How do I disable SSLv3 in tomcat?

security ssl tomcat7

Solution 1:

Add the below string to server.xml connecter

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"

and then remove 

sslProtocols="TLS"

check on

http://poodlebleed.com/
https://www.ssllabs.com/ssltest/

Solution 2:

Using

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"

did not work for us. We had to use

sslProtocols="TLSv1, TLSv1.1, TLSv1.2"

and left out the sslEnabledProtocols altogether.

Solution 3:

All more modern browsers of note work with at least TLS1. There are no safe SSL protocols any more, which means no more IE6 access to secure web sites.

Test your server for this vulnerability with nmap in a few seconds:

nmap --script ssl-cert,ssl-enum-ciphers -p 443 www.example.com

If ssl-enum-ciphers lists a "SSLv3:" section or any other SSL sections, your server is vulnerable.

To patch this vulnerability on a Tomcat 7 web server, in the server.xml connector, remove

sslProtocols="TLS"

(or sslProtocol="SSL" or similar) and replace it with:

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"

Then restart tomcat and test again to verify that SSL is no longer accepted. Thanks to Connor Relleen for the correct sslEnabledProtocols string.

Related

`indicator-cpufreq` doesn't seem to work on 14.10
What is the difference between `root ALL=(ALL:ALL) ALL` and `root ALL=(ALL) ALL`?
Youtube causing black screen in chrome?
Ubuntu: encrypted remote desktop server?
How do I find all key bindings in Ubuntu 14.04?
Open application window on the same screen as where It was launched
How to create a ext4 partition for all users?
How to create a SFTP (SSH) User with extremely limited permissions
AppArmor with cupsd denied in logs
Manually edit DNS in Ubuntu 14.04
How can I make a mini English-Chinese dictionary for Ubuntu?
Why the "mutable default argument fix" syntax is so ugly, asks python newbie