Got another issue...Tomcat is working fine after restart but it cannot last
long.
Now I cannot access https pages with any browsers. I didn't find anything
useful in logs.
After a restart, it works well again.
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https"
secure="true"
clientAuth="false" sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
keystoreFile="lib/cert/xxxx.keystore"
keystorePass="xxxx" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah <sanaulla...@gmail.com> wrote:
> its not necessary to have ciphers properties but if you want to restrict
> the ciphers then you can use this property.
>
> On Wed, Jan 21, 2015 at 6:53 AM, Jason Y <day...@gmail.com> wrote:
>
> > Thank you all. Now it is working fine.
> >
> > <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> > maxThreads="150" SSLEnabled="true" scheme="https"
> > secure="true"
> > clientAuth="false" sslProtocol="TLS"
> > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> > keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx"
> > ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />
> >
> > By the way, do I need "ciphers" properties here?
> >
> > On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA256
> > >
> > > Jason,
> > >
> > > On 1/20/15 4:17 AM, Jason Y wrote:
> > > > Recently my application cannot be accessible in browser with https
> > > > version. I think it is due to vulnerability in ssl 3.0 issue.
> > > >
> > > > I checked my tomcat configuration and replaced sslProtocol="TLS"
> > > > with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
> > > > 3.0.
> > > >
> > > > <Connector port="8080" protocol="HTTP/1.1"
> > > > connectionTimeout="20000" redirectPort="8443" /> <Connector
> > > > port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> > > > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > > > clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> > > > keystoreFile="xxx" keystorePass="xxx" /> <Connector port="8009"
> > > > protocol="AJP/1.3" redirectPort="8443" />
> > >
> > > None of the responses you have gotten thus far are useful in any way.
> > >
> > > Your configuration looks fine to me: sslEnabledProtocols is the way to
> > > go, although in recent versions of Tomcat the default is NOT to
> > > include any "SSL" protocols and only use the "TLS" ones, so if you are
> > > running something recent, you should be okay.
> > >
> > > > Then I can open my application https link in browser. BUT, good
> > > > time never lasts too long, after several hours, I failed to access
> > > > my https link again.
> > >
> > > What kinds of errors do you get? What do the logs say? What are the
> > > URLs you are using?
> > >
> > > > Anyone has any ideas about this? please share your suggestions...My
> > > > tomcat version is 7.0.55
> > >
> > > Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you
> > > should definitely keep your above configuration. There is no need to
> > > add a trust store or cipher specification to that.
> > >
> > > - -chris
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1
> > > Comment: GPGTools - http://gpgtools.org
> > >
> > > iQIcBAEBCAAGBQJUvnKiAAoJEBzwKT+lPKRYQtsP/00rm7rdKVUID9YVQ4WJk3ty
> > > JVQa/g0Kg4prYC+w5AFvZaiDK6EC014GKoTz4ktUzY4Ubnyd3vxsRTV+6/JOig0J
> > > C9HcXKEZf63KS2uro71ymXNH0glDGJWtkCeTLR60elBUnyoOIat6ifQ9DqbH9BGT
> > > nxJLRq4GZg8aaqKqToJNREY/6nX09+qmPYgpvzrdNlhDgxdb97o9hEPPQA85DMmG
> > > mDMyP/TdnIcOdYa8n94/yFjaLQBqCAMl7li2VugbVMkSZMriz/NXnr52xTvZsFtH
> > > 8x4D5z5AzU+8+3P+vULmogW6418igLLWZHf03FAh2Wh5RKmvqKjaMzhC9qACYooJ
> > > T7F1QfCZVqsEd5edzP17sUPjG62A1awwfMHB3/qmMpWz+Fde4taz2t+Pz652fugw
> > > HrfhERRjkdpogfHmrAhBgZ/r89GpYlqEvMguW2PW6zL/ku51wx+aMfujrXO63+ZM
> > > 9psUeSvsR823foOYa6C3UV3MFbGWE7awUWuIBQi1bOxsP/ldKvEESGtdu9GpLHw7
> > > A/5fyZ2a6+99HC56lvraGvPi+5ZI52Ej1mR0Ckk9RHRWqoCApTYsCzAPWd5Fntuq
> > > zuNoyI6onNFKNDZ+17Nm55rywgHR/5hh5CLbf1PwSJRw2mJXbEnoXXUo1XoCS+Oo
> > > G5/ksEFNFSc9+yQSSC1H
> > > =PVop
> > > -----END PGP SIGNATURE-----
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > >
> > >
> >
>
