2016-01-14 13:27 GMT+03:00 Weare Borg <kernelfr...@gmail.com>:
> Hello friends,
>
> I recently scanned our domain with Qualys SSL Labs and found out that we have 2
> problems as listed below:
>
> 1) This server is vulnerable to the POODLE attack. If possible, disable SSL
> 3 to mitigate. Grade capped to C
> 2) This server accepts RC4 cipher, but only with older protocol versions.
> Grade capped to B.
>
> Our server runs Debian X64 with Apache 2.2 as a load-balancer and fail-over
> for 2 Tomcat instances. So I configured the settings for both Apache and
> Tomcat for both these problems. Here are the changes I made, but I still
> keep getting the two errors I mentioned above. What am I doing wrong?
>
> Changes to mods-available/ssl.conf:
>
> SSLProtocol All -SSLv2 -SSLv3
> SSLHonorCipherOrder on
> SSLCipherSuite ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3!EXPORT
You are missing ":" between SSLv3 and EXPORT. So actually you are not disabling SSLv3.

> Changes to 8443 connector for Tomcat:
>
> <Connector port="8443" enableLookups="true"
> protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
> maxThreads="200" compression="off"

How do you proxy your requests? Usually requests are proxied with AJP protocol, so the above HTTP connector configuration does not matter.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
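The missing ":" is easy to miss by eye, so here is a small added example (written for this page, not code from the thread or from the Apache/Tomcat projects) that lints an SSLCipherSuite string for rules run together without a separator, and then checks the two Qualys findings directly against a listener. It assumes POSIX sh; the expansion and probe helpers additionally assume the openssl command-line tool is installed and that the build still accepts `-ssl3` (on builds compiled without SSLv3 the option itself fails, so "refused" from that probe is inconclusive). The host and port arguments of probe_listener are hypothetical and it is not run by default.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes POSIX sh; the helpers
# that call openssl assume the openssl CLI is on PATH.

# Split an Apache SSLCipherSuite string on ':' and flag any token in which a
# '!' appears after the first character. '+' between names is legal (it means
# intersection, e.g. ECDHE+AESGCM), but '!' only ever starts a rule, so
# "!SSLv3!EXPORT" can only mean a ':' was dropped. Returns 0 if clean.
check_cipher_string() {
    suite=$1
    status=0
    old_ifs=$IFS
    IFS=:
    for tok in $suite; do
        case "$tok" in
            ?*!*)
                echo "bad token '$tok': '!' inside token, ':' missing before it" >&2
                status=1
                ;;
        esac
    done
    IFS=$old_ifs
    return $status
}

# Expand the suite with the local OpenSSL and report whether any RC4 cipher
# survives (exit 0 = RC4 present). Requires the openssl CLI.
suite_has_rc4() {
    openssl ciphers "$1" | tr ':' '\n' | grep -q 'RC4'
}

# Probe a live HTTPS listener the way the two Qualys findings do: attempt an
# SSLv3 handshake, then an RC4-only handshake over whatever protocol the
# server picks. Hypothetical host/port arguments; s_client exits non-zero
# when the handshake fails. On OpenSSL builds without SSLv3 support the
# -ssl3 option itself fails, so treat "refused" there as inconclusive.
probe_listener() {
    host=$1
    port=${2:-443}
    if openssl s_client -connect "$host:$port" -ssl3 </dev/null >/dev/null 2>&1; then
        echo "$host:$port: SSLv3 handshake accepted (POODLE finding)"
    else
        echo "$host:$port: SSLv3 refused (or unsupported by this openssl)"
    fi
    if openssl s_client -connect "$host:$port" -cipher RC4 </dev/null >/dev/null 2>&1; then
        echo "$host:$port: RC4 cipher accepted"
    else
        echo "$host:$port: RC4 refused"
    fi
}

# Constructed input: the string from the question, then the corrected one.
check_cipher_string 'ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3!EXPORT' \
    || echo "original string rejected" >&2
check_cipher_string 'ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3:!EXPORT' \
    && echo "corrected string OK"
```

Run check_cipher_string on the exact value you put in ssl.conf, then point probe_listener at the Apache front end rather than at Tomcat's 8443 connector: when Apache proxies to Tomcat over AJP, only the Apache listener terminates TLS and only its settings are what the scanner sees.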