Please provide the fix for How do I patch/workaround SSLv3 POODLE vulnerability (CVE-2014-3566)? for Tomcat.
I have tried following the link below; however, it does not help: tomcat-users mailing list archives
Add the string below to the server.xml connector:
sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
and then remove
sslProtocols="TLS"
check on
All more modern browsers of note work with at least TLS1. There are no safe SSL protocols any more, which means no more IE6 access to secure web sites.
Test your server for this vulnerability with nmap in a few seconds:
nmap --script ssl-cert,ssl-enum-ciphers -p 443 www.example.com
If ssl-enum-ciphers lists a "SSLv3:" section or any other SSL sections, your server is vulnerable.
To patch this vulnerability on a Tomcat 7 web server, in the server.xml connector, remove
sslProtocols="TLS"
(or sslProtocol="SSL" or similar) and replace it with:
sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
Then restart Tomcat and test again to verify that SSL is no longer accepted. Thanks to Connor Relleen for the correct sslEnabledProtocols string.
Using
sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
did not work for us. We had to use
sslProtocols="TLSv1, TLSv1.1, TLSv1.2"
and left out the sslEnabledProtocols altogether.
For Tomcat 6, in addition to the above, we also had to do the following:
In server.xml connector, add:
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
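An added example, not part of any answer above: a small Python audit of a server.xml that reports, per connector, whether the protocol attributes the answers discuss pin explicit TLS versions. The sample XML is constructed, `audit_connectors` is a hypothetical helper name, and treating `SSLEnabled="true"` as the marker of a connector to check is an assumption.

```python
import xml.etree.ElementTree as ET

# Attributes the answers above use to pin protocol versions on a connector.
PROTOCOL_ATTRS = ("sslEnabledProtocols", "sslProtocols")

# Constructed sample server.xml, not taken from a real deployment.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" />
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" />
    <Connector port="10443" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="SSLv3, TLSv1" />
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return {port: finding} for each connector with SSLEnabled="true"."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Assumption: SSLEnabled="true" marks the connectors that need checking.
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        values = [conn.get(attr) for attr in PROTOCOL_ATTRS if conn.get(attr)]
        if not values:
            # Only a generic sslProtocol (or nothing): versions are not pinned.
            findings[port] = "no explicit protocol list"
            continue
        names = [p.strip() for v in values for p in v.split(",") if p.strip()]
        # Anything that is not an explicit TLSv* entry (SSLv3, bare "TLS") is flagged.
        flagged = [p for p in names if not p.startswith("TLSv")]
        findings[port] = "flagged: " + ", ".join(flagged) if flagged else "ok"
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, finding)
```

A clean result only reflects the configuration file; the nmap check above confirms what the running server actually accepts.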