
I have a Windows 2008 server with Tomcat 7.0.59 & Java 8u31 & I am trying to ensure that SSLv3 is disabled. Looking at the changelog for Java, SSL3 should no longer be supported and the Java Control Panel doesn't even have a checkbox to enable it in the Advanced Security Settings options. Even still, I have added sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to my HTTP connector in server.xml. Running a POODLE vulnerability scan still shows the ability to connect via SSL3.

Any ideas for other places to look or tools that could help identify what is enabling/supporting SSL3 on this box?

Here is the full connector configuration for reference:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keyAlias="CAS-server"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="[filepath]" keystorePass="[password]"/>

The server is a virtual machine running on VMware and is used only for CAS (Single Sign-On implementation from JA-SIG). Other programs installed on the system:

  • EMC NetWorker
  • Sophos Anti-Virus / AutoUpdate / Remote Management System
  • TortoiseSVN

  • Does the *POODLE vulnerability scan* check for SSLv3 or also for POODLE with TLS? – sebix Feb 27 '15 at 07:42
  • According to https://www.poodlescan.com/, SSLv3 is supported on the server. More research suggests that the problem may lie with the F5 server. I'll update here once I know something more conclusive. – Dustin Luck Feb 27 '15 at 17:51
  • @DustinLuck ever figure out your issue? – John Giotta May 24 '16 at 17:36
  • @JohnGiotta The server is behind an F5 appliance for failover. The POODLE fix had to be applied to the F5 as well. – Dustin Luck May 25 '16 at 22:43
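
The comments trace the finding to the F5 appliance in front of Tomcat, which means the connector setting and the scan result describe two different TLS endpoints. As an added example (not part of the original post), the Python script below sends a bare SSLv3 ClientHello to each hop and reports which one still accepts it; the host names are placeholders and the offered cipher-suite list is an assumption.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# Assumed offer list: RC4-MD5, RC4-SHA, 3DES-SHA, AES128-SHA, AES256-SHA
SUITES = b"\x00\x04\x00\x05\x00\x0a\x00\x2f\x00\x35"

def build_client_hello():
    """Return one SSLv3 record carrying a ClientHello (SSLv3 has no extensions)."""
    body = SSLV3 + os.urandom(32) + b"\x00"            # version, random, empty session id
    body += struct.pack(">H", len(SUITES)) + SUITES    # cipher suites
    body += b"\x01\x00"                                # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16" + SSLV3 + struct.pack(">H", len(handshake)) + handshake

def classify_reply(data):
    """Interpret the first bytes the peer sent back."""
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        return "SSLv3 ACCEPTED" if data[9:11] == SSLV3 else "answered with another version"
    if len(data) >= 7 and data[0] == 0x15:
        return "rejected (alert %d)" % data[6]
    return "rejected (no TLS reply)"

def probe(host, port, timeout=5.0):
    """Send the hello to host:port and classify what comes back."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            # An alert record is 7 bytes; a ServerHello needs 11 to expose its version.
            while len(data) < (7 if data[:1] == b"\x15" else 11):
                chunk = s.recv(64)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return "rejected (%s)" % exc.__class__.__name__
    return classify_reply(data)

if __name__ == "__main__":
    # Placeholder names: the public address on the load balancer and the Tomcat host behind it.
    for label, host in (("load balancer", "sso.example.org"), ("tomcat direct", "cas-backend.example.org")):
        print(label, host, probe(host, 443))
```

If the load balancer reports ACCEPTED while the direct connection is rejected, the protocol has to be disabled on the appliance's TLS profile rather than in server.xml.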

0 Answers