How do I disable SSLv3 in tomcat?

16,156

Solution 1

Use the following configuration in server.xml (the last line is important):

```xml
<!-- sslProtocol (singular) picks the JSSE context; sslEnabledProtocols lists
     the versions the connector will negotiate. Tomcat 7's JSSE connector reads
     that list as comma-separated, and SSLv3 is simply left out of it. -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/keystore.jks"
           keystorePass="rmi+ssl"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
```

The Impact of Disabling SSLv3

There’s little impact for most people in disabling SSLv3 because they are not relying on SSLv3 to make connections via SSL/TLS. The large majority relies on TLS.

In the future, browsers such as Google Chrome and Firefox will have SSLv3 disabled at release. It is also advisable to disable SSLv3 on home browsers, not only server applications.

Very old browsers like IE 6 will have issues with it, but I guess those do not support many of the latest technologies anyway.

Note: Thanks Christopher, updated as per your suggestions.

Solution 2

I tried the config suggested by Deepak. Though Tomcat did start, web apps were still accessible using SSLv3. The config suggested in this blog post about the POODLE attack worked for me. We are running Tomcat 7.0.55 and 7.0.56. Example connector below (note that we are using JKS keystores, hence the protocol attribute):

```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           keystoreFile="conf\store\tomcat.keystore" enableLookups="true"
           keystorePass="password" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" server="Apache Tomcat" />
```
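As an added check (example code written for this page, not part of either answer and not Tomcat's own code), the script below parses a server.xml and audits every SSL-enabled JSSE connector for the mistakes this thread runs into: the unrecognised `sslProtocols` attribute, a missing `sslEnabledProtocols` (which leaves the JVM defaults in force, and on older Java releases those include SSLv3), SSLv3 listed explicitly, and a value that Tomcat 7's JSSE connector cannot split into protocol names because it expects a comma-separated list. The sample server.xml, its port numbers and the set of protocol names are constructed for the example; that an unmatched token is dropped rather than rejected is assumed from Tomcat 7's JSSE connector behaviour.

```python
import xml.etree.ElementTree as ET

# Protocol names a JSSE connector can match in sslEnabledProtocols.
# Constructed for this audit; the exact set depends on the JVM in use.
KNOWN_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Constructed sample server.xml (port numbers and keystore paths are made up):
#   8080  plain HTTP, nothing to check
#   8443  the two mistakes called out in the comments
#   8444  written the way Solution 2 has it
#   8445  no sslEnabledProtocols at all, so JVM defaults apply
#   8446  SSLv3 listed explicitly
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"
               sslProtocols="TLS" sslEnabledProtocols="TLSv1+TLSv1.1+TLSv1.2"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
               keystoreFile="conf/tomcat.keystore" keystorePass="changeit"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" keystoreFile="conf/keystore.jks"
               keystorePass="changeit" sslProtocol="TLS"/>
    <Connector port="8446" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" keystoreFile="conf/keystore.jks"
               keystorePass="changeit" sslProtocol="TLS"
               sslEnabledProtocols="SSLv3,TLSv1"/>
  </Service>
</Server>
"""


def audit_connector(conn):
    """Return a list of finding strings for one <Connector> element."""
    findings = []
    port = conn.get("port", "?")
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP or AJP connector: no TLS settings to audit

    if "sslProtocols" in conn.attrib:
        findings.append(
            f"port {port}: 'sslProtocols' is not a Connector attribute "
            "(the JSSE attribute is 'sslProtocol'); it is silently ignored"
        )

    enabled = conn.get("sslEnabledProtocols")
    if enabled is None:
        findings.append(
            f"port {port}: sslEnabledProtocols not set; JVM defaults apply "
            "and may include SSLv3"
        )
        return findings

    # Tomcat 7's JSSE connector splits this attribute on commas only.
    tokens = [t.strip() for t in enabled.split(",") if t.strip()]
    for tok in tokens:
        if tok not in KNOWN_PROTOCOLS:
            findings.append(
                f"port {port}: unrecognised protocol token '{tok}' "
                "(list is comma-separated; unmatched tokens are dropped)"
            )
    if "SSLv3" in tokens:
        findings.append(f"port {port}: SSLv3 is explicitly enabled")
    return findings


def audit_server_xml(xml_text):
    """Audit every <Connector> in a server.xml document; return all findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(audit_connector(conn))
    return findings


if __name__ == "__main__":
    for line in audit_server_xml(SAMPLE_SERVER_XML):
        print(line)
```

Run it against a real server.xml by passing the file contents to `audit_server_xml`; a clean result is an empty list, and every finding names the connector port it applies to.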
Author: Abhishek Parikh

Java/J2EE (12 Years of Experience). I still enjoy coding :)

Updated on June 04, 2022

Comments

  • Abhishek Parikh, almost 2 years ago

    How do I disable SSLv3 in Tomcat for the POODLE vulnerability? What impact will it have on browsers? Will all browsers still work?

  • Christopher Schultz, over 9 years ago

    sslProtocols is not a recognized configuration option for a <Connector>. Also, you must specifically disable the SSLv3 protocol using sslEnabledProtocols because Java's TLS protocols all speak SSLv3 as well.

  • Christopher Schultz, over 9 years ago

    sslEnabledProtocols does not use commas to separate the enabled protocols: you need to use + instead. Other than that, this is the correct response.