do you get? What do the logs say? What are
 the URLs you are using?
 
 Anyone has any ideas about this? please share your
 suggestions...My
 tomcat version is 7.0.55
 
 Those SSL/TLS defaults I mentioned above were done in 7.0.57, so
 you
 should definitely keep your above configuration. There is no need
 to
 add a trust store or cipher specification to that.
 
 -chris
 
 
 -

 
To 

Re: SSL issue in tomcat

2015-01-20 Thread Utkarsh Dave
I don't think you will achieve what you want via disabling the SSL protocol
using sslEnabledProtocols.
The vulnerability ("I think it is due to vulnerability in ssl 3.0 issue")
will not stop access to the application.
You may want to revert your changes, and check the firewall settings
or anything that can block the ports 8443, 8080 etc.
Is there any exception in catalina.out?

-Utkarsh



Re: SSL issue in tomcat

2015-01-20 Thread Jason Y
Hi folks,

Recently my application cannot be accessed in the browser via its https version.
I think it is due to the vulnerability in SSL 3.0.

I checked my Tomcat configuration and replaced sslProtocol="TLS" with
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="2"
           redirectPort="8443" />
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https"
           secure="true"
           clientAuth="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx"
           keystorePass="xxx" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


Then I can open my application's https link in the browser. BUT, good times never
last too long: after several hours, I failed to access my https link
again.

Does anyone have any ideas about this? Please share your suggestions. My Tomcat
version is 7.0.55.

Thank you all very much.



Re: SSL issue in tomcat

2015-01-20 Thread Rajesh Biswas
Hello,

Please keep SSLEnabled="true" along with your existing configuration:

<Connector ...
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200" SSLEnabled="true" scheme="https"
           secure="true"
           clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />

Rajesh



Re: SSL issue in tomcat

2015-01-20 Thread Sanaullah
Please follow the Apache document [1] for the connector configuration.

Here is a sample connector configuration:

<Connector port="7443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https"
           secure="true"
           clientAuth="true" sslProtocol="TLSv1.2"
           keystoreFile="/opt/certs/pay.jks"
           keystorePass="***" keyAlias=""
           truststoreFile="/opt/certs/trust.jks"
           truststorePass="**"
           ciphers="*" />

[1] http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html



Re: SSL issue in tomcat

2015-01-20 Thread Jason Y
Thanks, Raj, Sanaullah and Dave.

I am not sure if it is the POODLE issue
(http://wiki.apache.org/tomcat/Security/POODLE); this solution is the same
as Raj's suggestion.

I will try, thanks.



Re: SSL issue in tomcat

2015-01-20 Thread Christopher Schultz
Rajesh,

On 1/20/15 4:27 AM, Rajesh Biswas wrote:
 Please keep SSLEnabled="true" along with your existing
 configuration
 
 <Connector ... enableLookups="true" disableUploadTimeout="true"
 acceptCount="100" maxThreads="200" SSLEnabled="true"
 scheme="https" secure="true" clientAuth="false"
 sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />

There is no sslProtocols configuration directive.

- -chris


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
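As an added example (not code from this thread or from Tomcat itself), here is a small linter that reads a server.xml and reports the connector mistakes discussed above: the nonexistent sslProtocols attribute, TLS attributes on a connector that lacks SSLEnabled="true", and SSLv2/SSLv3 in sslEnabledProtocols. The sample server.xml, and the connectors on ports 8444, 8445 and 8446 in it, are constructed for the example.

```python
"""Lint the SSL/TLS attributes of Tomcat <Connector> elements in a server.xml.

Added example, not code from the thread or from Tomcat. It checks for the
mistakes raised in this thread: the nonexistent "sslProtocols" attribute,
TLS material on a connector without SSLEnabled="true", and SSLv2/SSLv3
listed in sslEnabledProtocols.
"""
import xml.etree.ElementTree as ET

# Protocol-selection attributes the JSSE connector understands; the plural
# "sslProtocols" posted in one reply above is not one of them.
PROTOCOL_ATTRS = {"sslProtocol", "sslEnabledProtocols"}
# Attributes that only make sense on a TLS connector.
TLS_ONLY_ATTRS = PROTOCOL_ATTRS | {"keystoreFile", "keystorePass", "ciphers"}
# Protocol versions that should never be enabled. The hello-format
# pseudo-protocol SSLv2Hello (written SSLv2hello above) is deliberately not flagged.
DISALLOWED_PROTOCOLS = {"SSLv2", "SSLv3"}


def lint_connector(conn):
    """Return a list of findings (strings) for one <Connector> element."""
    attrs = conn.attrib
    findings = []
    ssl_enabled = attrs.get("SSLEnabled", "false").strip().lower() == "true"

    # Rajesh's config: the attribute name does not exist, so it is silently ignored.
    if "sslProtocols" in attrs:
        findings.append("unknown attribute sslProtocols; use sslEnabledProtocols")

    # Keystore/protocol settings do nothing unless SSLEnabled="true".
    if not ssl_enabled and any(a in attrs for a in TLS_ONLY_ATTRS):
        findings.append('TLS attributes present but SSLEnabled is not "true"')

    if ssl_enabled:
        if attrs.get("scheme") != "https" or attrs.get("secure", "").lower() != "true":
            findings.append('SSLEnabled connector should set scheme="https" secure="true"')
        enabled = [p.strip() for p in attrs.get("sslEnabledProtocols", "").split(",")
                   if p.strip()]
        bad = sorted(set(enabled) & DISALLOWED_PROTOCOLS)
        if bad:
            findings.append("sslEnabledProtocols lists " + ", ".join(bad))
        if not enabled:
            findings.append("sslEnabledProtocols not set; Tomcat before 7.0.57 falls "
                            "back to the JSSE defaults, which can include SSLv3")
    return findings


def lint_server_xml(xml_text):
    """Map each connector's port to its findings; clean connectors map to []."""
    root = ET.fromstring(xml_text)
    return {conn.get("port", "<no port>"): lint_connector(conn)
            for conn in root.iter("Connector")}


# Constructed sample assembled from the connectors posted in this thread
# (keystore paths/passwords are placeholders; ports 8444-8446 are made up).
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
               keystoreFile="lib/cert/.keystore" keystorePass="changeit" />
    <Connector port="8444" enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" maxThreads="200" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />
    <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="SSLv3,TLSv1" keystoreFile="conf/legacy.jks" />
    <Connector port="8446" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.2" keystoreFile="conf/k.jks" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for port, findings in lint_server_xml(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else "; ".join(findings))
```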



Re: SSL issue in tomcat

2015-01-20 Thread Christopher Schultz
Jason,

On 1/20/15 4:17 AM, Jason Y wrote:
 Recently my application cannot be accessed in the browser via its https
 version. I think it is due to the vulnerability in SSL 3.0.
 
 I checked my Tomcat configuration and replaced sslProtocol="TLS"
 with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
 3.0.
 
 <Connector port="8080" protocol="HTTP/1.1"
            connectionTimeout="2" redirectPort="8443" />
 <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
            keystoreFile="xxx" keystorePass="xxx" />
 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

None of the responses you have gotten thus far are useful in any way.

Your configuration looks fine to me: sslEnabledProtocols is the way to
go, although in recent versions of Tomcat the default is NOT to
include any SSL protocols and only use the TLS ones, so if you are
running something recent, you should be okay.

 Then I can open my application https link in browser. BUT, good
 time never lasts too long, after several hours, I failed to access
 my https link again.

What kinds of errors do you get? What do the logs say? What are the
URLs you are using?

 Does anyone have any ideas about this? Please share your suggestions. My
 Tomcat version is 7.0.55.

Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you
should definitely keep your above configuration. There is no need to
add a trust store or cipher specification to that.

- -chris



Re: SSL issue in tomcat

2015-01-20 Thread Sanaullah
It's not necessary to have the ciphers property, but if you want to restrict
the ciphers then you can use this property.




Re: SSL issue in tomcat

2015-01-20 Thread Jason Y
Thank you all. Now it is working fine.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https"
           secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           keystoreFile="lib/cert/.keystore" keystorePass=""
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />

By the way, do I need the ciphers property here?




Re: SSL issue in tomcat

2015-01-20 Thread Jason Y
Got another issue...Tomcat is working fine after restart but it cannot last
long.
Now I cannot access https pages with any browsers. I didn't find anything
useful in logs.
After a restart, it works well again.

<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="2"
           redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https"
           secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           keystoreFile="lib/cert/.keystore"
           keystorePass="" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
