
What is the best value for the SSLProtocol parameter in the Tomcat APR config? The docs say: "Protocol which may be used for communicating with clients. The default is 'all', with other acceptable values being 'SSLv2', 'SSLv3', 'TLSv1', and 'SSLv2+SSLv3'."

At first I made a mistake and actually had SSL2 enabled, which caused problems for many clients, like "SSL2 not supported, you must switch to TLS". So I changed that to "TLSv1" and it was OK until I got some problems with remote HTTP requests.

Finally I changed the value to "all" (the default). Is that correct? Or must SSL2 be disabled?

Thanks in advance!

Andrey Minogin

2 Answers


The default in the Sun JRE is to use SSLv2 for the initial handshake, and then "upgrade" to either SSLv3, or TLSv1. Unless you have good reason not to, I would stick with the default.

David Grant

I use SSLv3+TLSv1, so that SSLv2 is disabled (it has a number of security problems and is not PCI-DSS compliant), but clients can choose to use either SSLv3 or TLSv1, which is sufficiently secure and is supported by practically every modern client.

dkeen
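As an added example (not code from either answer): a small audit script that reads a Tomcat server.xml and flags SSL-enabled connectors whose SSLProtocol value still leaves SSLv2 on, treating an omitted attribute as the documented default "all" and a "+"-joined list as the set of enabled protocols. The sample server.xml embedded below is constructed for the demonstration.

```python
"""Audit Tomcat APR connectors in server.xml for SSLProtocol values that admit SSLv2."""
import xml.etree.ElementTree as ET

# Per the Tomcat docs quoted in the question: the attribute defaults to "all",
# and "all" or any list containing the "SSLv2" token leaves SSLv2 enabled.
SSLV2_TOKENS = {"all", "SSLv2"}


def protocols_enabled(value):
    """Split an SSLProtocol value such as "SSLv3+TLSv1" into its tokens."""
    if value is None:  # attribute omitted -> Tomcat default "all"
        return {"all"}
    return {tok.strip() for tok in value.split("+") if tok.strip()}


def allows_sslv2(value):
    """True when the configured value leaves SSLv2 negotiable."""
    return bool(protocols_enabled(value) & SSLV2_TOKENS)


def audit_server_xml(xml_text):
    """Return (port, SSLProtocol value, verdict) for every SSL-enabled connector."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        value = conn.get("SSLProtocol")
        verdict = "SSLv2 enabled" if allows_sslv2(value) else "ok"
        findings.append((conn.get("port"), value, verdict))
    return findings


# Constructed sample: three HTTPS connectors using the values discussed above.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" SSLProtocol="SSLv2+SSLv3" />
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" SSLProtocol="SSLv3+TLSv1" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>"""

if __name__ == "__main__":
    for port, value, verdict in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port}: SSLProtocol={value!r} -> {verdict}")
```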