
I have a very old web application that uses Tomcat 4. Because of the POODLE vulnerability I need to disable SSL3 and disable a bunch of weak ciphers. My connector looks like this, but apparently, according to www.ssllabs.com, I still have SSL3 enabled. Can anybody tell me what's wrong? Any insight would be appreciated, thanks!

(Edited so it appears on the page, so some characters are missing, but the important attributes are there.)

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true"
               SSLEnabled="true" sslProtocols="TLSv1, TLSv1.1, TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA">

      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS" />
    </Connector>
Sven
jeff.eynon
  • You missed one cipher: `SSL_RSA_WITH_RC4_128_SHA` – Nathan C Nov 25 '14 at 14:17
  • Thanks Nathan. I added that cipher. Do you know why ssllabs.com still reports SSL3 is enabled when I'm only listing TLS protocols? – jeff.eynon Nov 25 '14 at 14:33
  • It could be that your tomcat is supporting SSL renegotiation which would make it fail on SSL3. See [this](http://stackoverflow.com/questions/12359288/disabling-ssl-tls-renegotiation-in-tomcat) related question. – Nathan C Nov 25 '14 at 14:59
  • According to OpenSSL, renegotiation is not supported. – jeff.eynon Nov 25 '14 at 20:57
  • I'm working on this matter too, but so far it looks like a dead end... The closest thing I found was [this](https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html), which states that you could avoid SSLv2 from Tomcat 4.1.32. I tried swapping the jar files, as a wild guess and hope, but it doesn't start, nor do I get an exception. I noticed the setting of an org.apache.tomcat.util.net.SSLImplementation in the Apache Coyote connector, but I'm unsure that it's a path to go... Did you by any chance get a bit further? –  Dec 04 '14 at 21:26

0 Answers
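The question has no answer on the page, so here is an added example that is not part of the original post, nor code from the Tomcat project. It encodes two checks a practitioner would run against a Tomcat 4 `server.xml` of this shape. First, `SSLEnabled`, `sslProtocols` and `ciphers` are attributes of the Tomcat 6+ JSSE connector; Tomcat 4's `CoyoteConnector` does not read them, and its SSL settings live on the nested `Factory` element (`protocol`, `ciphers`, `clientAuth` and the keystore attributes, with `ciphers` available from 4.1.32 according to the article linked in the comments). Second, the `Factory` attribute `protocol="TLS"` only names the JSSE `SSLContext` algorithm; it does not restrict the enabled protocol versions, and on JDKs before 7u75/8u31 such a context enables SSLv3 by default, which is what SSL Labs reports. Those JDK releases disable SSLv3 through `jdk.tls.disabledAlgorithms=SSLv3` in `java.security`, so on Tomcat 4 that JDK setting (or a JDK that ships with it) is where SSLv3 actually gets switched off. The script embeds two constructed `server.xml` fragments, a trimmed copy of the posted connector and a rewritten one, and lints both; the `Service` wrapper, the attribute and marker lists, and the finding texts are this example's own choices.

```python
"""Lint a Tomcat 4 server.xml for the SSL misconfiguration discussed above.

Added example (not from the original post). The two fragments below are
constructed: the first trims the posted connector, the second rewrites it.
"""
import xml.etree.ElementTree as ET

# Constructed sample 1: the posted connector, trimmed, with angle brackets
# restored. SSLEnabled/sslProtocols/ciphers are Tomcat 6+ JSSE connector
# attributes; Tomcat 4's CoyoteConnector never reads them.
AS_POSTED = """
<Service name="Tomcat-Standalone">
  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
             port="443" scheme="https" secure="true"
             SSLEnabled="true" sslProtocols="TLSv1, TLSv1.1, TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_SHA">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             clientAuth="false" protocol="TLS" />
  </Connector>
</Service>
"""

# Constructed sample 2: the form Tomcat 4.1 honours. Cipher selection goes on
# <Factory> (its 'ciphers' attribute) and the RC4 suites are dropped. Nothing
# here disables SSLv3: Factory 'protocol' only names the JSSE SSLContext
# algorithm, and a "TLS" context on JDKs before 7u75/8u31 enables SSLv3 by
# default. SSLv3 is turned off at the JDK (jdk.tls.disabledAlgorithms=SSLv3
# in java.security, which is already the default on 7u75+/8u31+).
CORRECTED = """
<Service name="Tomcat-Standalone">
  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
             port="443" scheme="https" secure="true">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             clientAuth="false" protocol="TLS"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />
  </Connector>
</Service>
"""

# Tomcat 6+ JSSE connector attributes that look right but are silently
# ignored when placed on a Tomcat 4 <Connector>.
NOT_TOMCAT4_CONNECTOR_ATTRS = ("SSLEnabled", "sslProtocols",
                               "sslEnabledProtocols", "sslProtocol", "ciphers")

# Substrings that mark a JSSE suite name as one to refuse. RC4 is the asker's
# case; the others are the usual export/anonymous/obsolete families.
WEAK_SUITE_MARKERS = ("RC4", "3DES", "_DES_", "NULL", "EXPORT", "MD5", "anon")


def weak_suites(cipher_list):
    """Return the suites in a comma-separated JSSE cipher list that hit WEAK_SUITE_MARKERS."""
    suites = [s.strip() for s in cipher_list.split(",") if s.strip()]
    return [s for s in suites if any(m in s for m in WEAK_SUITE_MARKERS)]


def lint_connectors(server_xml):
    """Return one finding string per problem found on each HTTPS connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("secure") != "true":
            continue  # plain HTTP connector: nothing TLS-related to check
        where = "Connector port=%s" % conn.get("port", "?")
        for attr in NOT_TOMCAT4_CONNECTOR_ATTRS:
            if attr in conn.attrib:
                findings.append("%s: '%s' is not a Tomcat 4 Connector attribute "
                                "and is ignored" % (where, attr))
        for suite in weak_suites(conn.get("ciphers", "")):
            findings.append("%s: weak suite %s listed on Connector (ignored by "
                            "Tomcat 4 anyway)" % (where, suite))
        factory = conn.find("Factory")
        if factory is None:
            findings.append("%s: no <Factory>, JSSE defaults apply unchanged" % where)
            continue
        ciphers = factory.get("ciphers")
        if ciphers is None:
            findings.append("%s: Factory has no 'ciphers', so the JDK's default "
                            "suite list is offered" % where)
        else:
            for suite in weak_suites(ciphers):
                findings.append("%s: weak suite %s on Factory" % (where, suite))
    return findings


if __name__ == "__main__":
    for label, xml in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print("--", label)
        for line in lint_connectors(xml) or ["no findings"]:
            print("  ", line)
```

Run against the posted fragment it reports the three ignored Connector attributes, the two RC4 suites, and the missing `Factory` `ciphers`; the rewritten fragment comes back clean. The linter deliberately does not claim to know whether SSLv3 is off, because no Tomcat 4 attribute controls that: after moving the ciphers onto `Factory`, confirm the JDK side with `openssl s_client -connect host:443 -ssl3`, which should fail to negotiate.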