As Charles said, move up to 6.0.20 and switch to the NIO connector. If you have to stay with 5.5.23, you'll need to go with the APR SSL connector.
(slap me if I'm still wrong Charles, but I checked the doc and there doesn't appear to be support for NIO in 5.5.x)

Jeff

-----Original Message-----
From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
Sent: Tuesday, January 19, 2010 10:24 AM
To: Tomcat Users List
Subject: RE: SSLv3/TLS man-in-middle vulnerability

Hi Charles,

FYI: This is in my listener list:

<Listener className="org.apache.catalina.core.AprLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>

Added the "protocol" entry and now trying to start Tomcat manager results in "page cannot be displayed". Removing the entry, it starts. Added as follows:

<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
           minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100" scheme="https"
           secure="true" clientAuth="false" sslProtocol="TLS"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           keystoreFile="xxx" keystorePass="xxx" keystoreType="PKCS12" />

Steve

Steve Johnson
(619) 237-8315

"Caldarale, Charles R" <Chuck.Caldarale@unisys.com>
To: Tomcat Users List <users@tomcat.apache.org>
01/19/2010 07:33 AM
Subject: RE: SSLv3/TLS man-in-middle vulnerability
Please respond to "Tomcat Users List" <us...@tomcat.apache.org>

> From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
> Subject: Re: SSLv3/TLS man-in-middle vulnerability
>
> <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
>            minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>            disableUploadTimeout="true" acceptCount="100" scheme="https"
>            secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="xxx"
>            keystorePass="xxx" keystoreType="PKCS12" />

Add the following attribute to the above:

protocol="org.apache.coyote.http11.Http11NioProtocol"

Leave the AJP <Connector> alone.

- Chuck
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
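As an added example (not code from any of the posters or from Tomcat itself): a small Python audit that walks a server.xml and reports, for each <Connector>, whether an https connector has been switched to the NIO connector as Chuck describes, is left on the default connector, or is AJP and should be left alone. The sample server.xml is constructed, and the APR protocol class name is an assumption about Tomcat 6's explicit APR connector, not something taken from the thread.

```python
import xml.etree.ElementTree as ET

# NIO is the class name quoted in the thread; the APR class name is an
# assumption about Tomcat 6's explicit APR connector (not from the thread).
NIO = "org.apache.coyote.http11.Http11NioProtocol"
APR = "org.apache.coyote.http11.Http11AprProtocol"

# Constructed sample server.xml: an https connector still on the default
# connector, one already switched to NIO, plus plain HTTP and AJP connectors.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="xxx" keystorePass="xxx" keystoreType="PKCS12" />
    <Connector port="8444" scheme="https" secure="true" sslProtocol="TLS"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreFile="xxx" keystorePass="xxx" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>"""


def audit_connectors(server_xml):
    """Return {port: verdict} for every <Connector> in a server.xml string."""
    root = ET.fromstring(server_xml)
    # If the APR lifecycle listener is configured, a protocol="HTTP/1.1"
    # connector may become APR at runtime (when tcnative loads); that cannot
    # be decided from server.xml alone, so such connectors are only flagged.
    apr_listener = any(
        lst.get("className", "").endswith("AprLifecycleListener")
        for lst in root.iter("Listener"))
    verdicts = {}
    for conn in root.iter("Connector"):
        port = conn.get("port")
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default value
        is_tls = conn.get("scheme") == "https" and conn.get("secure") == "true"
        if "AJP" in protocol or protocol.endswith("AjpProtocol"):
            verdicts[port] = "ajp"            # leave the AJP connector alone
        elif not is_tls:
            verdicts[port] = "http"           # not an SSL connector
        elif protocol == NIO:
            verdicts[port] = "ok-nio"
        elif protocol == APR:
            verdicts[port] = "ok-apr"
        elif apr_listener:
            verdicts[port] = "verify-apr-listener"
        else:
            verdicts[port] = "fix-default-ssl-connector"
    return verdicts


if __name__ == "__main__":
    for port, verdict in sorted(audit_connectors(SAMPLE_SERVER_XML).items()):
        print(port, verdict)
```

Run it against a real server.xml by passing the file contents to audit_connectors(); a "fix-default-ssl-connector" verdict is the connector that needs the protocol attribute added (or the APR connector on 5.5.x).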