Thank you all. Now it is working fine.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />

By the way, do I need the "ciphers" property here?

On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Jason,
>
> On 1/20/15 4:17 AM, Jason Y wrote:
> > Recently my application cannot be accessed in the browser with the https
> > version. I think it is due to the vulnerability issue in SSL 3.0.
> >
> > I checked my tomcat configuration and replaced sslProtocol="TLS"
> > with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
> > 3.0.
> >
> > <Connector port="8080" protocol="HTTP/1.1"
> >            connectionTimeout="20000" redirectPort="8443" />
> > <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> >            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> >            clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> >            keystoreFile="xxx" keystorePass="xxx" />
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
> None of the responses you have gotten thus far are useful in any way.
>
> Your configuration looks fine to me: sslEnabledProtocols is the way to
> go, although in recent versions of Tomcat the default is NOT to
> include any "SSL" protocols and only use the "TLS" ones, so if you are
> running something recent, you should be okay.
>
> > Then I could open my application's https link in the browser. BUT good
> > times never last long: after several hours, I failed to access
> > my https link again.
>
> What kinds of errors do you get? What do the logs say? What are the
> URLs you are using?
>
> > Does anyone have any ideas about this? Please share your suggestions... My
> > Tomcat version is 7.0.55
>
> Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you
> should definitely keep your above configuration. There is no need to
> add a trust store or cipher specification to that.
>
> -chris
>
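
An added example, not part of the original messages: a Python check for the point made in the quoted reply, that on a Tomcat older than 7.0.57 an HTTPS connector should set sslEnabledProtocols and list no "SSL" protocols. The 8444 and 8445 connectors in the sample and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: port 8443 is the connector from this thread; ports 8444
# and 8445 are hypothetical connectors added to show the two findings.
SAMPLE_SERVER_XML = """<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
             keystoreFile="xxx" keystorePass="xxx" />
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" keystoreFile="xxx" keystorePass="xxx" />
  <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="SSLv3,TLSv1"
             keystoreFile="xxx" keystorePass="xxx" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service>"""

# Per the thread: the TLS-only protocol defaults were introduced in 7.0.57.
TLS_ONLY_DEFAULTS_SINCE = (7, 0, 57)


def parse_version(text):
    """Turn '7.0.55' into (7, 0, 55) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit_connectors(server_xml, tomcat_version):
    """Return {port: [findings]} for every SSL-enabled Connector."""
    old_defaults = parse_version(tomcat_version) < TLS_ONLY_DEFAULTS_SINCE
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector, nothing to check
        findings = []
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            if old_defaults:
                findings.append("sslEnabledProtocols not set; "
                                "the TLS-only default dates from 7.0.57")
        else:
            names = [p.strip() for p in enabled.split(",") if p.strip()]
            legacy = [p for p in names if p.upper().startswith("SSL")]
            if legacy:
                findings.append("legacy protocols enabled: " + ",".join(legacy))
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML, "7.0.55").items():
        print(port, findings or "ok")
```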
