On 15/10/2014 13:42, John Blaut wrote:
HiFollowing the recent announcement of the SSLv3 POODLE vulnerability (CVE-2014-3566), when disabling SSLv3 on Tomcat APR/Native using the following configuration: SSLProtocol="TLSv1", it seems that the effect is that besides the SSLv3 protocol even the TLSv1.1 and TLSv1.2 protocols no longer remain available, at least according to the Qualys SSL Labs test: https://www.ssllabs.com/ssltest/ Protocols TLS 1.2 No TLS 1.1 No TLS 1.0 Yes SSL 3 No SSL 2 No Is there an explanation for this? What configuration is required in order to disable SSLv3 (and SSLv2 of course) whilst still retaining support for all TLS 1.0, 1.1 & 1.2?
TLS Supports some version of TLS; may support other versionsTLSv1 Supports RFC 2246: TLS version 1.0 <http://www.ietf.org/rfc/rfc2246.txt> ; may support other versions TLSv1.1 Supports RFC 4346: TLS version 1.1 <http://www.ietf.org/rfc/rfc4346.txt> ; may support other versions TLSv1.2 Supports RFC 5246: TLS version 1.2 <http://www.ietf.org/rfc/rfc5246.txt> ; may support other versions
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext-- Regards, Giles Coochey, CCNP, CCNA, CCNAS NetSecSpec Ltd +44 (0) 8444 780677 +44 (0) 7584 634135 http://www.coochey.net http://www.netsecspec.co.uk gi...@coochey.net
smime.p7s
Description: S/MIME Cryptographic Signature
