How do I disable SSLv3 in tomcat?
Solution 1
Use the following configuration in server.xml (the last line is important):

```xml
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/keystore.jks"
           keystorePass="rmi+ssl"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1+TLSv1.1+TLSv1.2"/>
```
The Impact of Disabling SSLv3
There’s little impact for most people in disabling SSLv3 because they are not relying on SSLv3 to make connections via SSL/TLS. The large majority relies on TLS.
In the future, browsers such as Google Chrome and Firefox will have SSLv3 disabled at release. It is also advisable to disable SSLv3 on home browsers, not only server applications.
Very old browsers like IE 6 will have issues with it, but I guess those do not support many of the latest technologies anyway.
Note: Thanks Christopher, updated as per your suggestions.
Solution 2
I tried the config suggested by Deepak. Though Tomcat did start, web apps were still accessible using SSLv3. The config suggested in this blog post about the POODLE attack worked for me. We are running Tomcat 7.0.55 and 7.0.56. Example connector below (note that we are using JKS keystores, hence the protocol attribute):

```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           keystoreFile="conf\store\tomcat.keystore" enableLookups="true"
           keystorePass="password" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" server="Apache Tomcat" />
```
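Both answers and the comments below them disagree on the attribute name and on the list separator, so a quick audit of server.xml before restarting Tomcat is worthwhile. The following script is an added example, not code from either answer: it parses a constructed server.xml fragment, accepts both `,` and `+` separators, and flags SSL-enabled connectors that still allow SSLv3, omit `sslEnabledProtocols` entirely (leaving the JVM default in charge), or use the unrecognized `sslProtocols` attribute.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the original post): a hardened
# connector like the one in the answers, one that still allows SSLv3,
# one with no protocol restriction, and a plain HTTP connector.
SAMPLE_SERVER_XML = """<Server>
 <Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             sslProtocols="TLS" sslEnabledProtocols="SSLv3+TLSv1"/>
  <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
 </Service>
</Server>"""

# Protocol names that mean SSLv2/SSLv3 is still negotiable.
FORBIDDEN = {"SSL", "SSLV2", "SSLV3"}

def split_protocols(value):
    """Split an sslEnabledProtocols value on either separator seen in the thread."""
    return [p.strip() for p in value.replace("+", ",").split(",") if p.strip()]

def audit_connectors(xml_text):
    """Return a list of (port, findings) for every SSL-enabled Connector."""
    results = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connectors do not negotiate SSL/TLS at all
        findings = []
        if "sslProtocols" in conn.attrib:
            findings.append("unrecognized attribute sslProtocols (Tomcat uses sslProtocol)")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            findings.append("sslEnabledProtocols missing: JVM default protocol list applies")
        else:
            protos = split_protocols(enabled)
            bad = [p for p in protos if p.upper() in FORBIDDEN]
            if bad:
                findings.append("SSLv3 explicitly enabled via: " + ", ".join(bad))
            if not protos:
                findings.append("sslEnabledProtocols is empty")
        results.append((conn.get("port"), findings))
    return results

if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML):
        print(port, "OK" if not findings else "; ".join(findings))
```

Point it at a real server.xml by reading the file into `audit_connectors`; a clean result still needs confirming against the running server with a TLS scanner, since the JVM version decides what an unrestricted connector offers.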
Abhishek Parikh
Java/J2EE (12 Years of Experience). I still enjoy coding :)
Updated on June 04, 2022

Comments

- Abhishek Parikh, almost 2 years: How do I disable SSLv3 in Tomcat for the POODLE vulnerability that was found? What impact will it have on browsers; will all browsers work?
- Christopher Schultz, over 9 years: `sslProtocols` is not a recognized configuration option for a `<Connector>`. Also, you must specifically disable the `SSLv3` protocol using `sslEnabledProtocols` because Java's `TLS` protocols all speak `SSLv3` as well.
- Christopher Schultz, over 9 years: `sslEnabledProtocols` does not use commas to separate the enabled protocols: you need to use `+` instead. Other than that, this is the correct response.