
I have a web service which is running on Tomcat 6.0, Java 7. The Connector uses the JSSE configuration. Below is what the connector in the server.xml file looks like, with a few modifications:

<Connector port="a numeric port number" maxHttpHeaderSize="8192"
       maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
       enableLookups="false" disableUploadTimeout="true"
       acceptCount="100" scheme="https" secure="true"
       clientAuth="false" SSLEnabled="true" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
       URIEncoding="UTF-8" keystorePass="aStringValue" 
       keystoreFile="c:\crt\aFile.jks" keyAlias="anAlias"
       keyStoreType="JKS" />

I'm having trouble getting the SSLProtocol to work in a fashion that would disable the POODLE-vulnerable SSLv3. I have also tried having it as "TLS" and separately have

sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"

as well as

sslEnabledProtocols="TLSv1.2+TLSv1.1+TLSv1"

after the SSLProtocol, but neither seem to have worked. And yes, I did remember to restart Tomcat after the server.xml changes. Can anyone spot what I'm missing here? All help highly appreciated.

ghoulfolk

1 Answer


According to this answer at Serverfault, one or both of the following should do the trick:

sslProtocols = "TLSv1,TLSv1.1,TLSv1.2"

(note the lower case 'ssl')

sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2"
Anand Bhat
  • Thanks for this answer. It might actually work, but unfortunately I won't get a chance to restart the server I am using until this Friday, so I will have to wait until then to know whether this fixed it or not. I also read more about Tomcat 6.0 and noticed, as stated on http://wiki.apache.org/tomcat/Security/POODLE, "In old versions of Tomcat 6 the name of configuration attribute for Bio connector was protocols. It is sslEnabledProtocols since Tomcat 6.0.39 onwards." So I might have to try that as well. If this fixes the problem, I will accept the answer on Friday – ghoulfolk May 11 '15 at 07:00
  • sslProtocols="TLSv1,TLSv1.1,TLSv1.2" worked like a charm, I also added only the secure ciphers to the connection. Thanks for the help! – ghoulfolk May 15 '15 at 12:07
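The thread above turns on which attribute name the JSSE connector actually honours (`SSLProtocol` in the question did nothing; `sslProtocols`, `sslEnabledProtocols` and, on very old Tomcat 6, `protocols` are the names that came up). Below is an added audit script, not code from the question or the answer, that parses a server.xml and flags SSL-enabled connectors whose protocol list is missing, set under an unrecognised name, or explicitly includes SSLv2/SSLv3. The sample server.xml embedded in it is constructed for the example, and the list of honoured attribute names is taken from this thread rather than from the Tomcat source.

```python
"""Audit a Tomcat 6 server.xml for HTTPS connectors that may still accept SSLv3."""
import xml.etree.ElementTree as ET

# Attribute names reported in this thread as honoured by the Tomcat 6 JSSE (BIO)
# connector; checked in this order, first match wins.
JSSE_PROTOCOL_ATTRS = ("sslEnabledProtocols", "sslProtocols", "protocols")

# Constructed sample: four connectors, two of which are misconfigured.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="c:\\crt\\aFile.jks" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="c:\\crt\\aFile.jks" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" />
  <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="c:\\crt\\aFile.jks" sslEnabledProtocols="SSLv3,TLSv1" />
</Service></Server>"""


def parse_protocol_list(value):
    """Split a protocol attribute on commas, '+' or whitespace into a clean list."""
    normalised = value.replace("+", ",").replace(" ", ",")
    return [p.strip() for p in normalised.split(",") if p.strip()]


def audit_connector(attrs):
    """Return a list of findings for one <Connector>'s attribute dict (empty = ok)."""
    findings = []
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return findings                      # plain HTTP connector: nothing to check
    enabled = None
    for name in JSSE_PROTOCOL_ATTRS:
        if name in attrs:
            enabled = parse_protocol_list(attrs[name])
            break
    if enabled is None and "SSLProtocol" in attrs:
        findings.append("SSLProtocol is not a JSSE attribute name; its value is not applied")
    if enabled is None:
        findings.append("no JSSE protocol list set: JVM defaults apply and may include SSLv3")
    elif any(p.upper().startswith("SSL") for p in enabled):
        findings.append("SSLv2/SSLv3 explicitly enabled: " + ",".join(enabled))
    return findings


def audit_server_xml(xml_text):
    """Map each connector port to its findings for a whole server.xml document."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_connector(c.attrib) for c in root.iter("Connector")}


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(port, findings or "ok")
```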