I believe some village somewhere was missing somebody :)

Reading the Tomcat/APR doc (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support), I found that I have to use SSLProtocol instead of sslProtocol.

After making that change, SSLv3 disappeared.

Thanks,
Vu

On 10/16/2014 08:32 AM, vu pham wrote:
All,

I am running Tomcat 7.0.26 with APR on RHEL 5.10 (x86_64). My server.xml's configuration for the https connector is as follows:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLSv1"
           SSLCertificateKeyFile="/u01/apache-tomcat-7.0.26/conf/servey_xxx.key"
           SSLCertificateFile="/u01/apache-tomcat-7.0.26/conf/server_xxx.crt"
           SSLCACertificateFile="/u01/apache-tomcat-7.0.26/conf/SSL123_CA_Bundle.pem"
        />

I also tried sslProtocol with different values of TLS, TLSv1.1, and TLSv1.2, but the SSL tests such as the ones from SSLLabs or Thawte claim that my server still has SSLv3 enabled.

Any advice is greatly appreciated.

Thanks,
Vu
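
A server.xml check for the mistake resolved in this thread, added here as an example (it is not code from either message or from the Tomcat project). It assumes a connector carrying APR-style certificate attributes is meant for APR, and it reads SSLProtocol values as tokens joined by "+" with "all" as a catch-all; the function name and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector in the thread (paths shortened).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLSv1"
               SSLCertificateKeyFile="conf/server.key"
               SSLCertificateFile="conf/server.crt" />
  </Service>
</Server>"""

# Assumption: any of these attributes marks a connector intended for APR.
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLCACertificateFile"}
# Assumption: SSLProtocol tokens that leave SSLv2/SSLv3 negotiable.
LEGACY_TOKENS = {"sslv2", "sslv3", "all"}


def audit_connectors(server_xml):
    """Return (port, finding) tuples for TLS connectors configured for APR."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        attrs = conn.attrib  # XML attribute names are case-sensitive
        if attrs.get("SSLEnabled", "").lower() != "true":
            continue
        if not attrs.keys() & APR_ATTRS:
            continue  # no APR-style attributes, out of scope for this check
        port = attrs.get("port", "?")
        if "SSLProtocol" not in attrs:
            if "sslProtocol" in attrs:
                findings.append((port, "sslProtocol is set but SSLProtocol is "
                                       "not; the restriction does not take effect"))
            else:
                findings.append((port, "SSLProtocol is not set"))
            continue
        tokens = {t.strip().lower() for t in attrs["SSLProtocol"].split("+")}
        if tokens & LEGACY_TOKENS:
            findings.append((port, "SSLProtocol=%r allows SSLv2/SSLv3"
                                   % attrs["SSLProtocol"]))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print("connector on port %s: %s" % (port, finding))
```

A clean result only covers the configuration file; re-running the external SSL test against the restarted server is still what confirms SSLv3 is gone.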
