Thank you Chris for your reply.

I think I was misled by this error. My services--both REST and SOAP--are
hosted by Tomcat and used by downstream users over HTTPS. They had been
running well for a long time until one day one of the downstream developers
reported that the WSDL URL could not be accessed by his browsers or his code.

At first I thought it was due to the OpenSSL Heartbleed issue
<https://wiki.apache.org/tomcat/Security/Heartbleed> or the POODLE issue
<http://wiki.apache.org/tomcat/Security/POODLE>. So I made the respective
changes to server.xml and then restarted my service. I added the highlighted
part as below:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https"
           secure="true" clientAuth="false"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="xxx"
           keystorePass="xxx" />

It ran well after the restart, but that did not last long. Soon, the
developer reported that he could not access the service again. It was NOT
fixed and I am so confused.

Yesterday, I was thinking about why and how the user couldn't access the
service. Why not test it myself? So I rolled back all my changes and wrote
code to call the service via REST and WSDL, and both were running OK! (Still,
I cannot open the WSDL URL in my browsers; I think it is an SSL issue.)

Also, no production user has ever reported this issue. So I think it
might be something wrong with the developer's code (it is .NET code, of which
I have 0 knowledge). I will keep on watching this.



On Thu, Jan 22, 2015 at 11:01 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Jason,
>
> On 1/22/15 1:26 AM, Jason Y wrote:
> > What I changed in server.xml is adding
> > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1".
>
> If you want to be able to handle SSL handshakes (and not just TLS ones
> like some older clients might require), you'll need to enable
> SSLv2hello along with all the TLS versions you have specified above.
>
> > BUT I noticed that I am using JSSE instead of APR, so I removed
> > the listener <Listener
> > className="org.apache.catalina.core.AprLifecycleListener"
> > SSLEngine="on" />
> >
> > is this causing my error?
>
> No. Using the AprLifecycleListener won't hurt anything; you'll just
> get a warning on startup that the native library isn't available.
>
> I'm not quite convinced this is an SSL problem, since most clients can
> handle a TLS handshake these days.
>
> Back to the original problem: how long does your application work
> before it "doesn't"? When it "doesn't work", what happens when you try
> to connect? Long timeout? Immediate connection refusal? Failed handshake?
>
> You need to provide more information. Can you summarize the problem
> again and give specifics?
>
> - -chris
>
> > On Wed, Jan 21, 2015 at 11:39 PM, Jason Y <day...@gmail.com>
> > wrote:
> >
> >> You mean here maxThreads="150"?
> >>
> >> But there is no respective log message for this. And, I didn't find
> >> many requests to the service. Currently there are no changed
> >> settings (firewall/network, etc.).
> >>
> >> On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner <
> >> jeffrey.jan...@polydyne.com> wrote:
> >>
> >>>> -----Original Message----- From: Jason Y
> >>>> [mailto:day...@gmail.com] Sent: Wednesday, January 21, 2015
> >>>> 12:44 AM To: Tomcat Users List Subject: Re: SSL issue in
> >>>> tomcat
> >>>>
> >>>> Got another issue...Tomcat is working fine after restart but
> >>>> it cannot last long. Now I cannot access https pages with any
> >>>> browsers. I didn't find anything useful in logs. After a
> >>>> restart, it works well again.
> >>>>
> >>>> <Connector executor="tomcatThreadPool" port="8080"
> >>>> protocol="HTTP/1.1" connectionTimeout="20000"
> >>>> redirectPort="8443" />
> >>>> <Connector port="8443"
> >>>> protocol="org.apache.coyote.http11.Http11Protocol"
> >>>> maxThreads="150" SSLEnabled="true" scheme="https"
> >>>> secure="true" clientAuth="false" sslProtocol="TLS"
> >>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> >>>> keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx" />
> >>>> <!-- Define an AJP 1.3 Connector on port 8009 -->
> >>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> >>>>
> >>>
> >>> Just a thought, but since it works for a while and then stops
> >>> responding, could it be that the OP is running out of
> >>> processing threads, i.e. a thread or connection pool leak?
> >>>
> >>>
> >>>> On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah
> >>>> <sanaulla...@gmail.com> wrote:
> >>>>
> >>>>> it's not necessary to have the ciphers property, but if you
> >>>>> want to restrict the ciphers then you can use this property.
> >>>>>
> >>>>> On Wed, Jan 21, 2015 at 6:53 AM, Jason Y <day...@gmail.com>
> >>>>> wrote:
> >>>>>
> >>>>>> Thank you all. Now it is working fine.
> >>>>>>
> >>>>>> <Connector port="8443"
> >>>>>> protocol="org.apache.coyote.http11.Http11Protocol"
> >>>>>> maxThreads="150" SSLEnabled="true" scheme="https"
> >>>>>> secure="true" clientAuth="false" sslProtocol="TLS"
> >>>>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> >>>>>> keystoreFile="lib/cert/xxxx.keystore"
> >>>>>> keystorePass="xxxx"
> >>>>>> ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
> >>>>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> >>>>>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
> >>>>>> />
> >>>>>>
> >>>>>> By the way, do I need "ciphers" properties here?
> >>>>>>
> >>>>>> On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz <
> >>>>>> ch...@christopherschultz.net> wrote:
> >>>>>>
> > Jason,
> >
> > On 1/20/15 4:17 AM, Jason Y wrote:
> >>>>>>>>> Recently my application cannot be accessed in a
> >>>>>>>>> browser with the https version. I think it is due to
> >>>>>>>>> the vulnerability in SSL 3.0.
> >>>>>>>>>
> >>>>>>>>> I checked my tomcat configuration and replaced
> >>>>>>>>> sslProtocol="TLS" with
> >>>>>>>>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to
> >>>>>>>>> disable SSL 3.0.
> >>>>>>>>>
> >>>>>>>>> <Connector port="8080" protocol="HTTP/1.1"
> >>>>>>>>> connectionTimeout="20000" redirectPort="8443" />
> >>>>>>>>> <Connector port="8443"
> >>>>>>>>> protocol="org.apache.coyote.http11.Http11Protocol"
> >>>>>>>>> maxThreads="150" SSLEnabled="true" scheme="https"
> >>>>>>>>> secure="true" clientAuth="false"
> >>>>>>>>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> >>>>>>>>> keystoreFile="xxx" keystorePass="xxx" />
> >>>>>>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> >
> > None of the responses you have gotten thus far are useful in any
> > way.
> >
> > Your configuration looks fine to me: sslEnabledProtocols is the
> > way to go, although in recent versions of Tomcat the default is NOT to
> > include any "SSL" protocols and only use the "TLS" ones, so if you
> > are running something recent, you should be okay.
> >
> >>>>>>>>> Then I can open my application https link in
> >>>>>>>>> browser. BUT, good time never lasts too long, after
> >>>>>>>>> several hours, I failed to access
> >>>>>>>>> my https link again.
> >
> > What kinds of errors do you get? What do the logs say? What are
> > the URLs you are using?
> >
> >>>>>>>>> Anyone has any ideas about this? please share your
> >>>>>>>>> suggestions...My tomcat version is 7.0.55
> >
> > Those SSL/TLS defaults I mentioned above were done in 7.0.57, so
> > you should definitely keep your above configuration. There is no need
> > to add a trust store or cipher specification to that.
> >
> > -chris
> >>>>>>>
> >>>>>>> ---------------------------------------------------------------------
> >>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>>>>>
> >>>>>>
> >>>>>
> >>>
> >>
> >>
> >
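The thread keeps coming back to two questions: whether the `sslEnabledProtocols` list on the 8443 connector actually keeps SSL 3.0 off (Chris notes that the safer defaults only arrived in Tomcat 7.0.57, and Jason is on 7.0.55), and whether the `ciphers` attribute is needed. The following script is an added example, not code from the thread or from the Tomcat project: it parses a constructed `server.xml` fragment modelled on the connectors quoted above and reports, per SSL-enabled connector, any weak protocol version or cipher suite that is still offered. The attribute names (`SSLEnabled`, `sslEnabledProtocols`, `ciphers`) are the real Tomcat 7 JSSE connector attributes; the weak-suite markers and the sample config are assumptions chosen for the example.

```python
"""Audit the TLS settings of Tomcat <Connector> elements in a server.xml.

Added example (not from the mailing-list thread or the Tomcat project).
It flags SSLv2/SSLv3, a missing sslEnabledProtocols list, and obviously
weak JSSE cipher suite names, which is the check a defender wants before
trusting that a POODLE mitigation is really in place.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's connectors (not a real config).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="xxx" keystorePass="xxx"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Protocol versions that should never be offered (POODLE applies to SSLv3).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Substrings that mark a JSSE cipher suite name as weak (assumed list).
WEAK_CIPHER_MARKERS = ("_NULL_", "_RC4_", "_EXPORT", "_DES_", "_anon_", "_MD5")


def split_list(value):
    """Split a comma-separated Connector attribute into a set of names."""
    if value is None:
        return set()
    return {item.strip() for item in value.split(",") if item.strip()}


def audit_connector(conn):
    """Return findings (strings) for one SSL-enabled <Connector> element."""
    findings = []
    protocols = split_list(conn.get("sslEnabledProtocols"))
    if not protocols:
        # Without an explicit list, Tomcat before 7.0.57 falls back to the
        # JSSE defaults, which still include SSLv3 (see the thread above).
        findings.append("sslEnabledProtocols not set; SSLv3 may be offered")
    for proto in sorted(protocols & WEAK_PROTOCOLS):
        findings.append(f"{proto} enabled")
    if "SSLv2Hello" in protocols:
        findings.append("SSLv2Hello enabled; only legacy clients need it")
    # An absent ciphers attribute is fine: the JSSE defaults apply.
    for suite in sorted(split_list(conn.get("ciphers"))):
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite {suite}")
    return findings


def audit_server(xml_text):
    """Map each SSL-enabled connector port to its list of findings."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            report[conn.get("port")] = audit_connector(conn)
    return report


if __name__ == "__main__":
    for port, findings in audit_server(SAMPLE_SERVER_XML).items():
        status = "ok" if not findings else "; ".join(findings)
        print(f"connector {port}: {status}")
```

Run it against the real `conf/server.xml` by passing the file contents to `audit_server`. An empty findings list for the 8443 connector means the configuration itself does not re-enable SSL 3.0; it says nothing about whether the server is accepting connections at all, which is why Chris's questions about timeouts versus refused connections versus failed handshakes are the next step for the intermittent outage described in the thread.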