How do I disable SSLv3 in tomcat?

Question

I have tried following below link, however it does not help: tomcat-users mailing list archives

Note that the real answer here will depend on the version of Tomcat: Tomcat 6 & Tomcat 7 have different configuration directives; and Tomcat 6 added some specific SSL directives somewhere around 6.0.32. The configuration directives depend on if you are using JSSE verses APR/Native connectors. The supported of TLS specified in the parameters will depend on your Java version. — Stefan Lasiewski, Oct 16 '14 at 17:22
Also see ServerFault: http://serverfault.com/questions/637649/how-do-i-disable-sslv3-support-in-apache-tomcat — Stefan Lasiewski, Oct 22 '14 at 17:52

score 7 · Answer 1 · edited Oct 15 '14 at 14:36

7

Add the below string to server.xml connecter

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"

and then remove

sslProtocols="TLS"

check on

edited Oct 15 '14 at 14:36

GlenPeterson

answered Oct 15 '14 at 11:50

Connor Relleen

This isn't working for us with Tomcat6. – Stefan Lasiewski Oct 15 '14 at 22:46
These are Tomcat 7 instructions. For 6, go to this page and search for "TLS": http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html or check out Marco Polo's answer below. – GlenPeterson Oct 15 '14 at 23:21
1

Hmm, that Tomcat 6 doc says it supports `sslEnabledProtocols` and there is no mention on that page of `sslProtocols`. Is that an inaccuracy in the Tomcat docs or is it JVM dependent? – Bradley Oct 16 '14 at 12:44
@Bradley Tomcat 6 changed these directives somewhere after Tomcat 6.0.36. See our answer on ServerFault at http://serverfault.com/a/637666/36178 – Stefan Lasiewski Oct 22 '14 at 17:51

GlenPeterson · Answer 2 · 2014-10-15T23:21:54.327

All more modern browsers of note work with at least TLS1. There are no safe SSL protocols any more, which means no more IE6 access to secure web sites.

nmap --script ssl-cert,ssl-enum-ciphers -p 443 www.example.com

If ssl-enum-ciphers lists a "SSLv3:" section or any other SSL sections, your server is vulnerable.

To patch this vulnerability on a Tomcat 7 web server, in the server.xml connector, remove

sslProtocols="TLS"

(or sslProtocol="SSL" or similar) and replace it with:

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"

Then restart tomcat and test again to verify that SSL is no longer accepted. Thanks to Connor Relleen for the correct sslEnabledProtocols string.

score 2 · Answer 3 · edited Oct 15 '14 at 21:10

2

Using

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"

did not work for us. We had to use

sslProtocols="TLSv1, TLSv1.1, TLSv1.2"

and left out the sslEnabledProtocols altogether.

edited Oct 15 '14 at 21:10

Eliah Kagan

answered Oct 15 '14 at 21:02

Marco Polo

What version of Tomcat? – GlenPeterson Oct 15 '14 at 23:22
Tested and confirmed on tomcat 6. – RobinCominotto Oct 16 '14 at 15:05
Is that a typo? Did you mean `sslProtocol` (singular) instead of `sslProtocols` (plural)? The [Tomcat docs say `sslProtocol`](https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support), not `sslProtocols`. – Stefan Lasiewski Oct 16 '14 at 17:04
Well, `sslProtocols` works for me as well on Tomcat 6. I find it strange that the documentation only mentions `sslProtocol` (no s). – Stefan Lasiewski Oct 16 '14 at 22:07

score 0 · Answer 4 · edited Jul 27 '15 at 10:10

0

For Tomcat 6, in addition to the above, we also had to do the following:

In server.xml connector, add:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"

edited Jul 27 '15 at 10:10

Ron

answered Jul 27 '15 at 07:01

yoliho

4 Answers4