I am using Tomcat 7. I can reproduce the issue even on Native 1.1.30.

On Wed, Oct 15, 2014 at 3:00 PM, James Drews <dr...@engr.wisc.edu> wrote:
> That isn't working for tomcat 6, it will only accept TLSv1 for the
> SSLProtocol entry, and that results in using TLS1.0 only.
>
>
> On 10/15/2014 7:48 AM, Giles Coochey wrote:
>
> On 15/10/2014 13:42, John Blaut wrote:
>
> Hi
>
> Following the recent announcement of the SSLv3 POODLE vulnerability
> (CVE-2014-3566), when disabling SSLv3 on Tomcat APR/Native using the
> following configuration: SSLProtocol="TLSv1", it seems that the effect is
> that besides the SSLv3 protocol even the TLSv1.1 and TLSv1.2 protocols no
> longer remain available, at least according to the Qualys SSL Labs
> test: https://www.ssllabs.com/ssltest/
>
> Protocols
> TLS 1.2 No
> TLS 1.1 No
> TLS 1.0 Yes
> SSL 3 No
> SSL 2 No
>
> Is there an explanation for this?
> What configuration is required in order to disable SSLv3 (and SSLv2 of
> course) whilst still retaining support for all TLS 1.0, 1.1 & 1.2?
>
>
> TLS Supports some version of TLS; may support other versions
> TLSv1 Supports RFC 2246: TLS version 1.0 <http://www.ietf.org/rfc/rfc2246.txt>; may support other versions
> TLSv1.1 Supports RFC 4346: TLS version 1.1 <http://www.ietf.org/rfc/rfc4346.txt>; may support other versions
> TLSv1.2 Supports RFC 5246: TLS version 1.2 <http://www.ietf.org/rfc/rfc5246.txt>; may support other versions
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext
>
> --
> Regards, Giles Coochey, CCNP, CCNA, CCNAS
> NetSecSpec Ltd
> +44 (0) 8444 780677
> +44 (0) 7584 634135
> http://www.coochey.net
> http://www.netsecspec.co.uk
> gi...@coochey.net