Thanks for your reply.

Kindly note that for SSL on Tomcat, I do not use the standard JSSE SSL but
OpenSSL via APR/native.
According to the documentation, the SSL protocols can be configured in this
manner for APR/native:

"SSLProtocol    Protocol which may be used for communicating with clients.
The default value is all, which is equivalent to SSLv3+TLSv1 with other
acceptable values being SSLv2, SSLv3, TLSv1 and any combination of the
three protocols concatenated with a plus sign. Note that the protocol SSLv2
is inherently unsafe."

When using: SSLv3+TLSv1 - SSLv3 & TLSv1.0, 1.1, 1.2 are all available
When using: TLSv1       - only TLSv1.0 seems available, without TLS 1.1 and 1.2

I am wondering if there is a solution for Tomcat APR/Native where SSLv3 can
be disabled without losing support for TLS 1.1 & 1.2?

Regards

John


On Wed, Oct 15, 2014 at 2:48 PM, Giles Coochey <gi...@coochey.net> wrote:

> On 15/10/2014 13:42, John Blaut wrote:
>
> Hi
>
> Following the recent announcement of the SSLv3 POODLE vulnerability
> (CVE-2014-3566), when disabling SSLv3 on Tomcat APR/Native using the
> following configuration: SSLProtocol="TLSv1", it seems that the effect is
> that besides the SSLv3 protocol even the TLSv1.1 and  TLSv1.2 protocols no
> longer remain available, at least according to the Qualys SSL Labs
> test: https://www.ssllabs.com/ssltest/
>
> Protocols
> TLS 1.2     No
> TLS 1.1     No
> TLS 1.0     Yes
> SSL 3     No
> SSL 2     No
>
> Is there an explanation for this?
> What configuration is required in order to disable SSLv3 (and SSLv2 of
> course) whilst still retaining support for all TLS 1.0, 1.1 & 1.2?
>
>
> TLS      Supports some version of TLS; may support other versions
> TLSv1    Supports RFC 2246: TLS version 1.0 <http://www.ietf.org/rfc/rfc2246.txt>; may support other versions
> TLSv1.1  Supports RFC 4346: TLS version 1.1 <http://www.ietf.org/rfc/rfc4346.txt>; may support other versions
> TLSv1.2  Supports RFC 5246: TLS version 1.2 <http://www.ietf.org/rfc/rfc5246.txt>; may support other versions
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext--
> Regards,
> Giles Coochey, CCNP, CCNA, CCNAS
> NetSecSpec Ltd
> +44 (0) 8444 780677
> +44 (0) 7584 634135
> http://www.coochey.net
> http://www.netsecspec.co.uk
> gi...@coochey.net
>
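As an added verification check that is not part of the thread: a POSIX shell script that probes a server one protocol version at a time with `openssl s_client`, prints the same rows as the SSL Labs table quoted above, and has an `assess` function that succeeds only for the outcome John is after (SSLv3 refused while TLS 1.1 and 1.2 still answer). The host and port are placeholders, and it assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: probe which SSL/TLS versions a server
# accepts with `openssl s_client`, print a table like the SSL Labs one, and
# check for the outcome the thread wants (SSLv3 off, TLS 1.1/1.2 still on).
# Assumes `openssl` is on PATH; host/port are placeholders. OpenSSL builds
# compiled without SSLv3 reject -ssl3 as an unknown option, which is reported
# separately rather than being mistaken for "server refused SSLv3".

# Classify captured s_client output. A completed handshake prints the
# negotiated cipher; a refused version prints "Cipher is (NONE)" or
# "Cipher    : 0000" (usually together with a handshake_failure alert).
classify() {
    case "$1" in
        *nknown\ option*)                           printf 'client-unsupported' ;;
        *"Cipher is (NONE)"*|*"Cipher    : 0000"*)  printf 'No' ;;
        *"Cipher is "*|*"Cipher    : "*)            printf 'Yes' ;;
        *"handshake failure"*|*alert*)              printf 'No' ;;
        *)                                          printf 'unknown' ;;
    esac
}

# probe HOST PORT FLAG: one handshake attempt forced to a single version.
probe() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" "$3" 2>&1)
    classify "$out"
}

# report HOST [PORT]: one line per version, same rows as the SSL Labs table.
report() {
    host=$1; port=${2:-443}
    for v in "TLS 1.2:-tls1_2" "TLS 1.1:-tls1_1" "TLS 1.0:-tls1" "SSL 3:-ssl3"; do
        printf '%-8s %s\n' "${v%%:*}" "$(probe "$host" "$port" "${v##*:}")"
    done
}

# assess REPORT: succeeds only when SSL 3 is off and TLS 1.1 and 1.2 are on.
assess() {
    printf '%s\n' "$1" | grep -q '^SSL 3 *No$' &&
    printf '%s\n' "$1" | grep -q '^TLS 1\.1 *Yes$' &&
    printf '%s\n' "$1" | grep -q '^TLS 1\.2 *Yes$'
}

# Usage (placeholder host): rep=$(report tomcat.example.invalid 8443)
# printf '%s\n' "$rep"; assess "$rep" && echo 'SSLv3 off, TLS 1.1/1.2 on'
```

Run `report` before and after changing `SSLProtocol` so the comparison is made against the server itself rather than only against the external SSL Labs scan.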
