Jason,

On 1/21/15 4:29 AM, Jason Y wrote:
> Here is what I get with openssl s_client command:
> 
> Loading 'screen' into random state - done
> CONNECTED(000001E8)
> write to 0x2103650 [0x2103698] (124 bytes => 124 (0x7C))
> 0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..
> 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
> 0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
> 0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................
> 0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
> 0050 - 00 00 06 04 00 80 00 00-03 02 00 80 2b 20 ff a2   ............+ ..
> 0060 - dc 75 81 67 91 ff 8a 7e-8e 37 ed ac f6 97 0e 83   .u.g...~.7......
> 0070 - 66 46 8c 87 b8 1c b3 0a-7e 46 72 30               fF......~Fr0
> read from 0x2103650 [0x2108bf8] (7 bytes => 7 (0x7))
> 0000 - 15 03 01 00 02 02 28                              ......(
> 13756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:596:

Use this:

$ openssl s_client -tls1 -connect host:port

If you want to be able to handle SSL2/3 handshakes, then you will want
to enable SSLv2hello using the "sslEnabledProtocols" attribute, like this:

<Connector [...]
   sslProtocol="TLS"
   sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2hello"
   />

-chris
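The two records in the quoted dump, decoded in Python as an added example that is not code from the thread, Tomcat or OpenSSL: the 124-byte write is an SSLv2-compatible CLIENT-HELLO (a TLS 1.0 hello carried in SSLv2 record framing, which is what `-tls1` avoids and `SSLv2Hello` lets the connector accept), and the 7-byte read is the fatal handshake_failure alert behind the s_client error. The byte values are copied from the dump; the parser, `parse_record` and `explain` are constructed here.

```python
# Added example (not code from the thread, Tomcat or OpenSSL): decode the two
# records in the quoted s_client -debug dump. Byte values are copied from the
# dump; the parser and its names are constructed here.
import struct

# Client write (124 bytes): an SSLv2-compatible CLIENT-HELLO.
CLIENT_WRITE = bytes.fromhex(
    "807a0103010051000000200000390000" "3800003500001600001300000a0700c0"
    "00003300003200002f00000705008003" "00800000050000040100800000150000"
    "12000009060040000014000011000008" "0000060400800000030200802b20ffa2"
    "dc75816791ff8a7e8e37edacf6970e83" "66468c87b81cb30a7e467230")
# Server read (7 bytes): a TLS alert record.
SERVER_READ = bytes.fromhex("15030100020228")
ALERT_DESC = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def parse_record(data):
    """Describe one record. An SSLv2 record has a 2-byte header with the high
    bit set and no content type; an SSLv3/TLS record starts with a content
    type byte (0x14-0x17), so the first byte tells the two framings apart."""
    if data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if body[0] != 0x01:                        # only CLIENT-HELLO is decoded
            return {"format": "sslv2", "msg_type": body[0]}
        major, minor, spec_len, sid_len, chal_len = struct.unpack(">BBHHH", body[1:9])
        specs = body[9:9 + spec_len]               # 3-byte V2 cipher specs
        # A leading 0x00 marks a TLS suite id carried in V2 framing; any other
        # first byte is an SSLv2-only cipher kind.
        tls = [specs[i + 1:i + 3].hex() for i in range(0, spec_len, 3) if specs[i] == 0]
        v2 = [specs[i:i + 3].hex() for i in range(0, spec_len, 3) if specs[i] != 0]
        return {"format": "sslv2-hello", "version": (major, minor), "tls_suites": tls,
                "sslv2_only": v2, "session_id_len": sid_len, "challenge_len": chal_len}
    ctype, major, minor, length = struct.unpack(">BBBH", data[:5])
    rec = {"format": "tls", "content_type": ctype, "version": (major, minor)}
    if ctype == 21 and length == 2:                # alert: level, description
        level, desc = data[5], data[6]
        rec["alert"] = ("fatal" if level == 2 else "warning", ALERT_DESC.get(desc, str(desc)))
    return rec


def explain(client_bytes, server_bytes):
    """One-line diagnosis matching the advice in the reply above."""
    c, s = parse_record(client_bytes), parse_record(server_bytes)
    if c["format"] == "sslv2-hello" and s.get("alert", ("", ""))[1] == "handshake_failure":
        return ("SSLv2-compatible CLIENT-HELLO (version %d.%d, %d TLS suites) answered by a "
                "fatal handshake_failure alert: retry with -tls1 or add SSLv2Hello to "
                "sslEnabledProtocols" % (c["version"] + (len(c["tls_suites"]),)))
    return "client=%s server=%s" % (c["format"], s["format"])
```

The cipher list the client offered includes 0x002f, 0x0033 and 0x0032, the three AES-128 suites from the connector's `ciphers` attribute, so the failure is at the record-framing stage, not cipher selection.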

> On Wed, Jan 21, 2015 at 4:49 PM, Sanaullah <sanaulla...@gmail.com>
> wrote:
> 
>> Then maybe it's not the issue of Tomcat. You can check your
>> firewall? Maybe your firewall is dropping the connection after some
>> time.
>> 
>> Try to connect to the server from localhost using "openssl s_client
>> -connect hostname:8443 -debug"; maybe you will find something
>> useful.
>> 
>> On Wed, Jan 21, 2015 at 11:43 AM, Jason Y <day...@gmail.com>
>> wrote:
>> 
>>> Got another issue... Tomcat is working fine after restart but it
>>> cannot last long. Now I cannot access https pages with any browsers.
>>> I didn't find anything useful in logs. After a restart, it works
>>> well again.
>>> 
>>> <Connector executor="tomcatThreadPool" port="8080"
>>>            protocol="HTTP/1.1" connectionTimeout="20000"
>>>            redirectPort="8443" />
>>> <Connector port="8443"
>>>            protocol="org.apache.coyote.http11.Http11Protocol"
>>>            maxThreads="150" SSLEnabled="true" scheme="https"
>>>            secure="true" clientAuth="false" sslProtocol="TLS"
>>>            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>>>            keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx" />
>>> <!-- Define an AJP 1.3 Connector on port 8009 -->
>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>> 
>>> On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah <sanaulla...@gmail.com>
>>> wrote:
>>> 
>>>> It's not necessary to have the ciphers property, but if you want to
>>>> restrict the ciphers then you can use this property.
>>>> 
>>>> On Wed, Jan 21, 2015 at 6:53 AM, Jason Y <day...@gmail.com>
>>>> wrote:
>>>> 
>>>>> Thank you all. Now it is working fine.
>>>>> 
>>>>> <Connector port="8443"
>>>>>            protocol="org.apache.coyote.http11.Http11Protocol"
>>>>>            maxThreads="150" SSLEnabled="true" scheme="https"
>>>>>            secure="true" clientAuth="false" sslProtocol="TLS"
>>>>>            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>>>>>            keystoreFile="lib/cert/xxxx.keystore" keystorePass="xxxx"
>>>>>            ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
>>>>>                     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>>>>>                     TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />
>>>>> 
>>>>> By the way, do I need "ciphers" properties here?
>>>>> 
>>>>> On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz
>>>>> <ch...@christopherschultz.net> wrote:
>>>>> 
>>>>>> Jason,
>>>>>> 
>>>>>> On 1/20/15 4:17 AM, Jason Y wrote:
>>>>>>> Recently my application cannot be accessed in the browser with
>>>>>>> the https version. I think it is due to the vulnerability in SSL
>>>>>>> 3.0.
>>>>>>> 
>>>>>>> I checked my Tomcat configuration and replaced sslProtocol="TLS"
>>>>>>> with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
>>>>>>> 3.0.
>>>>>>> 
>>>>>>> <Connector port="8080" protocol="HTTP/1.1"
>>>>>>>            connectionTimeout="20000" redirectPort="8443" />
>>>>>>> <Connector port="8443"
>>>>>>>            protocol="org.apache.coyote.http11.Http11Protocol"
>>>>>>>            maxThreads="150" SSLEnabled="true" scheme="https"
>>>>>>>            secure="true" clientAuth="false"
>>>>>>>            sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>>>>>>>            keystoreFile="xxx" keystorePass="xxx" />
>>>>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>>>>> 
>>>>>> None of the responses you have gotten thus far are useful in any
>>>>>> way.
>>>>>> 
>>>>>> Your configuration looks fine to me: sslEnabledProtocols is the
>>>>>> way to go, although in recent versions of Tomcat the default is
>>>>>> NOT to include any "SSL" protocols and only use the "TLS" ones,
>>>>>> so if you are running something recent, you should be okay.
>>>>>> 
>>>>>>> Then I can open my application https link in the browser. BUT,
>>>>>>> good times never last too long; after several hours, I failed to
>>>>>>> access my https link again.
>>>>>> 
>>>>>> What kinds of errors do you get? What do the logs say? What are
>>>>>> the URLs you are using?
>>>>>> 
>>>>>>> Does anyone have any ideas about this? Please share your
>>>>>>> suggestions... My Tomcat version is 7.0.55
>>>>>> 
>>>>>> Those SSL/TLS defaults I mentioned above were done in 7.0.57, so
>>>>>> you should definitely keep your above configuration. There is no
>>>>>> need to add a trust store or cipher specification to that.
>>>>>> 
>>>>>> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org