Hi Jammy,
Please refer to https://access.redhat.com/solutions/1232233
When using Tomcat with the JSSE connectors, the SSL protocol to be used can
be configured via $TOMCAT_HOME/conf/server.xml. The following example shows
how the sslProtocol in an https connector is configured.
Tomcat 5 and 6 (prior to 6.0.38)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />
Tomcat 6 (6.0.38 and later) and 7
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols =
"TLSv1,TLSv1.1,TLSv1.2" />
If the sslEnabledProtocols or sslProtocols attributes are specified, only
protocols that are listed and supported by the SSL implementation will be
enabled. If not specified, the JVM default is used. The permitted values
may be obtained from the JVM documentation for the allowed values for
algorithm when creating an SSLContext instance e.g. Oracle Java 6 and
Oracle Java 7.
By the way, why would you disable SSL? What is your current problem? I may
have the same problem with tomcat 7.0.55...
On Fri, Jan 30, 2015 at 2:44 PM, Terence M. Bandoian <tere...@tmbsw.com>
wrote:
> On 1/29/2015 10:02 AM, Jammy Chen wrote:
>
>> Hello Chuck,
>>
>> Thanks for replying, I understood this is old, our product has already
>> upgraded to latest version, but somehow, some of our users are still in
>> such old stage, they do not plan uptake now but they want disable SSL V3
>> as
>> everybody know this is big security vulnerability.
>>
>>
>> *so now the important thing is how I can disable SSL V3 on Tomcat
>> 6.0.18.0?
>> I cannot find the solution*
>>
>> Jammy
>>
>> 2015-01-29 22:00 GMT+08:00 Caldarale, Charles R <
>> chuck.caldar...@unisys.com>
>> :
>>
>> From: Jammy Chen [mailto:jamm...@gmail.com]
>>>> Subject: How-to disable SSL V3 on Tomcat 6.0.18.0
>>>> Do everybody knows how-to disable SSL v3 in older tomcat version
>>>> Server version: Apache Tomcat/6.0.18
>>>> Server built: Jul 22 2008 02:00:36
>>>>
>>> Yes - move up to a current level and read the docs.
>>>
>>> Seriously, if you're using a Tomcat of that vintage (this one is more
>>> than
>>> 6.5 years old), you have a lot more security issues to worry about than
>>> SSLv3. It's irresponsible not to upgrade.
>>>
>>> OS Name: Windows 2003
>>>>
>>> A few months from end-of-life.
>>>
>>> JVM Version: 1.6.0-b105
>>>>
>>> Two years past end-of-life.
>>>
>>> Is there a pattern here?
>>>
>>> - Chuck
>>>
>>
>
> Hi, Jammy-
>
> I'd suggest downloading Tomcat 6.0.18 which includes the then-current
> documentation.
>
> -Terence Bandoian
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
