Then maybe it's not an issue with Tomcat. Can you check your firewall? Maybe
your firewall is dropping the connection after some time.

Try to connect to the server from localhost using "openssl s_client -connect
hostname:8443 -debug"; maybe you will find something useful.

On Wed, Jan 21, 2015 at 11:43 AM, Jason Y <day...@gmail.com> wrote:

> Got another issue...Tomcat is working fine after restart but it cannot last
> long.
> Now I cannot access https pages with any browsers. I didn't find anything
> useful in logs.
> After a restart, it works well again.
>
> <Connector executor="tomcatThreadPool"
>            port="8080" protocol="HTTP/1.1"
>            connectionTimeout="20000"
>            redirectPort="8443" />
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>            keystoreFile="lib/cert/xxxx.keystore"
>            keystorePass="xxxx" />
> <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
> On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah <sanaulla...@gmail.com> wrote:
>
> > It's not necessary to have the ciphers property, but if you want to restrict
> > the ciphers then you can use this property.
> >
> > On Wed, Jan 21, 2015 at 6:53 AM, Jason Y <day...@gmail.com> wrote:
> >
> > > Thank you all. Now it is working fine.
> > >
> > > <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> > >            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > >            clientAuth="false" sslProtocol="TLS"
> > >            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> > >            keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx"
> > >            ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
> > >            TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />
> > >
> > > By the way, do I need "ciphers" properties here?
> > >
> > > On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz <
> > > ch...@christopherschultz.net> wrote:
> > >
> > > > Jason,
> > > >
> > > > On 1/20/15 4:17 AM, Jason Y wrote:
> > > > > Recently my application cannot be accessible in browser with https
> > > > > version. I think it is due to vulnerability in ssl 3.0 issue.
> > > > >
> > > > > I checked my tomcat configuration and replaced sslProtocol="TLS"
> > > > > with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
> > > > > 3.0.
> > > > >
> > > > > > <Connector port="8080" protocol="HTTP/1.1"
> > > > > >            connectionTimeout="20000" redirectPort="8443" />
> > > > > > <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> > > > > >            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > > > > >            clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> > > > > >            keystoreFile="xxx" keystorePass="xxx" />
> > > > > > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> > > >
> > > > None of the responses you have gotten thus far are useful in any way.
> > > >
> > > > > Your configuration looks fine to me: sslEnabledProtocols is the way to
> > > > > go, although in recent versions of Tomcat the default is NOT to
> > > > > include any "SSL" protocols and only use the "TLS" ones, so if you are
> > > > > running something recent, you should be okay.
> > > >
> > > > > Then I can open my application https link in browser. BUT, good
> > > > > time never lasts too long, after several hours, I failed to access
> > > > > my https link again.
> > > >
> > > > What kinds of errors do you get? What do the logs say? What are the
> > > > URLs you are using?
> > > >
> > > > > Anyone has any ideas about this? please share your suggestions...My
> > > > > tomcat version is 7.0.55
> > > >
> > > > Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you
> > > > should definitely keep your above configuration. There is no need to
> > > > add a trust store or cipher specification to that.
> > > >
> > > > - -chris
>
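
The check discussed in this thread, as an added example that is not part of the original messages or of Tomcat itself: a small audit that reads `server.xml` and reports, for each SSL-enabled Connector, whether `sslEnabledProtocols` keeps SSL protocols out. The sample XML is constructed from the connectors quoted above plus a hypothetical port-9443 connector, and the 7.0.57 cutoff for safe defaults is the one stated in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: connectors modelled on those quoted in this thread,
# plus one hypothetical connector (port 9443) with no protocol restriction.
SAMPLE_SERVER_XML = """
<Server>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
             keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx" />
  <Connector port="9443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" keystoreFile="xxx" keystorePass="xxx" />
</Server>
"""

# Per the thread: from 7.0.57 the defaults no longer include "SSL" protocols.
DEFAULTS_EXCLUDE_SSL_FROM = (7, 0, 57)


def audit_connectors(server_xml, tomcat_version):
    """Return (port, status, detail) for every SSL-enabled Connector."""
    version = tuple(int(part) for part in tomcat_version.split("."))
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector, nothing to audit
        port = conn.get("port")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # No explicit list: the outcome depends on the version's defaults.
            if version < DEFAULTS_EXCLUDE_SSL_FROM:
                detail = "no sslEnabledProtocols; defaults may allow SSL 3.0"
                findings.append((port, "FLAG", detail))
            else:
                findings.append((port, "OK", "defaults exclude SSL protocols"))
            continue
        protocols = [p.strip() for p in enabled.split(",") if p.strip()]
        # Anything named SSL* (SSLv3, SSLv2Hello) is a legacy protocol.
        legacy = [p for p in protocols if p.upper().startswith("SSL")]
        if legacy:
            detail = "legacy protocols enabled: " + ",".join(legacy)
            findings.append((port, "FLAG", detail))
        else:
            findings.append((port, "OK", "protocols: " + ",".join(protocols)))
    return findings
```

Calling `audit_connectors(SAMPLE_SERVER_XML, "7.0.55")` flags only the hypothetical 9443 connector; the 8443 connector from the thread passes because its protocol list is explicit.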
