
I have a web service which is running on Tomcat 6.0, Java 7. The Connector uses the JSSE configuration. Below is what the connector in the server.xml file looks like, with a few modifications:

<Connector port="a numeric port number" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" SSLEnabled="true" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" URIEncoding="UTF-8" keystorePass="aStringValue" keystoreFile="c:\crt\aFile.jks" keyAlias="anAlias" keyStoreType="JKS" /> 

I'm having trouble getting the SSLProtocol to work in a fashion that would disable the POODLE-vulnerable SSLv3. I have also tried having it as "TLS" and separately have

sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" 

as well as

sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1" 

after the SSLProtocol, but neither seems to have worked. And yes, I did remember to restart Tomcat after the server.xml changes. Can anyone spot what I'm missing here? All help highly appreciated.

1 Answer


According to this answer at Serverfault, one or both of the following should do the trick:

sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" 

(note the lower case 'ssl')

sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2" 
  • Thanks for this answer, it might actually work, but unfortunately I won't get a chance to try to restart the server I am using until this Friday, so I will have to wait until then to know whether this fixed it or not. I also read more about Tomcat 6.0 and noticed, as stated on wiki.apache.org/tomcat/Security/POODLE, "In old versions of Tomcat 6 the name of configuration attribute for Bio connector was protocols. It is sslEnabledProtocols since Tomcat 6.0.39 onwards." So I might have to try that as well. If this fixes the problem, I will accept the answer on Friday. Commented May 11, 2015 at 7:00
  • sslProtocols="TLSv1,TLSv1.1,TLSv1.2" worked like a charm, I also added only the secure ciphers to the connection. Thanks for the help! Commented May 15, 2015 at 12:07
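
An added example, not part of the question, the answer or Tomcat's own tooling: a small Python audit of a Connector element that flags the patterns discussed in this thread ('+'-separated protocol lists, which is the separator of the APR connector's SSLProtocol attribute rather than of the comma-separated JSSE lists, a missing comma-separated list, and legacy protocols left in a list). The function name, the finding codes, port 8443 and the shortened sample connectors are constructed for illustration, and the accepted attribute names are only the ones mentioned on this page.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names that this page reports as taking a protocol list on a
# JSSE connector (answer, comments and the quoted Tomcat wiki sentence).
LIST_ATTRS = {"sslProtocols", "sslEnabledProtocols", "protocols"}
LEGACY = {"SSLv2", "SSLv2Hello", "SSLv3"}

def audit_connector(xml_text):
    """Return sorted (code, attribute) findings for one <Connector> element."""
    conn = ET.fromstring(xml_text)
    findings, has_list = set(), False
    for name, value in conn.attrib.items():
        low = name.lower()
        if low == "protocol" or not low.endswith(("protocol", "protocols")):
            continue  # 'protocol' alone selects the connector implementation
        tokens = [t.strip() for t in re.split(r"[+,]", value) if t.strip()]
        if LEGACY & set(tokens):
            findings.add(("legacy-protocol-listed", name))
        if "+" in value:
            findings.add(("plus-separated-list", name))
        if name not in LIST_ATTRS:
            findings.add(("not-a-list-attribute-from-page", name))
        elif "+" not in value:
            has_list = True  # comma-separated list under a name from the page
    if not has_list:
        findings.add(("no-explicit-protocol-list", "-"))
    return sorted(findings)

# Constructed samples: the question's connector (shortened, port invented)
# and the form the asker later reported as working.
BEFORE = ('<Connector port="8443" scheme="https" secure="true" '
          'SSLEnabled="true" clientAuth="false" '
          'SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" '
          'sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1" />')
AFTER = ('<Connector port="8443" scheme="https" secure="true" '
         'SSLEnabled="true" clientAuth="false" '
         'sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />')

if __name__ == "__main__":
    for label, xml_text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_connector(xml_text) or "no findings")
```

Which attribute name takes effect depends on the Tomcat 6 release, as the wiki sentence quoted in the comments says, so a clean result here should still be confirmed with a handshake test against the running connector.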
