Re: SSL issue in tomcat
Thanks for your reply, Chris.

I am providing a solr search service on a Linux server. My java version is 1.7_67 (64bit), my tomcat version is 7.0.55, and the tomcat Connector is:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="500" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/path/**.keystore" keystorePass="password" />

In my service I provide both a REST and a WSDL service to call solr search over https. Everything worked well until one day (around Nov 2014) we found we could not open the wsdl URL in any browser, while our clients' code that calls solr search was always working fine. In the following days, two clients' developers (.NET) raised some tickets complaining that they could not call the solr service on their local machines (while their code on PROD was running well and never failed). They said they could not even load the wsdl in Visual Studio. At this point I realized that I should test it myself, so I tested (with java code) calling the service both by REST and by WSDL, and both worked fine.
*My code to call WSDL is:*

    // trust store holding the server certificate; certificationPath is set elsewhere
    System.setProperty("javax.net.ssl.trustStore", certificationPath);
    Service service = new Service();
    port = service.getPort();
    // start add soap header
    Binding binding = ((BindingProvider) port).getBinding();
    List<Handler> handlerList = binding.getHandlerChain();
    if (handlerList == null) handlerList = new ArrayList<Handler>();
    handlerList.add(new SecurityHandler(username, password));
    binding.setHandlerChain(handlerList);
    String query = "q=Id:123456";
    long offset = 0;
    long limit = 100;
    Holder<Long> numFound = new Holder<Long>();
    Holder<Long> start = new Holder<Long>();
    Holder<List<SolrDocument>> doc = new Holder<List<SolrDocument>>();
    port.search(query, offset, limit, numFound, start, doc);
    System.out.println(doc.value.size());

*My code to call REST service is:*

    SolrQuery query = new SolrQuery();
    query.setQuery("*:*");
    System.setProperty("javax.net.ssl.trustStore", certificationPath);
    HttpSolrServer server = new HttpSolrServer("https://server_ip:8443/solr/solr_test");
    query.setHighlight(true).setStart(1);
    query.setRows(15);
    ModifiableSolrParams paramsDemo = new ModifiableSolrParams();
    paramsDemo.add("wt", "json");
    paramsDemo.add("indent", "true");
    paramsDemo.add("q", "Id:123456");
    query.add(paramsDemo);
    QueryResponse queryResponse = server.query(query);

Then I tried to disable SSL 3.0 on the server by adding sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the Connector in server.xml. After a restart, my service was running OK, my test code was running OK, and the https wsdl URLs were OK to open in browsers. But about one hour later, all of the above tests failed.

*Error message when calling wsdl:*

    Exception in thread "main" javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://server_ip:8443/solr_test_name?wsdl. It failed with:
        Received fatal alert: handshake_failure.
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:151)
        at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:133)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:254)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:217)
        at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:165)
        at com.sun.xml.internal.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:93)
        at javax.xml.ws.Service.<init>(Service.java:56)
        at com..webservice.Service.<init>(Service.java:42)
        at com..client.Test.main(Test.java:30)
    Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

*Error message when calling REST:*

    IOException occured when talking to server at: [MY_REST_SERVICE_ADDRESS]

*Error message when trying to open WSDL URL in browser:*

    SSL connection error
    Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
    Error code: ERR_SSL_PROTOCOL_ERROR

My question is: after adding sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the *Connector* in server.xml, is there anything else that I need to do? Such as:
i) on the server side, JDK settings with -D =;
ii) on the client side, with System.setProperties(,)?
iii) or anything else?
Re: How-to disable SSL V3 on Tomcat 6.0.18.0
Hi Jammy,

Please refer to https://access.redhat.com/solutions/1232233

When using Tomcat with the JSSE connectors, the SSL protocol to be used can be configured via $TOMCAT_HOME/conf/server.xml. The following example shows how the sslProtocol in an https connector is configured.

Tomcat 5 and 6 (prior to 6.0.38):

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />

Tomcat 6 (6.0.38 and later) and 7:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />

If the sslEnabledProtocols or sslProtocols attributes are specified, only protocols that are listed and supported by the SSL implementation will be enabled. If not specified, the JVM default is used. The permitted values may be obtained from the JVM documentation for the allowed values for "algorithm" when creating an SSLContext instance, e.g. Oracle Java 6 and Oracle Java 7.

By the way, why would you disable SSL? What is your current problem? I may have the same problem with tomcat 7.0.55...

On Fri, Jan 30, 2015 at 2:44 PM, Terence M. Bandoian tere...@tmbsw.com wrote:

On 1/29/2015 10:02 AM, Jammy Chen wrote:

Hello Chuck,

Thanks for replying. I understood this is old; our product has already upgraded to the latest version, but somehow some of our users are still at such an old stage. They do not plan to uptake now, but they want to disable SSL V3, as everybody knows this is a big security vulnerability. *So now the important thing is how I can disable SSL V3 on Tomcat 6.0.18.0?
I cannot find the solution*

Jammy

2015-01-29 22:00 GMT+08:00 Caldarale, Charles R chuck.caldar...@unisys.com:

From: Jammy Chen [mailto:jamm...@gmail.com]
Subject: How-to disable SSL V3 on Tomcat 6.0.18.0

Does everybody know how to disable SSL v3 in an older tomcat version?
Server version: Apache Tomcat/6.0.18
Server built: Jul 22 2008 02:00:36

Yes - move up to a current level and read the docs. Seriously, if you're using a Tomcat of that vintage (this one is more than 6.5 years old), you have a lot more security issues to worry about than SSLv3. It's irresponsible not to upgrade.

OS Name: Windows 2003

A few months from end-of-life.

JVM Version: 1.6.0-b105

Two years past end-of-life. Is there a pattern here?

- Chuck

Hi, Jammy-

I'd suggest downloading Tomcat 6.0.18 which includes the then-current documentation.

-Terence Bandoian

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
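The version-dependent attribute names in the Red Hat note above are easy to get wrong on a mixed fleet (sslProtocols on one box, sslEnabledProtocols on another, neither on a third). The following is an added example, not code from the thread, from Red Hat or from Tomcat: it parses a server.xml and reports, for a given Tomcat version, which SSL-enabled connectors set the attribute that version ignores, which leave the protocol list to the JVM default, and which explicitly enable SSLv2/SSLv3. The 7.0.57 cut-off for the SSL-free default is taken from Christopher Schultz's reply elsewhere in this thread; the sample server.xml is constructed, with placeholder keystore values.

```python
"""Audit the SSL/TLS connectors in a Tomcat server.xml.

Added example, not code from the thread, from Red Hat or from Tomcat. Rules
encoded: Tomcat 5 and 6 before 6.0.38 read `sslProtocols`; 6.0.38+ and 7 read
`sslEnabledProtocols`; an absent attribute means the JVM default applies, and
only from Tomcat 7.0.57 did the default stop including SSL protocols.
"""
import xml.etree.ElementTree as ET

# Constructed server.xml modelled on the connectors posted in this thread;
# keystore path and password are placeholders, not real values.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/PLACEHOLDER.keystore" keystorePass="PLACEHOLDER" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2" />
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  </Service>
</Server>
"""

LEGACY_ATTR, CURRENT_ATTR = "sslProtocols", "sslEnabledProtocols"


def parse_version(text):
    """'7.0.55' -> (7, 0, 55) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def protocol_attribute(tomcat_version):
    """Name of the attribute this Tomcat version reads for its protocol list."""
    return LEGACY_ATTR if parse_version(tomcat_version) < (6, 0, 38) else CURRENT_ATTR


def audit_connectors(xml_text, tomcat_version):
    """Return (port, message) findings for every SSL-enabled connector."""
    version = parse_version(tomcat_version)
    attr = protocol_attribute(tomcat_version)
    ignored = LEGACY_ATTR if attr == CURRENT_ATTR else CURRENT_ATTR
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors carry no TLS settings
        port = conn.get("port", "?")
        if conn.get(ignored):
            findings.append((port, "%s is set but Tomcat %s reads %s"
                             % (ignored, tomcat_version, attr)))
        raw = conn.get(attr)
        if raw is None:
            if version < (7, 0, 57):
                findings.append((port, "no %s attribute; JVM default applies "
                                       "and may include SSLv3" % attr))
            continue
        enabled = [p.strip() for p in raw.split(",") if p.strip()]
        legacy = [p for p in enabled if p.upper() in ("SSLV2", "SSLV3")]
        if legacy:
            findings.append((port, "%s enables %s" % (attr, ", ".join(legacy))))
    return findings


if __name__ == "__main__":
    for ver in ("6.0.18", "7.0.55", "7.0.57"):
        print("Tomcat %s:" % ver)
        for port, msg in audit_connectors(SAMPLE_SERVER_XML, ver) or [("-", "no findings")]:
            print("  port %s: %s" % (port, msg))
```

Run against the constructed sample, Tomcat 7.0.55 (the version in this thread) flags port 8443 for relying on the JVM default and port 8444 for listing SSLv3, while 7.0.57 only flags 8444; under 6.0.18 every connector is flagged because the attribute it reads is sslProtocols and none of them set it.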
Re: SSL issue in tomcat
Thank you Chris for your reply.

I think I was misled by this error. My services--both REST and SOAP--are hosted by tomcat and used by downstream users over HTTPS. They had been running well for a long time until one day one of the downstream developers reported that the WSDL URL could not be accessed by his browsers, or by his code either. At first I thought it was due to the openSSL HeartBleed issue https://wiki.apache.org/tomcat/Security/Heartbleed or the POODLE issue http://wiki.apache.org/tomcat/Security/POODLE. So I made the respective changes to server.xml and then restarted my service. I added the highlighted part as below:

    *<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx" keystorePass="xxx" />*

It ran well after the restart, but not for long. Soon the developer reported that he could not access the service again. It was NOT fixed and I am so confused.

Yesterday I was thinking about why and how the user couldn't access the service. Why not test it myself? So I rolled back all my changes and wrote code to call the service via REST and WSDL, and both were running OK! (Still I cannot open the WSDL URL in my browsers; I think it is an SSL issue.) Also, there has never been a production user reporting this issue. So I think it might be something wrong with the developer's code (it is .NET code, of which I have 0 knowledge). I will keep on watching this.

On Thu, Jan 22, 2015 at 11:01 PM, Christopher Schultz ch...@christopherschultz.net wrote:

Jason,

On 1/22/15 1:26 AM, Jason Y wrote:
What I changed in server.xml is adding sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1".

If you want to be able to handle SSL handshakes (and not just TLS ones, like some older clients might require), you'll need to enable SSLv2hello along with all the TLS versions you have specified above.
BUT I noticed that I am using JSSE instead of APR, so I removed the listener
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
Is this causing my error?

No. Using the AprLifecycleListener won't hurt anything; you'll just get a warning on startup that the native library isn't available.

I'm not quite convinced this is an SSL problem, since most clients can handle a TLS handshake these days.

Back to the original problem: how long does your application work before it doesn't? When it doesn't work, what happens when you try to connect? Long timeout? Immediate connection refusal? Failed handshake? You need to provide more information. Can you summarize the problem again and give specifics?

-chris

On Wed, Jan 21, 2015 at 11:39 PM, Jason Y day...@gmail.com wrote:

You mean here maxThreads="150"? But there is no respective log message for this. And I didn't find many requests to the service. Currently there are no changed settings (firewall/network, etc.).

On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner jeffrey.jan...@polydyne.com wrote:

-----Original Message-----
From: Jason Y [mailto:day...@gmail.com]
Sent: Wednesday, January 21, 2015 12:44 AM
To: Tomcat Users List
Subject: Re: SSL issue in tomcat

Got another issue... Tomcat is working fine after a restart but it cannot last long. Now I cannot access https pages with any browsers. I didn't find anything useful in the logs. After a restart, it works well again.
    <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" keystoreFile="lib/cert/.keystore" keystorePass="" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Just a thought, but since it works for a while and then stops responding, could it be that the OP is running out of processing threads, i.e. a thread or connection pool leak?

On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah sanaulla...@gmail.com wrote:

It's not necessary to have the ciphers property, but if you want to restrict the ciphers then you can use this property.

On Wed, Jan 21, 2015 at 6:53 AM, Jason Y day...@gmail.com wrote:

Thank you all. Now it is working fine.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" keystoreFile="lib/cert/.keystore" keystorePass="" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />

By the way, do I need the ciphers property here?

On Tue, Jan 20, 2015 at 11
Re: SSL issue in tomcat
You mean here maxThreads="150"? But there is no respective log message for this. And I didn't find many requests to the service. Currently there are no changed settings (firewall/network, etc.).

On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner jeffrey.jan...@polydyne.com wrote:

-----Original Message-----
From: Jason Y [mailto:day...@gmail.com]
Sent: Wednesday, January 21, 2015 12:44 AM
To: Tomcat Users List
Subject: Re: SSL issue in tomcat

Got another issue... Tomcat is working fine after a restart but it cannot last long. Now I cannot access https pages with any browsers. I didn't find anything useful in the logs. After a restart, it works well again.

    <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" keystoreFile="lib/cert/.keystore" keystorePass="" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Just a thought, but since it works for a while and then stops responding, could it be that the OP is running out of processing threads, i.e. a thread or connection pool leak?

On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah sanaulla...@gmail.com wrote:

It's not necessary to have the ciphers property, but if you want to restrict the ciphers then you can use this property.

On Wed, Jan 21, 2015 at 6:53 AM, Jason Y day...@gmail.com wrote:

Thank you all. Now it is working fine.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" keystoreFile="lib/cert/.keystore" keystorePass="" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />

By the way, do I need the ciphers property here?

On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz ch...@christopherschultz.net wrote:

Jason,

On 1/20/15 4:17 AM, Jason Y wrote:
Recently my application cannot be accessed in a browser with the https version. I think it is due to the vulnerability in ssl 3.0. I checked my tomcat configuration and replaced sslProtocol="TLS" with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx" keystorePass="xxx" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

None of the responses you have gotten thus far are useful in any way. Your configuration looks fine to me: sslEnabledProtocols is the way to go, although in recent versions of Tomcat the default is NOT to include any SSL protocols and only use the TLS ones, so if you are running something recent, you should be okay.

Then I can open my application https link in a browser. BUT, good times never last too long; after several hours, I failed to access my https link again.

What kinds of errors do you get? What do the logs say? What are the URLs you are using?

Does anyone have any ideas about this? Please share your suggestions... My tomcat version is 7.0.55

Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you should definitely keep your above configuration. There is no need to add a trust store or cipher specification to that.

-chris
Re: SSL issue in tomcat
What I changed in server.xml is adding sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1".

BUT I noticed that I am using JSSE instead of APR, so I removed the listener
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
Is this causing my error?

On Wed, Jan 21, 2015 at 11:39 PM, Jason Y day...@gmail.com wrote:

You mean here maxThreads="150"? But there is no respective log message for this. And I didn't find many requests to the service. Currently there are no changed settings (firewall/network, etc.).

On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner jeffrey.jan...@polydyne.com wrote:

-----Original Message-----
From: Jason Y [mailto:day...@gmail.com]
Sent: Wednesday, January 21, 2015 12:44 AM
To: Tomcat Users List
Subject: Re: SSL issue in tomcat

Got another issue... Tomcat is working fine after a restart but it cannot last long. Now I cannot access https pages with any browsers. I didn't find anything useful in the logs. After a restart, it works well again.

    <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" keystoreFile="lib/cert/.keystore" keystorePass="" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Just a thought, but since it works for a while and then stops responding, could it be that the OP is running out of processing threads, i.e. a thread or connection pool leak?

On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah sanaulla...@gmail.com wrote:

It's not necessary to have the ciphers property, but if you want to restrict the ciphers then you can use this property.

On Wed, Jan 21, 2015 at 6:53 AM, Jason Y day...@gmail.com wrote:

Thank you all. Now it is working fine.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" keystoreFile="lib/cert/.keystore" keystorePass="" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />

By the way, do I need the ciphers property here?

On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz ch...@christopherschultz.net wrote:

Jason,

On 1/20/15 4:17 AM, Jason Y wrote:
Recently my application cannot be accessed in a browser with the https version. I think it is due to the vulnerability in ssl 3.0. I checked my tomcat configuration and replaced sslProtocol="TLS" with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx" keystorePass="xxx" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

None of the responses you have gotten thus far are useful in any way. Your configuration looks fine to me: sslEnabledProtocols is the way to go, although in recent versions of Tomcat the default is NOT to include any SSL protocols and only use the TLS ones, so if you are running something recent, you should be okay.

Then I can open my application https link in a browser. BUT, good times never last too long; after several hours, I failed to access my https link again.

What kinds of errors do you get? What do the logs say? What are the URLs you are using?

Does anyone have any ideas about this? Please share your suggestions... My tomcat version is 7.0.55

Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you should definitely keep your above configuration. There is no need to add a trust store or cipher specification to that.

-chris
Re: SSL issue in tomcat
Here is what I get with the openssl s_client command:

    Loading 'screen' into random state - done
    CONNECTED(01E8)
    write to 0x2103650 [0x2103698] (124 bytes => 124 (0x7C))
    0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00
    0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0
    0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03
    0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00
    0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08
    0050 - 00 00 06 04 00 80 00 00-03 02 00 80 2b 20 ff a2
    0060 - dc 75 81 67 91 ff 8a 7e-8e 37 ed ac f6 97 0e 83
    0070 - 66 46 8c 87 b8 1c b3 0a-7e 46 72 30
    read from 0x2103650 [0x2108bf8] (7 bytes => 7 (0x7))
    0000 - 15 03 01 00 02 02 28
    13756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:596:

On Wed, Jan 21, 2015 at 4:49 PM, Sanaullah sanaulla...@gmail.com wrote:

Then maybe it's not the issue of tomcat. You can check your firewall? Maybe your firewall is dropping the connection after some time. Try to connect to the server from localhost using openssl s_client -connect hostname:8443 -debug; maybe you will find something useful.

On Wed, Jan 21, 2015 at 11:43 AM, Jason Y day...@gmail.com wrote:

Got another issue... Tomcat is working fine after a restart but it cannot last long. Now I cannot access https pages with any browsers. I didn't find anything useful in the logs. After a restart, it works well again.

    <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" keystoreFile="lib/cert/.keystore" keystorePass="" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah sanaulla...@gmail.com wrote:

It's not necessary to have the ciphers property, but if you want to restrict the ciphers then you can use this property.

On Wed, Jan 21, 2015 at 6:53 AM, Jason Y day...@gmail.com wrote:

Thank you all. Now it is working fine.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" keystoreFile="lib/cert/.keystore" keystorePass="" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />

By the way, do I need the ciphers property here?

On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz ch...@christopherschultz.net wrote:

Jason,

On 1/20/15 4:17 AM, Jason Y wrote:
Recently my application cannot be accessed in a browser with the https version. I think it is due to the vulnerability in ssl 3.0. I checked my tomcat configuration and replaced sslProtocol="TLS" with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx" keystorePass="xxx" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

None of the responses you have gotten thus far are useful in any way. Your configuration looks fine to me: sslEnabledProtocols is the way to go, although in recent versions of Tomcat the default is NOT to include any SSL protocols and only use the TLS ones, so if you are running something recent, you should be okay.

Then I can open my application https link in a browser. BUT, good times never last too long; after several hours, I failed to access my https link again.

What kinds of errors do you get? What do the logs say? What are the URLs you are using?

Does anyone have any ideas about this? Please share your suggestions... My tomcat version is 7.0.55

Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you should definitely keep your above configuration. There is no need to add a trust store or cipher specification to that.

-chris
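The two records in the openssl s_client -debug dump above can be read off byte by byte rather than inferred from the error string. What follows is an added example written for this page; it is not code from the thread, from OpenSSL or from Tomcat. The 124 bytes the client wrote are an SSLv2-format CLIENT-HELLO (two-byte record header with the high bit set, a version field of 03 01 meaning TLS 1.0, then 3-byte cipher kinds) and the 7 bytes the server sent back are a TLS alert record: content type 0x15, level 2 (fatal), description 40 (handshake_failure). The hex below is transcribed from the dump in this message with the ASCII column dropped; the cipher-suite and alert names are the IANA registry names.

```python
"""Decode the client/server bytes from an `openssl s_client -debug` run.

Added example for this thread; not code from the thread, from OpenSSL or from
Tomcat. The client record is an SSLv2-format CLIENT-HELLO carrying a TLS 1.0
version number; the reply is a TLS alert record (RFC 5246 layout).
"""
import re

# Hex transcribed from the "write to" / "read from" lines of the dump in this
# thread, ASCII column dropped: the full 124-byte ClientHello and the reply.
CLIENT_HELLO_HEX = """
80 7a 01 03 01 00 51 00 00 00 20 00 00 39 00 00
38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0
00 00 33 00 00 32 00 00 2f 00 00 07 05 00 80 03
00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00
12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08
00 00 06 04 00 80 00 00 03 02 00 80 2b 20 ff a2
dc 75 81 67 91 ff 8a 7e 8e 37 ed ac f6 97 0e 83
66 46 8c 87 b8 1c b3 0a 7e 46 72 30
"""
SERVER_REPLY_HEX = "15 03 01 00 02 02 28"

# IANA names for the TLS cipher suites that appear in the dump.
TLS_SUITES = {
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0007: "TLS_RSA_WITH_IDEA_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA", 0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA", 0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", 0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
                      48: "unknown_ca", 70: "protocol_version", 80: "internal_error"}


def hex_to_bytes(dump):
    """Collect the two-digit hex pairs of a dump (4-digit offsets are skipped)."""
    return bytes.fromhex("".join(re.findall(r"\b[0-9a-fA-F]{2}\b", dump)))


def parse_sslv2_client_hello(data):
    """Decode an SSLv2-format CLIENT-HELLO record into its fields."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an SSLv2 record with a 2-byte header")
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated record: header says %d bytes, got %d" % (length, len(body)))
    if body[0] != 0x01:
        raise ValueError("message type 0x%02x is not CLIENT-HELLO" % body[0])
    version = (body[1], body[2])                      # (3, 1) is TLS 1.0
    cipher_len = int.from_bytes(body[3:5], "big")
    session_len = int.from_bytes(body[5:7], "big")
    challenge_len = int.from_bytes(body[7:9], "big")
    if cipher_len % 3 or 9 + cipher_len + session_len + challenge_len != length:
        raise ValueError("CLIENT-HELLO length fields do not add up")
    tls_suites, sslv2_only = [], []
    for i in range(9, 9 + cipher_len, 3):
        kind = body[i:i + 3]
        if kind[0] == 0:  # 00 xx yy wraps a 2-byte SSL3/TLS cipher suite id
            suite_id = int.from_bytes(kind[1:], "big")
            tls_suites.append(TLS_SUITES.get(suite_id, "0x%04x" % suite_id))
        else:             # any other first byte is an SSLv2-only cipher kind
            sslv2_only.append(kind.hex())
    return {"version": version, "tls_suites": tls_suites,
            "sslv2_only_ciphers": sslv2_only, "session_id_len": session_len,
            "challenge_len": challenge_len}


def parse_tls_alert(data):
    """Decode a TLS alert record (content type 0x15, 2-byte payload)."""
    if len(data) != 7 or data[0] != 0x15:
        raise ValueError("not a 7-byte TLS alert record")
    if int.from_bytes(data[3:5], "big") != 2:
        raise ValueError("alert payload length must be 2")
    return {"version": (data[1], data[2]),
            "level": ALERT_LEVELS.get(data[5], str(data[5])),
            "description": ALERT_DESCRIPTIONS.get(data[6], str(data[6]))}


def offered(hello, suite_names):
    """Return which of the given suite names the client actually offered."""
    return [s for s in suite_names if s in hello["tls_suites"]]


def explain_dump(client_hex=CLIENT_HELLO_HEX, server_hex=SERVER_REPLY_HEX):
    """Parse both sides of the exchange and return (hello, alert)."""
    hello = parse_sslv2_client_hello(hex_to_bytes(client_hex))
    alert = parse_tls_alert(hex_to_bytes(server_hex))
    return hello, alert


if __name__ == "__main__":
    hello, alert = explain_dump()
    print("client: SSLv2-format hello, version %d.%d, %d TLS suites, %d SSLv2-only kinds"
          % (hello["version"] + (len(hello["tls_suites"]), len(hello["sslv2_only_ciphers"]))))
    print("server: %s alert %s (record version %d.%d)"
          % (alert["level"], alert["description"], *alert["version"]))
```

Two things fall out of the decode that the error string alone does not show. First, the client's hello is in the SSLv2 record format (with seven SSLv2-only cipher kinds mixed in among twenty TLS suites), which is exactly the case Christopher Schultz's reply addresses when he says SSLv2Hello must be enabled for such clients. Second, the three suites Jason configured in ciphers (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA) are all present in the client's list, so a cipher mismatch is not what produced the fatal handshake_failure.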
Re: SSL issue in tomcat
Hi folks,

Recently my application cannot be accessed in a browser with the https version. I think it is due to the vulnerability in ssl 3.0. I checked my tomcat configuration and replaced sslProtocol="TLS" with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx" keystorePass="xxx" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Then I can open my application https link in a browser. BUT, good times never last too long; after several hours, I failed to access my https link again.

Does anyone have any ideas about this? Please share your suggestions... My tomcat version is 7.0.55

Thank you all very much.

On Tue, Jan 20, 2015 at 3:56 PM, Jason Y day...@gmail.com wrote:

Hi folks,

Recently my application cannot be accessed in a browser with the https version. I think it is due to the vulnerability in ssl 3.0. I checked my tomcat configuration and replaced sslProtocol="TLS" with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx" keystorePass="xxx" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Then I can open my application https link in a browser. BUT, good times never last too long; after several hours, I failed to access my https link again.

Does anyone have any ideas about this? Please share your suggestions... My tomcat version is 7.0.55

Thank you all very much.
Re: SSL issue in tomcat
Thanks, Raj, Sanaullah and Dave. I am not sure if it is the POODLE issue (http://wiki.apache.org/tomcat/Security/POODLE); this solution is the same as Raj's suggestion. I will try, thanks.

On Tue, Jan 20, 2015 at 5:43 PM, Utkarsh Dave utkarshkd...@gmail.com wrote:

I don't think you will achieve what you want via disabling the SSL protocol using sslEnabledProtocols. The vulnerability "I think it is due to vulnerability in ssl 3.0 issue." will not stop access to the application. You may want to revert your changes back, and check the firewall settings or anything that can block the ports 8443, 8080 etc... Is there any exception in catalina.out?

-Utkarsh

On Tue, Jan 20, 2015 at 2:47 PM, Jason Y day...@gmail.com wrote:

Hi folks,

Recently my application cannot be accessed in a browser with the https version. I think it is due to the vulnerability in ssl 3.0. I checked my tomcat configuration and replaced sslProtocol="TLS" with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx" keystorePass="xxx" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Then I can open my application https link in a browser. BUT, good times never last too long; after several hours, I failed to access my https link again.

Does anyone have any ideas about this? Please share your suggestions... My tomcat version is 7.0.55

Thank you all very much.

On Tue, Jan 20, 2015 at 3:56 PM, Jason Y day...@gmail.com wrote:

Hi folks,

Recently my application cannot be accessed in a browser with the https version. I think it is due to the vulnerability in ssl 3.0. I checked my tomcat configuration and replaced sslProtocol="TLS" with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx" keystorePass="xxx" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Then I can open my application https link in a browser. BUT, good times never last too long; after several hours, I failed to access my https link again.

Does anyone have any ideas about this? Please share your suggestions... My tomcat version is 7.0.55

Thank you all very much.
Re: SSL issue in tomcat
Thank you all. Now it is working fine.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" keystoreFile="lib/cert/.keystore" keystorePass="" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />

By the way, do I need the ciphers property here?

On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz ch...@christopherschultz.net wrote:

Jason,

On 1/20/15 4:17 AM, Jason Y wrote:
Recently my application cannot be accessed in a browser with the https version. I think it is due to the vulnerability in ssl 3.0. I checked my tomcat configuration and replaced sslProtocol="TLS" with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx" keystorePass="xxx" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

None of the responses you have gotten thus far are useful in any way. Your configuration looks fine to me: sslEnabledProtocols is the way to go, although in recent versions of Tomcat the default is NOT to include any SSL protocols and only use the TLS ones, so if you are running something recent, you should be okay.

Then I can open my application https link in a browser. BUT, good times never last too long; after several hours, I failed to access my https link again.

What kinds of errors do you get? What do the logs say? What are the URLs you are using?

Does anyone have any ideas about this? Please share your suggestions... My tomcat version is 7.0.55

Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you should definitely keep your above configuration. There is no need to add a trust store or cipher specification to that.

-chris
Re: SSL issue in tomcat
Got another issue... Tomcat works fine after a restart, but it does not last long. Now I cannot access https pages with any browser. I didn't find anything useful in the logs. After a restart, it works well again.

<Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
    SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
    sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
    keystoreFile="lib/cert/.keystore" keystorePass="" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah <sanaulla...@gmail.com> wrote:
> It's not necessary to have the ciphers property, but if you want to restrict the ciphers then you can use this property.
>
> On Wed, Jan 21, 2015 at 6:53 AM, Jason Y <day...@gmail.com> wrote:
> > Thank you all. Now it is working fine.
> > [...]
> > By the way, do I need the ciphers property here?
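An added example, not from this thread or from the Tomcat project: a small Python audit that reads a server.xml and checks the two points raised above, whether sslEnabledProtocols leaves SSLv3 out (or, if unset, whether the Tomcat version is at least 7.0.57, where the default became TLS-only) and whether an optional ciphers list names weak suites. The sample XML is constructed here to mirror the Connectors posted in the thread; the tomcat_version parameter and the weak-suite markers are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment mirroring the Connectors in the thread
# (keystorePass blanked, as the poster did). Not the poster's actual file.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
  maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
  sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
  keystoreFile="lib/cert/.keystore" keystorePass=""
  ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA" />
</Service></Server>"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3"}
# Substrings that mark suites a defender would not want in a ciphers list (assumed list).
WEAK_CIPHER_MARKERS = ("_NULL_", "_EXPORT", "_RC4_", "_DES_", "_anon_", "_MD5")


def split_csv(value):
    """Split a comma-separated Tomcat attribute value, tolerating spaces."""
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_connector(conn, tomcat_version):
    """Return findings (strings) for one SSL-enabled <Connector>; empty list if clean."""
    findings = []
    enabled = conn.get("sslEnabledProtocols")
    if enabled is None:
        # Per the thread: only from 7.0.57 does Tomcat default to TLS-only protocols.
        if tomcat_version < (7, 0, 57):
            findings.append("sslEnabledProtocols unset: SSLv3 may still be negotiable")
    else:
        legacy = LEGACY_PROTOCOLS & set(split_csv(enabled))
        if legacy:
            findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    # The ciphers attribute is optional; when present, check what it allows.
    for suite in split_csv(conn.get("ciphers", "")):
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher suite listed: " + suite)
    return findings


def audit_server_xml(xml_text, tomcat_version=(7, 0, 55)):
    """Map each SSL-enabled Connector's port to its findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_connector(c, tomcat_version)
            for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"}


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(port, findings or "OK")
```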