On 15/10/2014 13:42, John Blaut wrote:
Hi

Following the recent announcement of the SSLv3 POODLE vulnerability
(CVE-2014-3566), when disabling SSLv3 on Tomcat APR/Native using the
following configuration: SSLProtocol="TLSv1", it seems that the effect is
that besides the SSLv3 protocol even the TLSv1.1 and TLSv1.2 protocols no
longer remain available, at least according to the Qualys SSL Labs test:
https://www.ssllabs.com/ssltest/

Protocols
TLS 1.2     No
TLS 1.1     No
TLS 1.0     Yes
SSL 3     No
SSL 2     No

Is there an explanation for this?
What configuration is required in order to disable SSLv3 (and SSLv2 of
course) whilst still retaining support for all TLS 1.0, 1.1 & 1.2?

TLS      Supports some version of TLS; may support other versions
TLSv1    Supports RFC 2246: TLS version 1.0 <http://www.ietf.org/rfc/rfc2246.txt>; may support other versions
TLSv1.1  Supports RFC 4346: TLS version 1.1 <http://www.ietf.org/rfc/rfc4346.txt>; may support other versions
TLSv1.2  Supports RFC 5246: TLS version 1.2 <http://www.ietf.org/rfc/rfc5246.txt>; may support other versions


http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext

--
Regards,
Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
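
The SSLContext names in the table quoted above, run on a JSSE runtime, as an added example that is not part of the original thread: it lists what each context name supports and enables by default, then sets the enabled protocols explicitly so that SSLv3 is excluded. The class name ProtocolNames and the REFUSED list are assumptions of this example, and it covers JSSE only, not the APR/Native connector's SSLProtocol attribute.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical class name; added example, not code from the thread.
public class ProtocolNames {
    // Assumed deny list: protocols to refuse whatever the provider offers
    // (SSLv3 is the protocol affected by POODLE, CVE-2014-3566).
    static final List<String> REFUSED = Arrays.asList("SSLv2Hello", "SSLv2", "SSLv3");

    // Return the provider's supported protocols minus the refused ones.
    static String[] withoutLegacy(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String p : supported) {
            if (!REFUSED.contains(p)) {
                keep.add(p);
            }
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"TLS", "TLSv1", "TLSv1.1", "TLSv1.2"}) {
            SSLContext ctx = SSLContext.getInstance(name);
            ctx.init(null, null, null); // default key managers, trust managers, RNG

            // "May support other versions": compare the name with what it yields.
            String[] supported = ctx.getSupportedSSLParameters().getProtocols();
            String[] enabled = ctx.getDefaultSSLParameters().getProtocols();
            System.out.println(name + " supported=" + Arrays.toString(supported)
                    + " default=" + Arrays.toString(enabled));

            // The context name does not pin a version, so set the list explicitly.
            SSLEngine engine = ctx.createSSLEngine();
            engine.setUseClientMode(false); // server side
            engine.setEnabledProtocols(withoutLegacy(supported));
            System.out.println("  server engine enabled="
                    + Arrays.toString(engine.getEnabledProtocols()));
        }
    }
}
```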
