Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2015/02/01 19:33:12 UTC

Re: How-to disable SSL V3 on Tomcat 6.0.18.0

Jimmy,

On 1/31/15 10:13 AM, Jammy Chen wrote:
> Hello Jason, Chris,
> 
> Thanks for your answer and reply.
> 
> I actually already tried that solution linked in the page 
> https://access.redhat.com/solutions/1232233, but it does not work
> at all.
> 
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
> SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
> sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

How about "protocols" instead of "sslProtocols"?

> Yes, this is a common problem whatever the Tomcat version is. SSL V3
> is not safe any more; however, newer Tomcat has a ready
> configuration/solution for disabling V3. Since I am still on an old
> version, I am looking for a solution for version Tomcat/6.0.18, but
> no good luck until now.

I'm not sure why it's not disabling SSLv3 for you, but another option
is to remove all of the ciphers that use CBC.

There are a lot of other bad things in 6.0.18 and, probably, the
versions of Java being used in these places. The proper mitigation is
to upgrade, not to try to configure-around the problem.

-chris

> 2015-01-30 22:28 GMT+08:00 Christopher Schultz <chris@christopherschultz.net>:
> 
> Jason,
> 
> On 1/30/15 4:32 AM, Jason Y wrote:
>>>> Please refer to https://access.redhat.com/solutions/1232233
> 
> This link is /slightly/ out of date, in that it is missing
> more-recent information (i.e. support for TLSv1.1 and TLSv1.2 in
> tcnative versions after 1.1.21).
> 
>>>> By the way, why would you disable SSL? What is your current 
>>>> problem? I may have the same problem with tomcat 7.0.55...
> 
> 
> https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
>
>  -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org