How do I disable SSLv3 in Tomcat for the POODLE vulnerability that was found? What impact will it have on browsers? Will all browsers still work?
- http://wiki.apache.org/tomcat/Security/POODLE – nos Dec 03 '14 at 13:29
- See also http://serverfault.com/questions/637649/how-do-i-disable-sslv3-support-in-apache-tomcat – Vadzim Apr 07 '15 at 13:41
4 Answers
Use the following configuration in server.xml (the last line is important):
```xml
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/keystore.jks"
           keystorePass="rmi+ssl"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1+TLSv1.1+TLSv1.2"/>
```
The Impact of Disabling SSLv3
There’s little impact for most people in disabling SSLv3 because they are not relying on SSLv3 to make connections via SSL/TLS. The large majority relies on TLS.
In the future, browsers such as Google Chrome and Firefox will have SSLv3 disabled at release. It is also advisable to disable SSLv3 in home browsers, not only in server applications.
Very old browsers like IE 6 will have issues with it, but I guess those do not support many of the latest technologies anyway.
Note: Thanks Christopher, updated as per your suggestions.
- `sslProtocols` is not a recognized configuration option for a `<Connector>`. Also, you must specifically disable the `SSLv3` protocol using `sslEnabledProtocols` because Java's `TLS` protocols all speak `SSLv3` as well. – Christopher Schultz Oct 18 '14 at 21:05
I tried the config suggested by Deepak. Though Tomcat did start, web apps were still accessible using SSLv3. The config suggested in this blog post about the POODLE attack worked for me. We are running Tomcat 7.0.55 and 7.0.56. Example connector below (note that we are using JKS keystores, hence the protocol attribute):
```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           keystoreFile="conf\store\tomcat.keystore" enableLookups="true"
           keystorePass="password" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" server="Apache Tomcat" />
```
- `sslEnabledProtocols` does not use commas to separate the enabled protocols: you need to use `+` instead. Other than that, this is the correct response. – Christopher Schultz Oct 18 '14 at 21:07
For my configuration, where I am using Tomcat 7 (7.0.56) and the HTTP/1.1 Connector (so it is not the NIO or native connector), the combination of these attributes works well:
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
And just to add - I am running on Java 7.
It seems that there might be differences in notation (i.e. whether to separate protocols by comma, or whether it needs to be a single value made by "+" concatenation of protocols) between the various kinds of Connectors.
For me, sslEnabledProtocols works comma-separated, as stated in the Tomcat 7 Configuration Reference (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support).
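The answers and comments above turn on three configuration details: the misspelled `sslProtocols` attribute that Tomcat does not recognise, whether `sslEnabledProtocols` still lists SSLv3 (or is missing altogether, leaving the JVM default in charge), and the `+` versus `,` separator question. Below is an added example, not code from the question or any of the answers, that audits a `server.xml` offline for exactly those points and accepts both separator styles. The sample `server.xml` embedded in it is constructed for the demonstration; the ports and keystore details are made up.

```python
"""Offline audit of Tomcat server.xml connectors for POODLE (SSLv3) exposure.

Added example for this thread, not code from any answer. It checks the
attributes discussed above: sslEnabledProtocols (accepting both the '+' and
',' separators mentioned in the thread) and the misspelled 'sslProtocols'
attribute that Tomcat does not recognise.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from a real deployment); one connector
# per case the thread discusses.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP connector: not in scope -->
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- good: SSLv3 excluded, '+' separated as in the first answer -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1+TLSv1.1+TLSv1.2"/>
    <!-- bad: SSLv3 explicitly enabled, ',' separated -->
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               sslEnabledProtocols="SSLv3,TLSv1"/>
    <!-- bad: no explicit protocol list, so the JVM's default set decides -->
    <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" sslProtocol="TLS"/>
    <!-- bad: 'sslProtocols' is not a Connector attribute and has no effect -->
    <Connector port="8446" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" sslProtocols="TLS" sslEnabledProtocols="TLSv1.2"/>
  </Service>
</Server>
"""

# Names that mean a real SSL 2/3 handshake. SSLv2Hello is only a ClientHello
# record format, not a protocol version, so it is deliberately not listed.
LEGACY_PROTOCOLS = {"sslv2", "sslv3"}
EXPECTED_ATTR = "sslEnabledProtocols"


def split_protocols(value):
    """Split a protocol list written with '+' or ',' (both forms appear in the thread)."""
    return [p for p in re.split(r"[+,\s]+", value) if p]


def audit_connectors(xml_text):
    """Return {port: [issue, ...]} for every SSLEnabled connector; an empty list means OK."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        issues = []
        # The misspelling from the first answer: Tomcat ignores unknown attributes,
        # so the setting silently does nothing.
        for attr in conn.attrib:
            if attr.lower() == "sslprotocols":
                issues.append("unrecognised attribute %r (the real names are "
                              "sslProtocol and sslEnabledProtocols)" % attr)
        enabled_raw = conn.get(EXPECTED_ATTR)
        if enabled_raw is None:
            # Without an explicit list Tomcat uses the JVM's default enabled
            # protocols, which on older JDKs included SSLv3.
            issues.append("%s not set; the JVM default protocol set applies" % EXPECTED_ATTR)
        else:
            legacy = [p for p in split_protocols(enabled_raw) if p.lower() in LEGACY_PROTOCOLS]
            if legacy:
                issues.append("legacy protocol(s) enabled: %s" % ", ".join(legacy))
        report[conn.get("port")] = issues
    return report


def sslv3_exposed_ports(xml_text):
    """Ports whose connector may still accept SSLv3 (any finding counts as exposure)."""
    return sorted(port for port, issues in audit_connectors(xml_text).items() if issues)


if __name__ == "__main__":
    for port, issues in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Run it against a real `server.xml` by replacing `SAMPLE_SERVER_XML` with the file's contents. A configuration check is only half the job: as the second answer found, Tomcat can start cleanly with a config that looks right while SSLv3 is still negotiable, so after the restart confirm at the network level that the HTTPS port refuses an SSLv3 handshake.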
In Tomcat 6.0.20, the following configuration in the connector clause of server.xml works:
sslProtocol="SSL" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"