-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jason,

On 1/20/15 8:53 PM, Jason Y wrote:
> Thank you all. Now it is working fine.
> 
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
> SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
> sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" 
> keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx" 
> ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
> />
> 
> By the way, do I need "ciphers" properties here?

Usually, no. Your JRE has a set of supported ciphers and a subset of
those are enabled by default. Tomcat will remove a subset of ciphers
known to always be a bad idea (e.g. NULL).

Tomcat 8 and trunk since about 6 months ago have had support for
OpenSSL-style "ciphers" definitions, where you don't have to specify
the exact set of ciphers you want. Instead, you can describe those
ciphers which you do and do not want, and let those filters run
against the ciphers supported by the JVM.

- -chris

> 
> On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Jason,
> 
> On 1/20/15 4:17 AM, Jason Y wrote:
>>>> Recently my application cannot be accessible in browser with
>>>> https version. I think it is due to vulnerability in ssl 3.0
>>>> issue.
>>>> 
>>>> I checked my tomcat configuration and replaced
>>>> sslProtocol="TLS" with
>>>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 
>>>> 3.0.
>>>> 
>>>> <Connector port="8080" protocol="HTTP/1.1" 
>>>> connectionTimeout="20000" redirectPort="8443" /> <Connector 
>>>> port="8443"
>>>> protocol="org.apache.coyote.http11.Http11Protocol" 
>>>> maxThreads="150" SSLEnabled="true" scheme="https"
>>>> secure="true" clientAuth="false"
>>>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
>>>> keystoreFile="xxx" keystorePass="xxx" /> <Connector
>>>> port="8009" protocol="AJP/1.3" redirectPort="8443" />
> 
> None of the responses you have gotten thus far are useful in any
> way.
> 
> Your configuration looks fine to me: sslEnabledProtocols is the way
> to go, although in recent versions of Tomcat the default is NOT to 
> include any "SSL" protocols and only use the "TLS" ones, so if you
> are running something recent, you should be okay.
> 
>>>> Then I can open my application https link in browser. BUT,
>>>> good time never lasts too long, after several hours, I failed
>>>> to access my https link again.
> 
> What kinds of errors do you get? What do the logs say? What are
> the URLs you are using?
> 
>>>> Anyone has any ideas about this? please share your
>>>> suggestions...My tomcat version is 7.0.55
> 
> Those SSL/TLS defaults I mentioned above were done in 7.0.57, so
> you should definitely keep your above configuration. There is no
> need to add a trust store or cipher specification to that.
> 
> -chris
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> 
>> 
> 
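As an added illustration of the OpenSSL-style cipher filtering mentioned above (this is an example connector, not configuration from the thread or from the Tomcat project), a Tomcat 8 JSSE connector can describe the ciphers it wants with an expression rather than an explicit list. The keystore path and password are placeholders; the expression itself uses standard OpenSSL aliases, and Tomcat evaluates it against the cipher suites the running JVM supports.

```xml
<!-- Added example, not part of the original thread.
     keystoreFile / keystorePass are placeholders.
     HIGH    : high-strength suites only
     !aNULL  : drop anonymous (unauthenticated) key exchange
     !eNULL  : drop suites with no encryption
     !MD5    : drop MD5-based MACs
     !RC4    : drop RC4 stream-cipher suites -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           keystoreFile="conf/example.keystore" keystorePass="changeit"
           ciphers="HIGH:!aNULL:!eNULL:!MD5:!RC4" />
```

Compared with the explicit three-suite list quoted earlier in the thread, this form does not go stale when the JVM gains or loses suites: the filter is re-applied to whatever the JVM offers at startup, and the `!` exclusions stay in force regardless of later additions to the expression.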
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
