its not necessary to have ciphers properties but if you want to restrict the ciphers then you can use this property.
On Wed, Jan 21, 2015 at 6:53 AM, Jason Y <day...@gmail.com> wrote: > Thank you all. Now it is working fine. > > <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" > maxThreads="150" SSLEnabled="true" scheme="https" > secure="true" > clientAuth="false" sslProtocol="TLS" > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" > keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx" > ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" /> > > By the way, do I need "ciphers" properties here? > > On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz < > ch...@christopherschultz.net> wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA256 > > > > Jason, > > > > On 1/20/15 4:17 AM, Jason Y wrote: > > > Recently my application cannot be accessible in browser with https > > > version. I think it is due to vulnerability in ssl 3.0 issue. > > > > > > I checked my tomcat configuration and replaced sslProtocol="TLS" > > > with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL > > > 3.0. > > > > > > <Connector port="8080" protocol="HTTP/1.1" > > > connectionTimeout="20000" redirectPort="8443" /> <Connector > > > port="8443" protocol="org.apache.coyote.http11.Http11Protocol" > > > maxThreads="150" SSLEnabled="true" scheme="https" secure="true" > > > clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" > > > keystoreFile="xxx" keystorePass="xxx" /> <Connector port="8009" > > > protocol="AJP/1.3" redirectPort="8443" /> > > > > None of the responses you have gotten thus far are useful in any way. > > > > Your configuration looks fine to me: sslEnabledProtocols is the way to > > go, although in recent versions of Tomcat the default is NOT to > > include any "SSL" protocols and only use the "TLS" ones, so if you are > > running something recent, you should be okay. > > > > > Then I can open my application https link in browser. BUT, good > > > time never lasts too long, after several hours, I failed to access > > > my https link again. > > > > What kinds of errors do you get? What do the logs say? What are the > > URLs you are using? > > > > > Anyone has any ideas about this? please share your suggestions...My > > > tomcat version is 7.0.55 > > > > Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you > > should definitely keep your above configuration. There is no need to > > add a trust store or cipher specification to that. > > > > - -chris > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1 > > Comment: GPGTools - http://gpgtools.org > > > > iQIcBAEBCAAGBQJUvnKiAAoJEBzwKT+lPKRYQtsP/00rm7rdKVUID9YVQ4WJk3ty > > JVQa/g0Kg4prYC+w5AFvZaiDK6EC014GKoTz4ktUzY4Ubnyd3vxsRTV+6/JOig0J > > C9HcXKEZf63KS2uro71ymXNH0glDGJWtkCeTLR60elBUnyoOIat6ifQ9DqbH9BGT > > nxJLRq4GZg8aaqKqToJNREY/6nX09+qmPYgpvzrdNlhDgxdb97o9hEPPQA85DMmG > > mDMyP/TdnIcOdYa8n94/yFjaLQBqCAMl7li2VugbVMkSZMriz/NXnr52xTvZsFtH > > 8x4D5z5AzU+8+3P+vULmogW6418igLLWZHf03FAh2Wh5RKmvqKjaMzhC9qACYooJ > > T7F1QfCZVqsEd5edzP17sUPjG62A1awwfMHB3/qmMpWz+Fde4taz2t+Pz652fugw > > HrfhERRjkdpogfHmrAhBgZ/r89GpYlqEvMguW2PW6zL/ku51wx+aMfujrXO63+ZM > > 9psUeSvsR823foOYa6C3UV3MFbGWE7awUWuIBQi1bOxsP/ldKvEESGtdu9GpLHw7 > > A/5fyZ2a6+99HC56lvraGvPi+5ZI52Ej1mR0Ckk9RHRWqoCApTYsCzAPWd5Fntuq > > zuNoyI6onNFKNDZ+17Nm55rywgHR/5hh5CLbf1PwSJRw2mJXbEnoXXUo1XoCS+Oo > > G5/ksEFNFSc9+yQSSC1H > > =PVop > > -----END PGP SIGNATURE----- > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > >
