What I changed in server.xml is adding sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1". BUT I noticed that I am using JSSE instead of APR, so I remoeved the listener <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
is this causing my error? On Wed, Jan 21, 2015 at 11:39 PM, Jason Y <day...@gmail.com> wrote: > You mean here maxThreads="150"? > > But is no respective log message for this. And, I didn't find much request > to the service. Currently there are no changed settings(firewall/network, > etc.). > > On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner < > jeffrey.jan...@polydyne.com> wrote: > >> > -----Original Message----- >> > From: Jason Y [mailto:day...@gmail.com] >> > Sent: Wednesday, January 21, 2015 12:44 AM >> > To: Tomcat Users List >> > Subject: Re: SSL issue in tomcat >> > >> > Got another issue...Tomcat is working fine after restart but it cannot >> > last >> > long. >> > Now I cannot access https pages with any browsers. I didn't find >> > anything >> > useful in logs. >> > After a restart, it works well again. >> > >> > <Connector executor="tomcatThreadPool" >> > port="8080" protocol="HTTP/1.1" >> > connectionTimeout="20000" >> > redirectPort="8443" /> >> > <Connector port="8443" >> > protocol="org.apache.coyote.http11.Http11Protocol" >> > maxThreads="150" SSLEnabled="true" scheme="https" >> > secure="true" >> > clientAuth="false" sslProtocol="TLS" >> > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" >> > keystoreFile="lib/cert/xxxx.keystore" >> > keystorePass="xxxx" /> >> > <!-- Define an AJP 1.3 Connector on port 8009 --> >> > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> >> > >> >> Just a thought, but since it works for a while and then stops responding, >> could it be that the OP is running out of processing threads, i.e. a thread >> or connection pool leak? >> >> >> > On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah <sanaulla...@gmail.com> >> > wrote: >> > >> > > its not necessary to have ciphers properties but if you want to >> > restrict >> > > the ciphers then you can use this property. >> > > >> > > On Wed, Jan 21, 2015 at 6:53 AM, Jason Y <day...@gmail.com> wrote: >> > > >> > > > Thank you all. Now it is working fine. >> > > > >> > > > <Connector port="8443" >> > protocol="org.apache.coyote.http11.Http11Protocol" >> > > > maxThreads="150" SSLEnabled="true" scheme="https" >> > > > secure="true" >> > > > clientAuth="false" sslProtocol="TLS" >> > > > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" >> > > > keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx" >> > > > ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, >> > > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" >> > /> >> > > > >> > > > By the way, do I need "ciphers" properties here? >> > > > >> > > > On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz < >> > > > ch...@christopherschultz.net> wrote: >> > > > >> > > > > -----BEGIN PGP SIGNED MESSAGE----- >> > > > > Hash: SHA256 >> > > > > >> > > > > Jason, >> > > > > >> > > > > On 1/20/15 4:17 AM, Jason Y wrote: >> > > > > > Recently my application cannot be accessible in browser with >> > https >> > > > > > version. I think it is due to vulnerability in ssl 3.0 issue. >> > > > > > >> > > > > > I checked my tomcat configuration and replaced sslProtocol="TLS" >> > > > > > with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL >> > > > > > 3.0. >> > > > > > >> > > > > > <Connector port="8080" protocol="HTTP/1.1" >> > > > > > connectionTimeout="20000" redirectPort="8443" /> <Connector >> > > > > > port="8443" protocol="org.apache.coyote.http11.Http11Protocol" >> > > > > > maxThreads="150" SSLEnabled="true" scheme="https" secure="true" >> > > > > > clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" >> > > > > > keystoreFile="xxx" keystorePass="xxx" /> <Connector port="8009" >> > > > > > protocol="AJP/1.3" redirectPort="8443" /> >> > > > > >> > > > > None of the responses you have gotten thus far are useful in any >> > way. >> > > > > >> > > > > Your configuration looks fine to me: sslEnabledProtocols is the >> > way to >> > > > > go, although in recent versions of Tomcat the default is NOT to >> > > > > include any "SSL" protocols and only use the "TLS" ones, so if you >> > are >> > > > > running something recent, you should be okay. >> > > > > >> > > > > > Then I can open my application https link in browser. BUT, good >> > > > > > time never lasts too long, after several hours, I failed to >> > access >> > > > > > my https link again. >> > > > > >> > > > > What kinds of errors do you get? What do the logs say? What are >> > the >> > > > > URLs you are using? >> > > > > >> > > > > > Anyone has any ideas about this? please share your >> > suggestions...My >> > > > > > tomcat version is 7.0.55 >> > > > > >> > > > > Those SSL/TLS defaults I mentioned above were done in 7.0.57, so >> > you >> > > > > should definitely keep your above configuration. There is no need >> > to >> > > > > add a trust store or cipher specification to that. >> > > > > >> > > > > - -chris >> > > > > -----BEGIN PGP SIGNATURE----- >> > > > > Version: GnuPG v1 >> > > > > Comment: GPGTools - http://gpgtools.org >> > > > > >> > > > > iQIcBAEBCAAGBQJUvnKiAAoJEBzwKT+lPKRYQtsP/00rm7rdKVUID9YVQ4WJk3ty >> > > > > JVQa/g0Kg4prYC+w5AFvZaiDK6EC014GKoTz4ktUzY4Ubnyd3vxsRTV+6/JOig0J >> > > > > C9HcXKEZf63KS2uro71ymXNH0glDGJWtkCeTLR60elBUnyoOIat6ifQ9DqbH9BGT >> > > > > nxJLRq4GZg8aaqKqToJNREY/6nX09+qmPYgpvzrdNlhDgxdb97o9hEPPQA85DMmG >> > > > > mDMyP/TdnIcOdYa8n94/yFjaLQBqCAMl7li2VugbVMkSZMriz/NXnr52xTvZsFtH >> > > > > 8x4D5z5AzU+8+3P+vULmogW6418igLLWZHf03FAh2Wh5RKmvqKjaMzhC9qACYooJ >> > > > > T7F1QfCZVqsEd5edzP17sUPjG62A1awwfMHB3/qmMpWz+Fde4taz2t+Pz652fugw >> > > > > HrfhERRjkdpogfHmrAhBgZ/r89GpYlqEvMguW2PW6zL/ku51wx+aMfujrXO63+ZM >> > > > > 9psUeSvsR823foOYa6C3UV3MFbGWE7awUWuIBQi1bOxsP/ldKvEESGtdu9GpLHw7 >> > > > > A/5fyZ2a6+99HC56lvraGvPi+5ZI52Ej1mR0Ckk9RHRWqoCApTYsCzAPWd5Fntuq >> > > > > zuNoyI6onNFKNDZ+17Nm55rywgHR/5hh5CLbf1PwSJRw2mJXbEnoXXUo1XoCS+Oo >> > > > > G5/ksEFNFSc9+yQSSC1H >> > > > > =PVop >> > > > > -----END PGP SIGNATURE----- >> > > > > >> > > > > ------------------------------------------------------------------ >> > --- >> > > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> > > > > For additional commands, e-mail: users-h...@tomcat.apache.org >> > > > > >> > > > > >> > > > >> > > >> > >
