2

Using embedded Tomcat 8 with Java 8 and I am unable to get the SSLv3 protocol re-enabled. I am unable to hit the web application with Internet Options -> Advanced settings with SSLv3 checked and all others (SSLv2, TLS1.0, TLS1.1, TLS1.2) unchecked. I have tried setting the SSL protocol like so:

httpsConnector.setAttribute("sslProtocol", "SSLv3");

I have also tried setting the SSL protocol like so:

httpsConnector.setAttribute("sslEnabledProtocols", "SSLv3");

I have also added this line to the deployment.properties file to enable SSLv3 in JRE 8

deployment.security.SSLv3=true
Caleb Adams
  • See [Enabling SSLv3](https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#enable-sslv3). – user207421 Jan 29 '16 at 18:40
  • 3
    See [Don't ever enable SSLv3 again](http://disablessl3.com/). SSLv3 is vulnerable to *POODLE* attacks. – TT. Jan 29 '16 at 21:58

1 Answer

4

Recent JREs disable SSLv3, and rightly so: it's a broken protocol at this point that should be avoided. However, some environments absolutely require support of SSLv3, and it is possible to do.

First, you should never disable the higher-level protocols like TLSv1, TLSv1.1, and TLSv1.2. Instead, add SSLv3 to those protocols so that clients with better security can still use the higher-level protocols.

In order to re-enable SSLv3 in the JVM, you'll need to set this system property, possibly at JVM launch-time:

-Djdk.tls.disabledAlgorithms=

(Note there is no value there.)

You will also need to do the same type of thing you have done already above, where you set sslEnabledProtocols and sslProtocol, but, again, please don't disable the higher-level protocols.

UPDATE 2017-06-21

For Tomcat 8.5 and 9.0, SSLv3 has been hard-coded to be disabled and requires a source patch and re-build in order to re-enable it, up through at least Tomcat 8.5.15 and Tomcat 9.0.0.M21. There is currently some discussion about removing that prohibition in Tomcat 8.5 and 9.0.

UPDATE 2017-06-22

SSLv3 will no longer be blacklisted as of Tomcat 8.5.17 and Tomcat 9.0.0.M23.

Christopher Schultz
  • Was able to use your solution as a starting point to get this to work. 1. update java.security file 2. update user level deployment.properties file 3. update system level deployment.properties file – Caleb Adams Feb 01 '16 at 21:07
  • 1
    None of those things should have been necessary; you can launch a single JVM instance with those settings without modifying any of the system-level files. I would encourage you to undo what you have done to those system files, because you will be re-enabling SSLv3 for any JVM you launch, not just the single Tomcat instance you want to modify. – Christopher Schultz Feb 02 '16 at 12:10
  • 1
    And you will also lose those modifications next Java upgrade. – user207421 Jun 23 '17 at 00:12
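The following is an added example, not code from the question, the answer, or the Tomcat project, showing the single-JVM approach the answer and its comments describe: SSLv3 is unblocked for this process only, without touching the JRE's java.security or deployment.properties files, and the TLS versions stay enabled alongside it. Two details differ from the answer's text and are worth flagging. First, jdk.tls.disabledAlgorithms is a security property (the kind read from java.security), so the example sets it with java.security.Security.setProperty before anything in the JVM initialises JSSE, which is the form the Oracle "Enabling SSLv3" page linked in the comments documents. Second, rather than blanking the whole list, the example strips only the SSLv3 entry so that the other restrictions in that list (RC4, weak DH sizes, and whatever else the installed JRE lists) remain in force. The keystore path, password and alias are placeholders assumed for the example, and Tomcat 8.0.x embedded (org.apache.catalina.startup.Tomcat) is assumed, since the update in the answer notes that 8.5.0 through 8.5.16 hard-code the SSLv3 prohibition.

```java
// Added example (not from the original post or from Tomcat). Assumes embedded
// Tomcat 8.0.x on Java 8 and a JKS keystore at a placeholder path.
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;

public class LegacySslv3Tomcat {

    // Placeholders assumed for this example; replace with the real keystore.
    private static final String KEYSTORE_FILE = "/path/to/keystore.jks";
    private static final String KEYSTORE_PASS = "changeit";
    private static final String KEY_ALIAS = "tomcat";

    /**
     * Return the jdk.tls.disabledAlgorithms value with only the "SSLv3" entry
     * removed. Everything else in the list (e.g. "RC4", "DH keySize < 768") is
     * kept, so re-enabling SSLv3 does not also re-enable other weak algorithms.
     */
    static String withoutSslv3(String disabled) {
        List<String> kept = new ArrayList<>();
        for (String entry : disabled.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty() && !e.equalsIgnoreCase("SSLv3")) {
                kept.add(e);
            }
        }
        return String.join(", ", kept);
    }

    public static void main(String[] args) throws Exception {
        // Security properties are read when JSSE initialises, so this must run
        // before any SSLContext/SSLSocketFactory is created in this JVM. It
        // affects this process only; the JRE's java.security file is untouched.
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (disabled != null) {
            Security.setProperty("jdk.tls.disabledAlgorithms", withoutSslv3(disabled));
        }

        Tomcat tomcat = new Tomcat();
        tomcat.setPort(8080); // plain HTTP connector created by Tomcat itself

        Connector https = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        https.setPort(8443);
        https.setSecure(true);
        https.setScheme("https");
        https.setAttribute("SSLEnabled", "true");
        https.setAttribute("keystoreFile", KEYSTORE_FILE);
        https.setAttribute("keystorePass", KEYSTORE_PASS);
        https.setAttribute("keyAlias", KEY_ALIAS);
        // Keep every TLS version; SSLv3 is *added* for the legacy clients that
        // need it, not substituted for the stronger protocols.
        https.setAttribute("sslEnabledProtocols", "SSLv3,TLSv1,TLSv1.1,TLSv1.2");
        // "TLS" selects an SSLContext that can negotiate any of the above.
        https.setAttribute("sslProtocol", "TLS");
        tomcat.getService().addConnector(https);

        tomcat.start();
        tomcat.getServer().await();
    }
}
```

To confirm the connector behaves as intended, use an OpenSSL build that still has SSLv3 compiled in: `openssl s_client -connect localhost:8443 -ssl3` should complete a handshake, and `openssl s_client -connect localhost:8443 -tls1_2` should also succeed, proving the TLS versions were not dropped. If the JRE's java.security lists nothing in jdk.tls.disabledAlgorithms (an older 8 update), Security.getProperty returns null and the code leaves it alone. An equivalent launch-time form that also avoids editing system files is `-Djava.security.properties=<override-file>` with `jdk.tls.disabledAlgorithms=<list without SSLv3>` in that file; either way the change is scoped to the one JVM, which is the point the answer's author makes in the comments.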