John,

> On Wednesday, October 15, 2014 6:20 AM, John Blaut <john.bl...@gmail.com> 
> wrote:
> > When SSLv3 is enabled, it seems TLS1.1 and TLS 1.2 are supported however.
> It seems strange that the SSLv3 option controls the availability of TLS1.1
> and TLS1.2.
> 
> Now that SSLv3 is considered insecure and more people start to disable it,
> I suppose many on APR/Native will encounter the same issue.
> Is there any way to preserve TLS1.1 & TLS1.2 whilst disabling SSLv3?
> 
> Regards
> 
> John
> 

From the Google blog post:

Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to 
mitigate this issue, but presents significant compatibility problems, even 
today.
I run Apache HTTPD in front of Tomcat servers, so I think it will be possible 
to disable the second (CBC-mode ciphers with SSL 3.0). I haven't really read 
the APR/Native SSL configuration carefully enough to know if this is possible 
with Tomcat.

As an aside, for the last 500K hits I've seen 37 requests that have used 
CBC-mode ciphers with SSLv3. At least for the sites I am concerned with 
disabling this does not seem to have 'significant compatibility problems'.

> 
> On Wed, Oct 15, 2014 at 3:09 PM, Giles Coochey <gi...@coochey.net> wrote:
> 
>>   On 15/10/2014 14:03, John Blaut wrote:
>> 
>>  I am using Tomcat 7. I can reproduce the issue even on Native 1.1.30.
>> 
>> 
>> 
>>   Apologies, yes Apr/Native only supports SSLv2, SSLv3 & TLSv1.0
>> 
>>    SSLProtocol
>> 
>>  Protocol which may be used for communicating with clients. The default
>>  value is all, which is equivalent to SSLv3+TLSv1 with other acceptable
>>  values being SSLv2, SSLv3, TLSv1 and any combination of the three
>>  protocols concatenated with a plus sign. Note that the protocol SSLv2 is
>>  inherently unsafe.
>> 
>> 
>> 
>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>> 
>>  --
>>  Regards,
>> 
>>  Giles Coochey, CCNP, CCNA, CCNAS
>>  NetSecSpec Ltd
>>  +44 (0) 8444 780677
>>  +44 (0) 7584 634135
>>  http://www.coochey.net
>>  http://www.netsecspec.co.uk
>>  gi...@coochey.net
>> 
>> 
> 
. . . using web mail while rebuilding my system from backups
/mde/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
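As an added example (not code from anyone in this thread), here is one way to take the measurement mde describes above: count, from Apache httpd access logs, the requests that negotiated a CBC-mode cipher over SSLv3. It assumes a LogFormat that appends `%{SSL_PROTOCOL}x %{SSL_CIPHER}x` to each line, and the sample log lines are constructed, not real traffic.

```python
"""Count SSLv3 + CBC-cipher requests (the POODLE-exposed population) in httpd logs."""
import re
from collections import Counter

# Assumed httpd LogFormat (an assumption, not quoted from the thread):
#   LogFormat "%h %t \"%r\" %>s %{SSL_PROTOCOL}x %{SSL_CIPHER}x" sslcombined
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<proto>\S+) (?P<cipher>\S+)$'
)

# OpenSSL suite names that are NOT CBC: stream (RC4), AEAD (GCM/CCM/CHACHA20), NULL.
NON_CBC_TAGS = ("RC4", "GCM", "CCM", "CHACHA20", "NULL")


def is_cbc_cipher(cipher: str) -> bool:
    """Heuristic for OpenSSL cipher names: names such as AES128-SHA omit the word
    CBC while DES-CBC3-SHA spells it out, so treat anything that is not a known
    stream/AEAD/NULL suite as CBC. Under SSLv3 this is exact: RC4 is the only
    non-CBC bulk cipher SSLv3 offers."""
    name = cipher.upper()
    return "CBC" in name or not any(tag in name for tag in NON_CBC_TAGS)


def poodle_exposure(lines):
    """Return (total_requests, sslv3_cbc_requests, Counter of cipher names for SSLv3+CBC hits)."""
    total, exposed, by_suite = 0, 0, Counter()
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # line not in the assumed format; skip rather than guess
        total += 1
        proto, cipher = match.group("proto"), match.group("cipher")
        if proto == "SSLv3" and is_cbc_cipher(cipher):
            exposed += 1
            by_suite[cipher] += 1
    return total, exposed, by_suite


# Constructed sample log lines (not real traffic); "- -" marks a plain-HTTP request.
SAMPLE_LOG = """\
203.0.113.5 [15/Oct/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.6 [15/Oct/2014:10:00:02 +0000] "GET /a HTTP/1.1" 200 TLSv1 ECDHE-RSA-AES128-SHA
198.51.100.7 [15/Oct/2014:10:00:03 +0000] "GET /b HTTP/1.1" 200 SSLv3 DES-CBC3-SHA
198.51.100.8 [15/Oct/2014:10:00:04 +0000] "GET /c HTTP/1.1" 200 SSLv3 RC4-SHA
198.51.100.9 [15/Oct/2014:10:00:05 +0000] "GET /d HTTP/1.0" 304 SSLv3 AES128-SHA
192.0.2.1 [15/Oct/2014:10:00:06 +0000] "GET /e HTTP/1.1" 200 - -
""".splitlines()

if __name__ == "__main__":
    total, exposed, suites = poodle_exposure(SAMPLE_LOG)
    print(f"{exposed} of {total} requests used CBC ciphers over SSLv3: {dict(suites)}")
```

Run it over a real log with `poodle_exposure(open("access_log"))`; the SSLv3+RC4 requests it leaves out are not CBC-padding-oracle targets but still carry RC4's own weaknesses.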
