tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Cannot disable SSL v3
Date Fri, 17 Oct 2014 16:54:49 GMT

Deepak,

On 10/17/14 11:58 AM, dkumar@ccilindia.co.in wrote:
> Below is my configuration in server.xml file of tomcat 7.0.22.

Upgrade.

> <Connector className
> ="org.apache.catalina.connector.http.HttpConnector"

No such class exists. Which connector are you actually using? A Java
connector or the native connector?

> port="443" maxHttpHeaderSize="8192" maxThreads="150" 
> minSpareThreads="25" enableLookups="false" 
> disableUploadTimeout="true" acceptCount="100" scheme="https"
> secure="true" clientAuth="false" sslProtocol="TLS"

Use of "sslProtocol" indicates that you are using a Java connector.

> SSLEnabled="true" allowUnsafeLegacyRenegotiation="false"
> 
> ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"

Use of "ciphers" indicates that you are using a Java connector.

Please see the documentation for the HTTP connector:
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

The "sslProtocol" attribute is documented to use JVM-defined strings.
You will need to see what protocols are supported by your JVM.

> keystoreFile="*******" keystorePass="***" server=" "> <Factory 
> className="org.apache.catalina.net.SSLServerSocketFactory" 
> clientAuth="false" protocol="TLS"/>

Why are you configuring an SSLServerSocketFactory here? I don't
believe that is even a valid configuration.

> </Connector>
> 
> I tried with below changes. 1. sslProtocol changed to SSLProtocol

sslProtocol is for Java connectors while SSLProtocol is for the native
connector.

> 2. Removed SSL_RSA_WITH_3DES_EDE_CBC_SHA cipher from ciphers

This configures a single cipher and not a protocol.

> 3. sslProtocol ="TLS" changed to sslProtocol ="TLSv1"
> 
> But still unable to disable SSL v3

Did you restart? What were the results? How did you test?

-chris
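
One way to carry out the check suggested above ("see what protocols are supported by your JVM"), as an added example that is not part of the original message: it prints, for each SSLContext name, the protocols the JVM supports and the ones a server socket enables by default. The class name `JvmSslProtocols` is hypothetical, the default names "TLS" and "TLSv1" are the two values tried in the thread, and the output depends on the JVM, so run it with the same `java` binary that starts Tomcat.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

// Added example (not from the thread): report what the JVM's JSSE provider
// supports and what a server socket enables by default per SSLContext name.
public class JvmSslProtocols {

    // Protocols enabled on a fresh, unbound server socket from this context.
    static String[] serverEnabled(SSLContext ctx) throws Exception {
        SSLServerSocket s =
            (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket();
        try {
            return s.getEnabledProtocols();
        } finally {
            s.close();
        }
    }

    static boolean offersSslv3(String[] protocols) {
        return Arrays.asList(protocols).contains("SSLv3");
    }

    public static void main(String[] args) throws Exception {
        // Context names to inspect; pass others on the command line.
        String[] names = args.length > 0 ? args : new String[] {"TLS", "TLSv1"};
        for (String name : names) {
            SSLContext ctx;
            try {
                ctx = SSLContext.getInstance(name);
            } catch (NoSuchAlgorithmException e) {
                // The JVM does not define this string at all.
                System.out.println(name + ": not a name this JVM knows");
                continue;
            }
            ctx.init(null, null, null); // defaults; no keystore is needed here
            String[] supported = ctx.getSupportedSSLParameters().getProtocols();
            String[] enabled = serverEnabled(ctx);
            System.out.println("SSLContext \"" + name + "\"");
            System.out.println("  supported:      " + Arrays.toString(supported));
            System.out.println("  server default: " + Arrays.toString(enabled));
            System.out.println("  SSLv3 enabled by default: " + offersSslv3(enabled));
        }
    }
}
```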