Jason,

On 1/20/15 8:53 PM, Jason Y wrote:
> Thank you all. Now it is working fine.
>
> <Connector port="8443"
>   protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
>   SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
>   sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>   keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx"
>   ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
>     TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
> />
>
> By the way, do I need the "ciphers" property here?

Usually, no. Your JRE has a set of supported ciphers and a subset of
those are enabled by default. Tomcat will remove a subset of ciphers
known to always be a bad idea (e.g. NULL).

Tomcat 8 and trunk since about 6 months ago have had support for
OpenSSL-style "ciphers" definitions, where you don't have to specify
the exact set of ciphers you want. Instead, you can describe those
ciphers which you do and do not want, and let those filters run
against the ciphers supported by the JVM.

-chris

> On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > Jason,
> >
> > On 1/20/15 4:17 AM, Jason Y wrote:
> > > Recently my application cannot be accessed in the browser over
> > > https. I think it is due to the vulnerability in the SSL 3.0
> > > issue.
> > >
> > > I checked my Tomcat configuration and replaced
> > > sslProtocol="TLS" with
> > > sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
> > > 3.0.
> > >
> > > <Connector port="8080" protocol="HTTP/1.1"
> > >   connectionTimeout="20000" redirectPort="8443" />
> > > <Connector port="8443"
> > >   protocol="org.apache.coyote.http11.Http11Protocol"
> > >   maxThreads="150" SSLEnabled="true" scheme="https"
> > >   secure="true" clientAuth="false"
> > >   sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> > >   keystoreFile="xxx" keystorePass="xxx" />
> > > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> >
> > None of the responses you have gotten thus far are useful in any
> > way.
> >
> > Your configuration looks fine to me: sslEnabledProtocols is the way
> > to go, although in recent versions of Tomcat the default is NOT to
> > include any "SSL" protocols and only use the "TLS" ones, so if you
> > are running something recent, you should be okay.
> >
> > > Then I can open my application's https link in the browser. BUT,
> > > good times never last too long: after several hours, I failed
> > > to access my https link again.
> >
> > What kinds of errors do you get? What do the logs say? What are
> > the URLs you are using?
> >
> > > Does anyone have any ideas about this? Please share your
> > > suggestions... My Tomcat version is 7.0.55.
> >
> > Those SSL/TLS defaults I mentioned above were done in 7.0.57, so
> > you should definitely keep your above configuration. There is no
> > need to add a trust store or cipher specification to that.
> >
> > -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
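Added illustration, not code from this thread and not Tomcat's own implementation: a simplified Python model of the OpenSSL-style "ciphers" filtering Chris describes, where you state which cipher families you do and do not want and the filter is evaluated against whatever suites the JVM supports. Assumptions: the suite list JVM_SUPPORTED is constructed, the ALIASES table is a small and approximate subset of the real OpenSSL aliases, and drop_always_bad only approximates the "remove ciphers known to always be a bad idea" step mentioned in the reply. Tomcat's real parser (OpenSSLCipherConfigurationParser in Tomcat 8) handles the full grammar.

```python
"""Simplified model of an OpenSSL-style "ciphers" filter applied to the
cipher suites a JVM reports. Illustration only; not Tomcat's own parser."""

import re

# Constructed sample of JSSE suite names, as a JVM might list them.
JVM_SUPPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

# A small subset of OpenSSL aliases, each as a predicate on a JSSE suite name.
# The definitions are approximations (assumption), enough to show the idea.
ALIASES = {
    "ALL":    lambda s: "_WITH_NULL_" not in s,     # everything except NULL encryption
    "eNULL":  lambda s: "_WITH_NULL_" in s,         # no encryption at all
    "aNULL":  lambda s: "_anon_" in s,              # no authentication (anonymous DH)
    "kRSA":   lambda s: s.split("_WITH_")[0] in ("TLS_RSA", "SSL_RSA"),  # RSA key exchange
    "ECDHE":  lambda s: s.startswith("TLS_ECDHE_"),
    "DHE":    lambda s: s.startswith("TLS_DHE_"),
    "AES":    lambda s: "_AES_" in s,
    "AESGCM": lambda s: "_AES_" in s and "_GCM_" in s,
    "3DES":   lambda s: "_3DES_" in s,
    "RC4":    lambda s: "_RC4_" in s,
    "MD5":    lambda s: s.endswith("_MD5"),
    # OpenSSL-1.0-era grouping of "HIGH": 128-bit-or-better bulk ciphers.
    "HIGH":   lambda s: any(k in s for k in ("_AES_128_", "_AES_256_", "_3DES_")),
}


def _matches(name, supported):
    """Suites matching one token body. 'A+B' is the intersection of aliases;
    a body that is not an alias is taken as an exact JSSE suite name."""
    preds = [ALIASES.get(p, (lambda s, p=p: s == p)) for p in name.split("+")]
    return [s for s in supported if all(pred(s) for pred in preds)]


def expand_cipher_string(spec, supported=JVM_SUPPORTED):
    """Apply an OpenSSL-style cipher string to the supported list, in order.
    Prefixes follow OpenSSL: none = add, '!' = remove and forbid re-adding,
    '-' = remove (may be re-added by a later token), '+' = move to the end.
    Tokens may be separated by ':' or ',', so a plain JSSE list also works."""
    enabled, killed = [], set()
    for token in re.split(r"[:,]", spec):
        token = token.strip()
        if not token:
            continue
        op, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = _matches(name, supported)
        if op == "!":
            killed.update(hits)
            enabled = [s for s in enabled if s not in hits]
        elif op == "-":
            enabled = [s for s in enabled if s not in hits]
        elif op == "+":
            enabled = [s for s in enabled if s not in hits] + [s for s in enabled if s in hits]
        else:
            enabled += [s for s in hits if s not in enabled and s not in killed]
    return enabled


def drop_always_bad(enabled):
    """Safety net in the spirit of the reply's 'remove ciphers known to always
    be a bad idea': strip NULL-encryption and anonymous suites even when the
    spec let them through. Approximation of Tomcat's behaviour, not its code."""
    return [s for s in enabled if not ALIASES["eNULL"](s) and not ALIASES["aNULL"](s)]


if __name__ == "__main__":
    for spec in ("ALL:!aNULL:!eNULL:!RC4:!MD5:!3DES",
                 "kRSA:ECDHE:+kRSA",
                 "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA"):
        print(spec)
        for suite in drop_always_bad(expand_cipher_string(spec)):
            print("   ", suite)
```

Running it shows the contrast the reply draws: a filter such as `ALL:!aNULL:!eNULL:!RC4:!MD5:!3DES` keeps every AES suite the JVM happens to support without listing any by name, while the comma-separated list from the Connector above enables exactly those three suites in the order written, and a spec that forgets `!eNULL` still has the NULL suite removed by the safety net.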