How do I disable SSLv3 in tomcat?
Solution 1:
Add the string below to the server.xml connector
sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
and then remove
sslProtocols="TLS"
Check on
http://poodlebleed.com/
https://www.ssllabs.com/ssltest/
Solution 2:
Using
sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
did not work for us. We had to use
sslProtocols="TLSv1, TLSv1.1, TLSv1.2"
and left out the sslEnabledProtocols altogether.
Solution 3:
All modern browsers of note work with at least TLS1. There are no safe SSL protocols any more, which means no more IE6 access to secure web sites.
Test your server for this vulnerability with nmap in a few seconds:
nmap --script ssl-cert,ssl-enum-ciphers -p 443 www.example.com
If ssl-enum-ciphers lists an "SSLv3:" section or any other SSL sections, your server is vulnerable.
To patch this vulnerability on a Tomcat 7 web server, in the server.xml connector, remove
sslProtocols="TLS"
(or sslProtocol="SSL" or similar) and replace it with:
sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
Then restart Tomcat and test again to verify that SSL is no longer accepted. Thanks to Connor Relleen for the correct sslEnabledProtocols string.
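The answers above disagree on whether sslEnabledProtocols or sslProtocols is the attribute that takes effect, so before restarting Tomcat it is worth auditing server.xml for SSL-enabled connectors that still have no explicit TLS-only protocol list. The following is an added example, not code from any of the answers; the two server.xml fragments are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: connector with only the context name "TLS", which
# does not by itself restrict the protocols the JVM will negotiate.
WEAK_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS" />
  </Service>
</Server>"""

# Constructed sample: the same connector with the explicit list from the answers.
FIXED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" />
  </Service>
</Server>"""


def audit_connectors(server_xml: str) -> list[dict]:
    """Return one finding per SSL-enabled Connector whose enabled-protocol
    list is missing or contains anything other than TLSv* entries."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors never negotiate TLS
        port = conn.get("port", "?")
        # Check both spellings the answers mention; whichever is present
        # is what the running connector is configured with.
        enabled = conn.get("sslEnabledProtocols") or conn.get("sslProtocols")
        if enabled is None:
            # No explicit list: the JVM's default enabled-protocol set
            # decides, and JVMs of the POODLE era still included SSLv3 in it.
            ctx = conn.get("sslProtocol", "TLS")
            findings.append({"port": port,
                             "reason": f"no explicit protocol list (sslProtocol={ctx!r})"})
            continue
        protocols = [p.strip() for p in enabled.split(",") if p.strip()]
        bad = [p for p in protocols if not p.startswith("TLSv")]
        if bad:
            findings.append({"port": port,
                             "reason": f"non-TLS entries enabled: {bad}"})
    return findings
```

Run it against a copy of the live server.xml and treat every finding as a connector to fix before re-testing with nmap or ssllabs.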