How do I disable SSLv3 in tomcat?

Solution 1:

Add the below string to the server.xml connector

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"

and then remove

sslProtocols="TLS"

check on

http://poodlebleed.com/
https://www.ssllabs.com/ssltest/

Solution 2:

Using

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" 

did not work for us. We had to use

sslProtocols="TLSv1, TLSv1.1, TLSv1.2"

and left out the sslEnabledProtocols altogether.

Solution 3:

All more modern browsers of note work with at least TLS1. There are no safe SSL protocols any more, which means no more IE6 access to secure web sites.

Test your server for this vulnerability with nmap in a few seconds:

nmap --script ssl-cert,ssl-enum-ciphers -p 443 www.example.com

If ssl-enum-ciphers lists a "SSLv3:" section or any other SSL sections, your server is vulnerable.

To patch this vulnerability on a Tomcat 7 web server, in the server.xml connector, remove

sslProtocols="TLS"

(or sslProtocol="SSL" or similar) and replace it with:

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"

Then restart tomcat and test again to verify that SSL is no longer accepted. Thanks to Connor Relleen for the correct sslEnabledProtocols string.
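Solutions 1 and 3 both come down to the same server.xml change: remove the legacy sslProtocols="TLS" / sslProtocol="SSL" attribute and set sslEnabledProtocols to an explicit TLS-only list. The following script is an added example, not code from any of the answers above, that audits every SSLEnabled connector in a server.xml for that setting; the sample XML is constructed, with one weak connector beside one corrected connector.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from a real deployment): the 8443
# connector still has the weak legacy setting, 9443 has the corrected one,
# and 8080 is plain HTTP, so TLS settings do not apply to it.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocols="TLS"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Protocol names in sslEnabledProtocols that would still permit an SSL
# handshake; a hardened connector lists TLS versions only.
SSL_NAMES = {"SSL", "SSLv2", "SSLv3"}


def audit_connectors(server_xml):
    """Return (port, finding) pairs for connectors that may still accept SSL."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # not a TLS connector
        port = conn.get("port")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # No explicit list: the connector relies on the legacy
            # sslProtocol(s) attribute or the JDK default, which may
            # still negotiate SSLv3. This is the case the answers fix.
            findings.append((port, "sslEnabledProtocols missing"))
            continue
        names = {n.strip() for n in enabled.split(",") if n.strip()}
        bad = sorted(names & SSL_NAMES)
        if bad:
            findings.append((port, "sslEnabledProtocols allows " + ", ".join(bad)))
        elif not all(n.startswith("TLSv") for n in names):
            findings.append((port, "sslEnabledProtocols is not TLS-only: " + enabled))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s" % (port, finding))
```

Run it against your own server.xml after the change, then confirm with the nmap command above that no "SSLv3:" section remains.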