
Even after setting sslProtocol="TLSv1" in server.xml, when we run a vulnerability check, the output is as below:

# /usr/sfw/bin/
> openssl s_client -connect ipaddress:portNo -ssl3
CONNECTED(00000003)
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
---
Server certificate
printed even the certificate
---
No client certificate CA names sent
---
SSL handshake has read 3040 bytes and written 442 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA
    Session-ID: 5719C37963ED3152FBE0543342EF2327303E66D3B8E32F020729D105A669AB04
    Session-ID-ctx:
    Master-Key: 3A31836C1C6DD8550B76051F8890073B7571B3C4DFC5F88B60D8FD2A3EA38BC00D845E16D6A9E134EF9B5BD79DD68B6F
    Key-Arg   : None
    Start Time: 1461306233
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

Can anyone please advise how to fix it?

ALex_hha
Vijay
  • Are you using APR aka Tomcat-Native? 'sslProtocol' fully sets protocol version and thus defangs(?) POODLE only for APR. For Java/JSSE aka Bio and Nio, see http://serverfault.com/questions/637649/how-do-i-disable-sslv3-support-in-apache-tomcat or http://wiki.apache.org/tomcat/Security/POODLE – dave_thompson_085 Apr 22 '16 at 09:14
  • Thank you Dave, could you please explain a little more clearly? – Vijay Apr 28 '16 at 06:50
  • Tomcat has two ways of doing SSL/TLS and thus HTTPS, which are configured differently, and you don't say which you are using. The 'native' connector uses the APR library (and OpenSSL internally) and that should work when you set `SSLProtocol`. The 'java' connectors use the Java implementation JSSE, and you need to set `sslProtocol` AND `sslProtocols` (note s) or `sslEnabledProtocols` as described in the questions I linked to (and their sources). – dave_thompson_085 Apr 29 '16 at 05:20
  • We are using 'java' connectors and are trying to update / set the value of sslProtocol. – Vijay May 02 '16 at 10:58
  • And as I said, for the java connectors setting `sslProtocol` is NOT SUFFICIENT to prevent use of SSLv3; you have to set another attribute whose name (apparently) varies *within* Tomcat 6 as described in the wiki.apache.org page. TRY THAT. – dave_thompson_085 May 03 '16 at 15:12
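
The following script is an added example and is not part of the question, the comments or Tomcat itself. It puts the two points from the comments above into a form you can run: it lists SSLEnabled JSSE connectors in a server.xml that set only sslProtocol, without the sslEnabledProtocols or sslProtocols attribute dave_thompson_085 refers to, and it decides from `openssl s_client -ssl3` output whether the server actually completed an SSLv3 handshake. The server.xml fragment and both s_client transcripts are constructed (the first transcript is abbreviated from the question's own output); the function names, including the `probe_sslv3` wrapper, are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original question or from Tomcat: audit a
# server.xml for JSSE HTTPS connectors that rely on sslProtocol alone, and
# decide from 'openssl s_client -ssl3' output whether SSLv3 was really used.
set -u

# Constructed server.xml fragment: a BIO connector with only sslProtocol
# (still accepts SSLv3 on JSSE) next to an NIO connector that also sets
# sslEnabledProtocols. Keystore path and password are placeholders.
SAMPLE_SERVER_XML='<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLSv1"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"/>'

# Constructed transcripts of 'openssl s_client -connect host:port -ssl3'.
# The first is abbreviated from the question's output (SSLv3 accepted); the
# second is the shape of a run against a server that refuses SSLv3. Both
# carry "Protocol : SSLv3": s_client prints the version it asked for, so
# that line alone proves nothing about what the server accepted.
SAMPLE_SSLV3_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA'

SAMPLE_SSLV3_REFUSED='CONNECTED(00000003)
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

# stdin: server.xml. stdout: port of every SSLEnabled JSSE connector that has
# neither sslEnabledProtocols nor sslProtocols (the older Tomcat 6 spelling).
# APR connectors are skipped: they use SSLProtocol and are not affected.
weak_jsse_connectors() {
  tr '\n' ' ' |
    awk '{ gsub(/<Connector/, "\n<Connector"); print }' |
    grep 'SSLEnabled="true"' |
    grep -v 'Http11AprProtocol' |
    grep -v -e 'sslEnabledProtocols=' -e 'sslProtocols=' |
    sed -n 's/.*port="\([0-9]*\)".*/\1/p'
}

# stdin: s_client output. Prints the "Protocol :" value, i.e. the version
# that was requested, which is not proof that the server accepted it.
negotiated_protocol() {
  local proto
  proto=$(sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\([A-Za-z0-9.]*\).*/\1/p' | head -n 1)
  printf '%s\n' "${proto:-none}"
}

# stdin: s_client output. Exit 0 only if a real cipher was negotiated, which
# is the reliable sign that the SSLv3 handshake completed.
sslv3_accepted() {
  grep -q '^New, [^,]*, Cipher is [A-Z0-9]'
}

# Live probe (needs network). OpenSSL built without SSLv3 (the default since
# 1.1.0) rejects the -ssl3 option outright; run this from a build that has it.
probe_sslv3() {
  openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>&1 | sslv3_accepted
}

# $1: label, stdin: s_client output. Shows why the Protocol line misleads.
report() {
  local out verdict
  out=$(cat)
  if printf '%s\n' "$out" | sslv3_accepted; then verdict=yes; else verdict=no; fi
  printf '%s: Protocol line says %s, SSLv3 handshake completed: %s\n' \
    "$1" "$(printf '%s\n' "$out" | negotiated_protocol)" "$verdict"
}

# Demo on the constructed data.
echo "JSSE connectors relying on sslProtocol alone (port):"
printf '%s\n' "$SAMPLE_SERVER_XML" | weak_jsse_connectors
printf '%s\n' "$SAMPLE_SSLV3_OK" | report "sample 1"
printf '%s\n' "$SAMPLE_SSLV3_REFUSED" | report "sample 2"
```

The point of `sslv3_accepted` is the check the question's transcript needs: the `Protocol : SSLv3` line in the SSL-Session block is printed whether or not the server agreed, so the thing to look at after restarting Tomcat is the `New, ..., Cipher is ...` line. A server that still negotiates `AES128-SHA` under `-ssl3`, as in the question, has not disabled SSLv3 no matter what `sslProtocol` says; `Cipher is (NONE)` together with `no peer certificate available` is what a fixed connector produces.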

0 Answers