Jason,

On 1/22/15 1:26 AM, Jason Y wrote:
> What I changed in server.xml is adding 
> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1".

If you want to be able to handle SSL handshakes (and not just TLS ones
like some older clients might require), you'll need to enable
SSLv2Hello along with all the TLS versions you have specified above.

> BUT I noticed that I am using JSSE instead of APR, so I removed
> the listener <Listener
> className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />
> 
> Is this causing my error?

No. Using the AprLifecycleListener won't hurt anything; you'll just
get a warning on startup that the native library isn't available.

I'm not quite convinced this is an SSL problem, since most clients can
handle a TLS handshake these days.

Back to the original problem: how long does your application work
before it "doesn't". When it "doesn't work", what happens when you try
to connect? Long timeout? Immediate connection refusal? Failed handshake?

You need to provide more information. Can you summarize the problem
again and give specifics?

-chris

> On Wed, Jan 21, 2015 at 11:39 PM, Jason Y <day...@gmail.com>
> wrote:
> 
>> You mean here maxThreads="150"?
>> 
>> But there is no respective log message for this. And I didn't find
>> many requests to the service. Currently there are no changed
>> settings (firewall/network, etc.).
>> 
>> On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner < 
>> jeffrey.jan...@polydyne.com> wrote:
>> 
>>>> -----Original Message-----
>>>> From: Jason Y [mailto:day...@gmail.com]
>>>> Sent: Wednesday, January 21, 2015 12:44 AM
>>>> To: Tomcat Users List
>>>> Subject: Re: SSL issue in tomcat
>>>> 
>>>> Got another issue...Tomcat is working fine after restart but
>>>> it cannot last long. Now I cannot access https pages with any
>>>> browsers. I didn't find anything useful in logs. After a
>>>> restart, it works well again.
>>>> 
>>>> <Connector executor="tomcatThreadPool" port="8080"
>>>> protocol="HTTP/1.1" connectionTimeout="20000"
>>>> redirectPort="8443" />
>>>> <Connector port="8443"
>>>> protocol="org.apache.coyote.http11.Http11Protocol"
>>>> maxThreads="150" SSLEnabled="true" scheme="https"
>>>> secure="true" clientAuth="false" sslProtocol="TLS"
>>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>>>> keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx" />
>>>> <!-- Define an AJP 1.3 Connector on port 8009 -->
>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>>> 
>>> 
>>> Just a thought, but since it works for a while and then stops
>>> responding, could it be that the OP is running out of
>>> processing threads, i.e. a thread or connection pool leak?
>>> 
>>> 
>>>> On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah
>>>> <sanaulla...@gmail.com> wrote:
>>>> 
>>>>> It's not necessary to have the ciphers property, but if you
>>>>> want to restrict the ciphers then you can use this property.
>>>>> 
>>>>> On Wed, Jan 21, 2015 at 6:53 AM, Jason Y <day...@gmail.com>
>>>>> wrote:
>>>>> 
>>>>>> Thank you all. Now it is working fine.
>>>>>> 
>>>>>> <Connector port="8443"
>>>>>> protocol="org.apache.coyote.http11.Http11Protocol"
>>>>>> maxThreads="150" SSLEnabled="true" scheme="https"
>>>>>> secure="true" clientAuth="false" sslProtocol="TLS"
>>>>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>>>>>> keystoreFile="lib/cert/xxxx.keystore"
>>>>>> keystorePass="xxxx"
>>>>>> ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
>>>>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>>>>>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
>>>>>> />
>>>>>> 
>>>>>> By the way, do I need "ciphers" properties here?
>>>>>> 
>>>>>> On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz < 
>>>>>> ch...@christopherschultz.net> wrote:
>>>>>> 
>>>>>>> Jason,
>>>>>>> 
>>>>>>> On 1/20/15 4:17 AM, Jason Y wrote:
>>>>>>>> Recently my application cannot be accessed in a browser
>>>>>>>> via its https version. I think it is due to the
>>>>>>>> vulnerability in SSL 3.0.
>>>>>>>> 
>>>>>>>> I checked my tomcat configuration and replaced
>>>>>>>> sslProtocol="TLS" with
>>>>>>>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to
>>>>>>>> disable SSL 3.0.
>>>>>>>> 
>>>>>>>> <Connector port="8080" protocol="HTTP/1.1"
>>>>>>>> connectionTimeout="20000" redirectPort="8443" />
>>>>>>>> <Connector port="8443"
>>>>>>>> protocol="org.apache.coyote.http11.Http11Protocol"
>>>>>>>> maxThreads="150" SSLEnabled="true" scheme="https"
>>>>>>>> secure="true" clientAuth="false"
>>>>>>>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>>>>>>>> keystoreFile="xxx" keystorePass="xxx" />
>>>>>>>> <Connector port="8009" protocol="AJP/1.3"
>>>>>>>> redirectPort="8443" />
>>>>>>> 
>>>>>>> None of the responses you have gotten thus far are useful in
>>>>>>> any way.
>>>>>>> 
>>>>>>> Your configuration looks fine to me: sslEnabledProtocols is the
>>>>>>> way to go, although in recent versions of Tomcat the default is
>>>>>>> NOT to include any "SSL" protocols and only use the "TLS" ones,
>>>>>>> so if you are running something recent, you should be okay.
>>>>>>> 
>>>>>>>> Then I can open my application https link in the browser.
>>>>>>>> BUT, good time never lasts too long; after several hours,
>>>>>>>> I failed to access my https link again.
>>>>>>> 
>>>>>>> What kinds of errors do you get? What do the logs say? What are
>>>>>>> the URLs you are using?
>>>>>>> 
>>>>>>>> Does anyone have any ideas about this? Please share your
>>>>>>>> suggestions... My Tomcat version is 7.0.55.
>>>>>>> 
>>>>>>> Those SSL/TLS defaults I mentioned above were done in 7.0.57, so
>>>>>>> you should definitely keep your above configuration. There is no
>>>>>>> need to add a trust store or cipher specification to that.
>>>>>>> 
>>>>>>> -chris
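As an added example that is not part of the thread, the script below parses a server.xml containing the Connector block posted above (embedded as constructed sample input) and reports the settings the thread argues about: the enabled SSL/TLS versions, any static-RSA suite in an explicit ciphers list, and the maxThreads budget that a leaked thread or connection pool would exhaust. The 7.0.57 default change is the one Chris cites; the maxThreads default of 200 is Tomcat's documented default.

```python
"""Audit the SSLEnabled <Connector> elements of a Tomcat server.xml.
Added example, not from the thread: reports the enabled SSL/TLS versions, any
static-RSA cipher suites, and the maxThreads budget a thread leak would exhaust."""
import xml.etree.ElementTree as ET

# Constructed sample: the Connector block posted in the thread, wrapped in the
# <Server>/<Service> skeleton that server.xml has around it.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
             keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                      TLS_DHE_DSS_WITH_AES_128_CBC_SHA"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

def _csv(value):  # split a comma-separated attribute, tolerating whitespace and line breaks
    return [v.strip() for v in value.split(",") if v.strip()]

def audit_connector(conn):
    """Return a report dict for one SSLEnabled <Connector> element."""
    findings = []
    protocols = _csv(conn.get("sslEnabledProtocols", ""))
    if not protocols:
        findings.append("sslEnabledProtocols unset: the JSSE default applies, "
                        "which still included SSLv3 on Tomcat before 7.0.57")
    for proto in protocols:
        if proto.upper() in ("SSLV2", "SSLV3"):  # SSLv2Hello is only a hello format, not flagged
            findings.append(f"{proto} enabled: obsolete protocol version")
    for cipher in _csv(conn.get("ciphers", "")):
        if cipher.startswith("TLS_RSA_"):
            findings.append(f"{cipher}: static RSA key exchange, no forward secrecy")
    return {"port": conn.get("port"), "protocols": protocols,
            "maxThreads": int(conn.get("maxThreads", "200")),  # Tomcat's documented default
            "findings": findings}

def audit_server_xml(xml_text):
    """Audit every connector with SSLEnabled="true" in a server.xml document."""
    root = ET.fromstring(xml_text)
    return [audit_connector(c) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]

if __name__ == "__main__":
    for report in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {report['port']}: maxThreads={report['maxThreads']} protocols={report['protocols']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against the real server.xml with `audit_server_xml(open("conf/server.xml").read())`; a connector whose maxThreads is exhausted is what a thread dump taken during the "doesn't work" period would confirm.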