Jason,

On 1/20/15 4:17 AM, Jason Y wrote:
> Recently my application cannot be accessible in browser with https
> version. I think it is due to vulnerability in ssl 3.0 issue.
>
> I checked my tomcat configuration and replaced sslProtocol="TLS"
> with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
> 3.0.
>
> <Connector port="8080" protocol="HTTP/1.1"
>            connectionTimeout="20000" redirectPort="8443" />
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>            clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>            keystoreFile="xxx" keystorePass="xxx" />
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

None of the responses you have gotten thus far are useful in any way.

Your configuration looks fine to me: sslEnabledProtocols is the way to go, although in recent versions of Tomcat the default is NOT to include any "SSL" protocols and only use the "TLS" ones, so if you are running something recent, you should be okay.

> Then I can open my application https link in browser. BUT, good
> time never lasts too long, after several hours, I failed to access
> my https link again.

What kinds of errors do you get? What do the logs say? What are the URLs you are using?

> Anyone has any ideas about this? please share your suggestions...My
> tomcat version is 7.0.55

Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you should definitely keep your above configuration. There is no need to add a trust store or cipher specification to that.

-chris
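
An added example, not part of the message above or of Tomcat: a small Python check that reads a server.xml and reports, for each SSL-enabled Connector, whether sslEnabledProtocols is set and whether it still lists any "SSL" protocol. The sample XML is constructed from the connectors quoted in the thread, the port 9443 connector is hypothetical, and the OK/REVIEW/FAIL labels are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the connectors quoted in the message, plus one
# hypothetical connector (port 9443) that only sets sslProtocol="TLS".
SAMPLE_SERVER_XML = """
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000" redirectPort="8443" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
             keystoreFile="xxx" keystorePass="xxx" />
  <Connector port="9443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" keystoreFile="xxx" keystorePass="xxx" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service>
"""

def audit_connectors(server_xml):
    """Return {port: (status, detail)} for every SSL-enabled Connector."""
    results = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP and AJP connectors do not terminate TLS
        port = conn.get("port", "?")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # No explicit list: the protocol set comes from version defaults
            results[port] = ("REVIEW", "sslEnabledProtocols not set; depends on version defaults")
            continue
        protocols = [p.strip() for p in enabled.split(",") if p.strip()]
        legacy = [p for p in protocols if p.upper().startswith("SSL")]
        if legacy:
            results[port] = ("FAIL", "legacy protocols enabled: " + ",".join(legacy))
        else:
            results[port] = ("OK", ",".join(protocols))
    return results

if __name__ == "__main__":
    for port, (status, detail) in sorted(audit_connectors(SAMPLE_SERVER_XML).items()):
        print(f"{port}: {status} - {detail}")
```

A REVIEW result on a version before 7.0.57 means the connector is not covered by the defaults change described in the reply, so the explicit sslEnabledProtocols list should be added.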