What I changed in server.xml is adding
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1".
BUT I noticed that I am using JSSE instead of APR, so I removed the
listener <Listener
className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

Is this causing my error?

On Wed, Jan 21, 2015 at 11:39 PM, Jason Y <day...@gmail.com> wrote:

> You mean here maxThreads="150"?
>
> But is no respective log message for this. And, I didn't find much request
> to the service. Currently there are no changed settings(firewall/network,
> etc.).
>
> On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner <
> jeffrey.jan...@polydyne.com> wrote:
>
>> > -----Original Message-----
>> > From: Jason Y [mailto:day...@gmail.com]
>> > Sent: Wednesday, January 21, 2015 12:44 AM
>> > To: Tomcat Users List
>> > Subject: Re: SSL issue in tomcat
>> >
>> > Got another issue...Tomcat is working fine after restart but it cannot
>> > last
>> > long.
>> > Now I cannot access https pages with any browsers. I didn't find
>> > anything
>> > useful in logs.
>> > After a restart, it works well again.
>> >
>> > <Connector executor="tomcatThreadPool"
>> >                port="8080" protocol="HTTP/1.1"
>> >                connectionTimeout="20000"
>> >                redirectPort="8443" />
>> > <Connector port="8443"
>> > protocol="org.apache.coyote.http11.Http11Protocol"
>> >                maxThreads="150" SSLEnabled="true" scheme="https"
>> > secure="true"
>> >                clientAuth="false" sslProtocol="TLS"
>> > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>> > keystoreFile="lib/cert/xxxx.keystore"
>> > keystorePass="xxxx" />
>> > <!-- Define an AJP 1.3 Connector on port 8009 -->
>> >     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>> >
>>
>> Just a thought, but since it works for a while and then stops responding,
>> could it be that the OP is running out of processing threads, i.e. a thread
>> or connection pool leak?
>>
>>
>> > On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah <sanaulla...@gmail.com>
>> > wrote:
>> >
>> > > its not necessary to have ciphers properties but if you want to
>> > restrict
>> > > the ciphers then you can use this property.
>> > >
>> > > On Wed, Jan 21, 2015 at 6:53 AM, Jason Y <day...@gmail.com> wrote:
>> > >
>> > > > Thank you all. Now it is working fine.
>> > > >
>> > > > <Connector port="8443"
>> > protocol="org.apache.coyote.http11.Http11Protocol"
>> > > >                maxThreads="150" SSLEnabled="true" scheme="https"
>> > > > secure="true"
>> > > >                clientAuth="false" sslProtocol="TLS"
>> > > > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>> > > > keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx"
>> > > > ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
>> > > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
>> > />
>> > > >
>> > > > By the way, do I need "ciphers" properties here?
>> > > >
>> > > > On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz <
>> > > > ch...@christopherschultz.net> wrote:
>> > > >
>> > > > > -----BEGIN PGP SIGNED MESSAGE-----
>> > > > > Hash: SHA256
>> > > > >
>> > > > > Jason,
>> > > > >
>> > > > > On 1/20/15 4:17 AM, Jason Y wrote:
>> > > > > > Recently my application cannot be accessible in browser with
>> > https
>> > > > > > version. I think it is due to vulnerability in ssl 3.0 issue.
>> > > > > >
>> > > > > > I checked my tomcat configuration and replaced sslProtocol="TLS"
>> > > > > > with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
>> > > > > > 3.0.
>> > > > > >
>> > > > > > <Connector port="8080" protocol="HTTP/1.1"
>> > > > > > connectionTimeout="20000" redirectPort="8443" /> <Connector
>> > > > > > port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
>> > > > > > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>> > > > > > clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>> > > > > > keystoreFile="xxx" keystorePass="xxx" /> <Connector port="8009"
>> > > > > > protocol="AJP/1.3" redirectPort="8443" />
>> > > > >
>> > > > > None of the responses you have gotten thus far are useful in any
>> > way.
>> > > > >
>> > > > > Your configuration looks fine to me: sslEnabledProtocols is the
>> > way to
>> > > > > go, although in recent versions of Tomcat the default is NOT to
>> > > > > include any "SSL" protocols and only use the "TLS" ones, so if you
>> > are
>> > > > > running something recent, you should be okay.
>> > > > >
>> > > > > > Then I can open my application https link in browser. BUT, good
>> > > > > > time never lasts too long, after several hours, I failed to
>> > access
>> > > > > > my https link again.
>> > > > >
>> > > > > What kinds of errors do you get? What do the logs say? What are
>> > the
>> > > > > URLs you are using?
>> > > > >
>> > > > > > Anyone has any ideas about this? please share your
>> > suggestions...My
>> > > > > > tomcat version is 7.0.55
>> > > > >
>> > > > > Those SSL/TLS defaults I mentioned above were done in 7.0.57, so
>> > you
>> > > > > should definitely keep your above configuration. There is no need
>> > to
>> > > > > add a trust store or cipher specification to that.
>> > > > >
>> > > > > - -chris
>> > > > > -----BEGIN PGP SIGNATURE-----
>> > > > > Version: GnuPG v1
>> > > > > Comment: GPGTools - http://gpgtools.org
>> > > > >
>> > > > > iQIcBAEBCAAGBQJUvnKiAAoJEBzwKT+lPKRYQtsP/00rm7rdKVUID9YVQ4WJk3ty
>> > > > > JVQa/g0Kg4prYC+w5AFvZaiDK6EC014GKoTz4ktUzY4Ubnyd3vxsRTV+6/JOig0J
>> > > > > C9HcXKEZf63KS2uro71ymXNH0glDGJWtkCeTLR60elBUnyoOIat6ifQ9DqbH9BGT
>> > > > > nxJLRq4GZg8aaqKqToJNREY/6nX09+qmPYgpvzrdNlhDgxdb97o9hEPPQA85DMmG
>> > > > > mDMyP/TdnIcOdYa8n94/yFjaLQBqCAMl7li2VugbVMkSZMriz/NXnr52xTvZsFtH
>> > > > > 8x4D5z5AzU+8+3P+vULmogW6418igLLWZHf03FAh2Wh5RKmvqKjaMzhC9qACYooJ
>> > > > > T7F1QfCZVqsEd5edzP17sUPjG62A1awwfMHB3/qmMpWz+Fde4taz2t+Pz652fugw
>> > > > > HrfhERRjkdpogfHmrAhBgZ/r89GpYlqEvMguW2PW6zL/ku51wx+aMfujrXO63+ZM
>> > > > > 9psUeSvsR823foOYa6C3UV3MFbGWE7awUWuIBQi1bOxsP/ldKvEESGtdu9GpLHw7
>> > > > > A/5fyZ2a6+99HC56lvraGvPi+5ZI52Ej1mR0Ckk9RHRWqoCApTYsCzAPWd5Fntuq
>> > > > > zuNoyI6onNFKNDZ+17Nm55rywgHR/5hh5CLbf1PwSJRw2mJXbEnoXXUo1XoCS+Oo
>> > > > > G5/ksEFNFSc9+yQSSC1H
>> > > > > =PVop
>> > > > > -----END PGP SIGNATURE-----
>> > > > >
>> > > > > ------------------------------------------------------------------
>> > ---
>> > > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> > > > > For additional commands, e-mail: users-h...@tomcat.apache.org
>> > > > >
>> > > > >
>> > > >
>> > >
>>
>
>
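The settings discussed in this thread (sslEnabledProtocols vs. sslProtocol, the optional ciphers attribute, the AprLifecycleListener beside a JSSE connector, and the 7.0.57 change in defaults) can be checked mechanically before a restart. The script below is an added example written for this archive; it is not code from any of the thread's participants or from the Tomcat project. It assumes the Tomcat 7 attribute names shown in the thread and the listener class name quoted above; the embedded server.xml is a constructed sample that mirrors the thread's connectors plus one deliberately weak connector on port 9443 for contrast.

```python
"""Audit a Tomcat server.xml for the SSL/TLS settings discussed in the thread.

Added example, not Tomcat's own tooling. Assumes the Tomcat 7 attribute names
sslProtocol, sslEnabledProtocols, ciphers, SSLEnabled and the listener class
org.apache.catalina.core.AprLifecycleListener, all as they appear in the thread.
"""
import re
import xml.etree.ElementTree as ET

# From the thread: 7.0.57 made "TLS only" the default when sslEnabledProtocols is absent.
TLS_ONLY_DEFAULT_SINCE = (7, 0, 57)

# Constructed sample server.xml: the thread's layout (APR listener still loaded,
# JSSE connector on 8443) plus a weak connector on 9443 to exercise the checks.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
               keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx" />
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="SSLv3,TLSv1"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
               keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""


def parse_version(version):
    """'7.0.55' -> (7, 0, 55); tolerant of suffixes such as '7.0.55-RC1'."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def audit_connector(conn, tomcat_version):
    """Findings for one SSLEnabled <Connector> as (port, severity, message)."""
    findings = []
    port = conn.get("port", "?")
    enabled = conn.get("sslEnabledProtocols")
    if enabled is None:
        # Only sslProtocol="TLS" set: before 7.0.57 the default list still included SSLv3.
        if parse_version(tomcat_version) < TLS_ONLY_DEFAULT_SINCE:
            findings.append((port, "warn",
                             "sslEnabledProtocols missing; Tomcat %s offers SSLv3 by default"
                             % tomcat_version))
    else:
        protos = [p.strip() for p in enabled.split(",") if p.strip()]
        legacy = [p for p in protos if p.upper().startswith("SSL")]
        if legacy:
            findings.append((port, "warn", "legacy protocols enabled: " + ",".join(legacy)))
        if "TLSv1.2" not in protos:
            findings.append((port, "warn", "TLSv1.2 not enabled"))
    # ciphers is optional (as the thread says); if set, note plain-RSA suites,
    # which provide no forward secrecy.
    ciphers = conn.get("ciphers")
    if ciphers:
        for name in (c.strip() for c in ciphers.split(",") if c.strip()):
            if name.startswith(("TLS_RSA_", "SSL_RSA_")):
                findings.append((port, "info", "%s offers no forward secrecy" % name))
    return findings


def audit_server_xml(xml_text, tomcat_version):
    """Audit every SSLEnabled connector in a server.xml string."""
    root = ET.fromstring(xml_text)
    apr_on = any(
        l.get("className", "").endswith("AprLifecycleListener")
        and l.get("SSLEngine", "").lower() == "on"
        for l in root.iter("Listener"))
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings.extend(audit_connector(conn, tomcat_version))
        # The fully qualified Http11Protocol is the JSSE connector; an APR
        # listener with SSLEngine="on" does not serve this connector's TLS.
        if apr_on and conn.get("protocol", "").endswith(".Http11Protocol"):
            findings.append((conn.get("port", "?"), "info",
                             "JSSE connector while AprLifecycleListener SSLEngine=\"on\" is loaded"))
    return findings


if __name__ == "__main__":
    for port, severity, message in audit_server_xml(SAMPLE_SERVER_XML, "7.0.55"):
        print("%s port %s: %s" % (severity.upper(), port, message))
```

Run it against a real server.xml by reading the file into `audit_server_xml` with the version from `catalina.sh version`; the warn-level findings are the ones that decide whether SSLv3 is still reachable, the info-level ones are context for the APR and ciphers questions raised in the thread.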
