tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeffrey Janner <Jeffrey.Jan...@PolyDyne.com>
Subject RE: SSL issue in tomcat
Date Wed, 21 Jan 2015 15:28:57 GMT
> -----Original Message-----
> From: Jason Y [mailto:daybug@gmail.com]
> Sent: Wednesday, January 21, 2015 12:44 AM
> To: Tomcat Users List
> Subject: Re: SSL issue in tomcat
> 
> Got another issue...Tomcat is working fine after restart but it cannot
> last
> long.
> Now I cannot access https pages with any browsers. I didn't find
> anything
> useful in logs.
> After a restart, it works well again.
> 
> <Connector executor="tomcatThreadPool"
>                port="8080" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                redirectPort="8443" />
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11Protocol"
>                maxThreads="150" SSLEnabled="true" scheme="https"
> secure="true"
>                clientAuth="false" sslProtocol="TLS"
> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> keystoreFile="lib/cert/xxxx.keystore"
> keystorePass="xxxx" />
> <!-- Define an AJP 1.3 Connector on port 8009 -->
>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> 

Just a thought, but since it works for a while and then stops responding, could it be that
the OP is running out of processing threads, i.e. a thread or connection pool leak?


> On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah <sanaullah82@gmail.com>
> wrote:
> 
> > its not necessary to have ciphers properties but if you want to
> restrict
> > the ciphers then you can use this property.
> >
> > On Wed, Jan 21, 2015 at 6:53 AM, Jason Y <daybug@gmail.com> wrote:
> >
> > > Thank you all. Now it is working fine.
> > >
> > > <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11Protocol"
> > >                maxThreads="150" SSLEnabled="true" scheme="https"
> > > secure="true"
> > >                clientAuth="false" sslProtocol="TLS"
> > > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> > > keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx"
> > > ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
> > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
> />
> > >
> > > By the way, do I need "ciphers" properties here?
> > >
> > > On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz <
> > > chris@christopherschultz.net> wrote:
> > >
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA256
> > > >
> > > > Jason,
> > > >
> > > > On 1/20/15 4:17 AM, Jason Y wrote:
> > > > > Recently my application cannot be accessible in browser with
> https
> > > > > version. I think it is due to vulnerability in ssl 3.0 issue.
> > > > >
> > > > > I checked my tomcat configuration and replaced sslProtocol="TLS"
> > > > > with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
> > > > > 3.0.
> > > > >
> > > > > <Connector port="8080" protocol="HTTP/1.1"
> > > > > connectionTimeout="20000" redirectPort="8443" /> <Connector
> > > > > port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> > > > > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > > > > clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> > > > > keystoreFile="xxx" keystorePass="xxx" /> <Connector port="8009"
> > > > > protocol="AJP/1.3" redirectPort="8443" />
> > > >
> > > > None of the responses you have gotten thus far are useful in any
> way.
> > > >
> > > > Your configuration looks fine to me: sslEnabledProtocols is the
> way to
> > > > go, although in recent versions of Tomcat the default is NOT to
> > > > include any "SSL" protocols and only use the "TLS" ones, so if you
> are
> > > > running something recent, you should be okay.
> > > >
> > > > > Then I can open my application https link in browser. BUT, good
> > > > > time never lasts too long, after several hours, I failed to
> access
> > > > > my https link again.
> > > >
> > > > What kinds of errors do you get? What do the logs say? What are
> the
> > > > URLs you are using?
> > > >
> > > > > Anyone has any ideas about this? please share your
> suggestions...My
> > > > > tomcat version is 7.0.55
> > > >
> > > > Those SSL/TLS defaults I mentioned above were done in 7.0.57, so
> you
> > > > should definitely keep your above configuration. There is no need
> to
> > > > add a trust store or cipher specification to that.
> > > >
> > > > - -chris
> > > > -----BEGIN PGP SIGNATURE-----
> > > > Version: GnuPG v1
> > > > Comment: GPGTools - http://gpgtools.org
> > > >
> > > > iQIcBAEBCAAGBQJUvnKiAAoJEBzwKT+lPKRYQtsP/00rm7rdKVUID9YVQ4WJk3ty
> > > > JVQa/g0Kg4prYC+w5AFvZaiDK6EC014GKoTz4ktUzY4Ubnyd3vxsRTV+6/JOig0J
> > > > C9HcXKEZf63KS2uro71ymXNH0glDGJWtkCeTLR60elBUnyoOIat6ifQ9DqbH9BGT
> > > > nxJLRq4GZg8aaqKqToJNREY/6nX09+qmPYgpvzrdNlhDgxdb97o9hEPPQA85DMmG
> > > > mDMyP/TdnIcOdYa8n94/yFjaLQBqCAMl7li2VugbVMkSZMriz/NXnr52xTvZsFtH
> > > > 8x4D5z5AzU+8+3P+vULmogW6418igLLWZHf03FAh2Wh5RKmvqKjaMzhC9qACYooJ
> > > > T7F1QfCZVqsEd5edzP17sUPjG62A1awwfMHB3/qmMpWz+Fde4taz2t+Pz652fugw
> > > > HrfhERRjkdpogfHmrAhBgZ/r89GpYlqEvMguW2PW6zL/ku51wx+aMfujrXO63+ZM
> > > > 9psUeSvsR823foOYa6C3UV3MFbGWE7awUWuIBQi1bOxsP/ldKvEESGtdu9GpLHw7
> > > > A/5fyZ2a6+99HC56lvraGvPi+5ZI52Ej1mR0Ckk9RHRWqoCApTYsCzAPWd5Fntuq
> > > > zuNoyI6onNFKNDZ+17Nm55rywgHR/5hh5CLbf1PwSJRw2mJXbEnoXXUo1XoCS+Oo
> > > > G5/ksEFNFSc9+yQSSC1H
> > > > =PVop
> > > > -----END PGP SIGNATURE-----
> > > >
> > > > ------------------------------------------------------------------
> ---
> > > > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > > For additional commands, e-mail: users-help@tomcat.apache.org
> > > >
> > > >
> > >
> >
Mime
View raw message