Here is what I get with the openssl s_client command:

Loading 'screen' into random state - done
CONNECTED(000001E8)
write to 0x2103650 [0x2103698] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 2b 20 ff a2   ............+ ..
0060 - dc 75 81 67 91 ff 8a 7e-8e 37 ed ac f6 97 0e 83   .u.g...~.7......
0070 - 66 46 8c 87 b8 1c b3 0a-7e 46 72 30               fF......~Fr0
read from 0x2103650 [0x2108bf8] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
13756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:596:
On Wed, Jan 21, 2015 at 4:49 PM, Sanaullah <sanaulla...@gmail.com> wrote:

> Then maybe it's not an issue with Tomcat. Can you check your firewall? Maybe
> your firewall is dropping the connection after some time.
>
> Try to connect to the server from localhost using "openssl s_client -connect
> hostname:8443 -debug"; maybe you will find something useful.
>
> On Wed, Jan 21, 2015 at 11:43 AM, Jason Y <day...@gmail.com> wrote:
>
> > Got another issue... Tomcat is working fine after a restart, but it cannot
> > last long.
> > Now I cannot access https pages with any browser. I didn't find anything
> > useful in the logs.
> > After a restart, it works well again.
> >
> > <Connector executor="tomcatThreadPool"
> >            port="8080" protocol="HTTP/1.1"
> >            connectionTimeout="20000"
> >            redirectPort="8443" />
> > <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> >            maxThreads="150" SSLEnabled="true" scheme="https"
> >            secure="true"
> >            clientAuth="false" sslProtocol="TLS"
> >            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> >            keystoreFile="lib/cert/xxxx.keystore"
> >            keystorePass="xxxx" />
> > <!-- Define an AJP 1.3 Connector on port 8009 -->
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> >
> > On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah <sanaulla...@gmail.com> wrote:
> >
> > > It's not necessary to have the ciphers property, but if you want to
> > > restrict the ciphers then you can use this property.
> > >
> > > On Wed, Jan 21, 2015 at 6:53 AM, Jason Y <day...@gmail.com> wrote:
> > >
> > > > Thank you all. Now it is working fine.
> > > >
> > > > <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> > > >            maxThreads="150" SSLEnabled="true" scheme="https"
> > > >            secure="true"
> > > >            clientAuth="false" sslProtocol="TLS"
> > > >            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> > > >            keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx"
> > > >            ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
> > > >                     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> > > >                     TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />
> > > >
> > > > By the way, do I need the "ciphers" property here?
> > > >
> > > > On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz <
> > > > ch...@christopherschultz.net> wrote:
> > > >
> > > > > Jason,
> > > > >
> > > > > On 1/20/15 4:17 AM, Jason Y wrote:
> > > > > > Recently my application cannot be accessed in the browser over
> > > > > > https. I think it is due to the SSL 3.0 vulnerability.
> > > > > >
> > > > > > I checked my Tomcat configuration and replaced sslProtocol="TLS"
> > > > > > with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
> > > > > > 3.0.
> > > > > >
> > > > > > <Connector port="8080" protocol="HTTP/1.1"
> > > > > >            connectionTimeout="20000" redirectPort="8443" />
> > > > > > <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> > > > > >            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > > > > >            clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> > > > > >            keystoreFile="xxx" keystorePass="xxx" />
> > > > > > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> > > > >
> > > > > None of the responses you have gotten thus far are useful in any way.
> > > > >
> > > > > Your configuration looks fine to me: sslEnabledProtocols is the way to
> > > > > go, although in recent versions of Tomcat the default is NOT to
> > > > > include any "SSL" protocols and only use the "TLS" ones, so if you are
> > > > > running something recent, you should be okay.
> > > > >
> > > > > > Then I can open my application's https link in the browser. BUT, good
> > > > > > times never last too long: after several hours, I failed to access
> > > > > > my https link again.
> > > > >
> > > > > What kinds of errors do you get? What do the logs say? What are the
> > > > > URLs you are using?
> > > > >
> > > > > > Does anyone have any ideas about this? Please share your suggestions...
> > > > > > My Tomcat version is 7.0.55.
> > > > >
> > > > > Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you
> > > > > should definitely keep your above configuration. There is no need to
> > > > > add a trust store or cipher specification to that.
> > > > >
> > > > > - -chris
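Added example, not code from anyone in the thread: a small Python decoder for the two records in the s_client dump at the top of the message, with the bytes transcribed from that dump and a cipher-name table limited to four IANA suite names (three of them the suites in the connector's ciphers attribute). It shows that the client's first flight was an SSLv2-format CLIENT-HELLO announcing version 3.1 (TLS 1.0) plus seven SSLv2-only cipher specs, and that the server answered with a fatal handshake_failure (40) alert.

```python
import struct

# Bytes transcribed from the "write to" (124 bytes) and "read from" (7 bytes)
# dumps in the s_client output quoted above.
CLIENT_HELLO_HEX = (
    "807a0103010051000000200000390000" "3800003500001600001300000a0700c0"
    "00003300003200002f00000705008003" "00800000050000040100800000150000"
    "12000009060040000014000011000008" "0000060400800000030200802b20ffa2"
    "dc75816791ff8a7e8e37edacf6970e83" "66468c87b81cb30a7e467230"
)
SERVER_ALERT_HEX = "15030100020228"

# Small subset of IANA suite names; the first three are the connector's ciphers attribute.
TLS_SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
              0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 46: "certificate_unknown", 70: "protocol_version"}


def parse_sslv2_client_hello(record: bytes) -> dict:
    """Parse an SSLv2-format record carrying a CLIENT-HELLO (2-byte header with the
    high bit set, then msg type 0x01, version, and three length fields)."""
    if not record or not record[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    length = struct.unpack(">H", record[:2])[0] & 0x7FFF
    body = record[2:2 + length]
    if len(body) != length or body[0] != 0x01:
        raise ValueError("truncated record or not a CLIENT-HELLO")
    major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBHHH", body[1:9])
    if 9 + cs_len + sid_len + ch_len != length:
        raise ValueError("length fields do not add up")
    tls, sslv2 = [], []
    for i in range(9, 9 + cs_len, 3):          # cipher specs are 3 bytes each
        spec = body[i:i + 3]
        if spec[0] == 0:                       # 00 xx yy wraps the TLS suite 0xXXYY
            tls.append(TLS_SUITES.get(int.from_bytes(spec[1:], "big"), "0x" + spec[1:].hex()))
        else:                                  # anything else is an SSLv2-only cipher kind
            sslv2.append("SSL2_0x" + spec.hex())
    return {"version": f"{major}.{minor}",     # 3.1 is TLS 1.0
            "tls_suites": tls, "sslv2_specs": sslv2,
            "session_id_len": sid_len, "challenge_len": ch_len}


def parse_tls_alert(record: bytes) -> dict:
    """Parse a TLS record of content type 21 (alert): 5-byte header, then level and description."""
    ctype, major, minor, length = struct.unpack(">BBBH", record[:5])
    if ctype != 21 or length != 2 or len(record) != 7:
        raise ValueError("not a well-formed TLS alert record")
    return {"version": f"{major}.{minor}",
            "level": ALERT_LEVELS.get(record[5], str(record[5])),
            "description": ALERT_DESCRIPTIONS.get(record[6], str(record[6]))}
```

Call `parse_sslv2_client_hello(bytes.fromhex(CLIENT_HELLO_HEX))` and `parse_tls_alert(bytes.fromhex(SERVER_ALERT_HEX))` to decode the two dumps.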