tomcat-users mailing list archives

From James Drews <dr...@engr.wisc.edu>
Subject Re: Disabling SSLv3 with Tomcat ARP/Native but still retaining support for TLS 1.1 and TLS 1.2
Date Wed, 15 Oct 2014 13:00:30 GMT
That isn't working for Tomcat 6; it will only accept TLSv1 for the
SSLProtocol entry, and that results in using TLS 1.0 only.

On 10/15/2014 7:48 AM, Giles Coochey wrote:
> On 15/10/2014 13:42, John Blaut wrote:
>> Hi
>>
>> Following the recent announcement of the SSLv3 POODLE vulnerability
>> (CVE-2014-3566), when disabling SSLv3 on Tomcat APR/Native using the
>> following configuration: SSLProtocol="TLSv1", it seems that the effect is
>> that besides the SSLv3 protocol even the TLSv1.1 and  TLSv1.2 protocols no
>> longer remain available, at least according to the Qualys SSL Labs test:
>> https://www.ssllabs.com/ssltest/
>>
>> Protocols
>> TLS 1.2     No
>> TLS 1.1     No
>> TLS 1.0     Yes
>> SSL 3     No
>> SSL 2     No
>>
>> Is there an explanation for this?
>> What configuration is required in order to disable SSLv3 (and SSLv2 of
>> course) whilst still retaining support for all TLS 1.0, 1.1 & 1.2?
>
> TLS      Supports some version of TLS; may support other versions
> TLSv1    Supports RFC 2246: TLS version 1.0 <http://www.ietf.org/rfc/rfc2246.txt>; may support other versions
> TLSv1.1  Supports RFC 4346: TLS version 1.1 <http://www.ietf.org/rfc/rfc4346.txt>; may support other versions
> TLSv1.2  Supports RFC 5246: TLS version 1.2 <http://www.ietf.org/rfc/rfc5246.txt>; may support other versions
>
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext--

> Regards, Giles Coochey, CCNP, CCNA, CCNAS NetSecSpec Ltd +44 (0) 8444 
> 780677 +44 (0) 7584 634135 http://www.coochey.net 
> http://www.netsecspec.co.uk giles@coochey.net 
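
Added example, not part of the original thread and not Tomcat code: a local probe that rebuilds the protocol table quoted above by offering one protocol version per connection, useful for re-checking a connector after each `SSLProtocol` change when the host is not reachable by the SSL Labs test. The names `pinned_context`, `probe` and `scan` are this example's own; a `None` result means the local OpenSSL build could not offer that version (common for SSLv3), so nothing was learned about the server.

```python
import socket
import ssl
import warnings

# Rows of the SSL Labs table quoted in the thread. SSL 2 is left out because
# Python's ssl module has no TLSVersion value for it.
VERSIONS = [
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("SSL 3", ssl.TLSVersion.SSLv3),
]


def pinned_context(version):
    """Client context offering exactly one protocol version; None if the
    local OpenSSL build refuses that version outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # only protocol support is probed,
    ctx.verify_mode = ssl.CERT_NONE   # the certificate is not evaluated
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 needs this for TLS 1.0/1.1
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
    except ValueError:
        return None
    return ctx


def probe(host, port, version, timeout=5.0):
    """True: server negotiated this version. False: server rejected it.
    None: this client cannot offer it, so nothing was learned."""
    ctx = pinned_context(version)
    if ctx is None:
        return None
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
        except ssl.SSLError as exc:
            # NO_PROTOCOLS_AVAILABLE is raised locally, before any ClientHello.
            return None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False
        except OSError:
            return False  # reset or timeout during the handshake


def scan(host, port=443):
    """Protocol table in the same shape as the one quoted in the thread."""
    return {label: probe(host, port, v) for label, v in VERSIONS}
```

Connection failures before the handshake (refused, unreachable) propagate as `OSError` rather than being reported as a rejected protocol.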

