As Charles said, move up to 6.0.20 and switch to the NIO connector. If you have to stay with 5.5.23, you'll need to go with the APR SSL connector.
(slap me if I'm still wrong Charles, but I checked the doc and there doesn't appear to be support for NIO in 5.5.x)

Jeff

-----Original Message-----
From: Steve G. Johnson [mailto:[email protected]]
Sent: Tuesday, January 19, 2010 10:24 AM
To: Tomcat Users List
Subject: RE: SSLv3/TLS man-in-middle vulnerability

Hi Charles,

FYI: This is in my listener list:

<Listener className="org.apache.catalina.core.AprLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>

Added the "protocol" entry, and now trying to start Tomcat manager results in "page cannot be displayed". Removing the entry, it starts. Added as follows:

<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
           minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100" scheme="https"
           secure="true" clientAuth="false" sslProtocol="TLS"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           keystoreFile="xxx" keystorePass="xxx" keystoreType="PKCS12" />

Steve

Steve Johnson

"Caldarale, Charles R" <Chuck.Caldarale@unisys.com> wrote to Tomcat Users List <[email protected]> on 01/19/2010 07:33 AM, Subject: RE: SSLv3/TLS man-in-middle vulnerability:

> From: Steve G. Johnson [mailto:[email protected]]
> Subject: Re: SSLv3/TLS man-in-middle vulnerability
>
> <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
>            minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>            disableUploadTimeout="true" acceptCount="100" scheme="https"
>            secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="xxx"
>            keystorePass="xxx" keystoreType="PKCS12" />

Add the following attribute to the above:

protocol="org.apache.coyote.http11.Http11NioProtocol"

Leave the AJP <Connector> alone.

- Chuck
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
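As an added check, not part of this thread or of Tomcat itself: a small Python audit that parses a server.xml, records whether the AprLifecycleListener is configured, and reports which implementation each HTTPS <Connector> resolves to, so you can see at a glance whether a given instance is on the NIO, APR or blocking JSSE connector. It assumes Tomcat's auto-switch behaviour (an unspecified or "HTTP/1.1" protocol becomes the APR connector when the APR listener is loaded, otherwise the blocking JSSE connector); the sample server.xml is constructed from the fragments quoted above.

```python
import xml.etree.ElementTree as ET

NIO = "org.apache.coyote.http11.Http11NioProtocol"
APR = "org.apache.coyote.http11.Http11AprProtocol"
BIO = "org.apache.coyote.http11.Http11Protocol"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# Constructed sample modelled on the server.xml fragments quoted in the thread:
# the APR listener plus the 8443 connector, before the "protocol" attribute was added.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" />
    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="xxx" keystorePass="xxx" keystoreType="PKCS12" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>
"""


def audit_ssl_connectors(server_xml):
    """Return one dict per HTTPS connector: its port, the declared protocol, and
    the implementation it resolves to ("nio", "apr" or "bio")."""
    root = ET.fromstring(server_xml)
    apr_loaded = any(lst.get("className") == APR_LISTENER for lst in root.iter("Listener"))
    findings = []
    for conn in root.iter("Connector"):
        is_ssl = conn.get("scheme") == "https" or conn.get("SSLEnabled", "").lower() in ("true", "on")
        if not is_ssl:
            continue  # plain HTTP and AJP connectors are left alone, as Chuck advised
        declared = conn.get("protocol", "HTTP/1.1")
        if declared == NIO:
            impl = "nio"
        elif declared == APR or (declared in ("HTTP/1.1", BIO) and apr_loaded):
            impl = "apr"  # assumption: Tomcat auto-switches to APR when the APR listener is present
        else:
            impl = "bio"  # blocking JSSE connector
        findings.append({"port": conn.get("port"), "protocol": declared,
                         "impl": impl, "apr_listener": apr_loaded})
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_connectors(SAMPLE_SERVER_XML):
        print(finding)
```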
