On 21/06/17 19:04, Marc Dorsa wrote:
>> Hi Tomcat Users,
>>
>> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A
>> 3rd-party component of our product requires SSLv3 and there's no getting
>> around it!) Our Tomcat is running on a custom Linux distribution based on
>> Centos 7, and we're running Java 1.8.0_131. Note that I've already (and
>> correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is
>> correctly enabled when running our existing Tomcat 7.0.47. My guess is that
>> I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat
>> documentation
>> (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I
>> read it, seems to say that simply setting the "protocols" attribute of the
>> SSLHostConfig element to include "SSLv3" should do the job.
>>
>> Thank you in advance for any help offered!
>
> 8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.
>
> The docs need to be updated to reflect that. Also the migration guide.
>
> I've done some svn archaeology and this change was introduced during the
> refactoring that added support for SNI, ALPN and multiple certificates.
> Originally, the removal of SSLv2 and SSLv3 was only for the default
> protocols (as it currently is in 8.0.x and earlier). During the
> refactoring, the filtering effectively switched to applying to the
> supported protocols.
>
> A warning is logged during start-up that an unsupported protocol has
> been requested.
>
> Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM
> used also supports it.
>
> Given the inherent insecurities in SSLv3, I don't like the message
> re-enabling sends. On the other hand, it drives me mad when software
> blocks something because it thinks it knows best rather than letting me
> judge the risk and make the decision for myself.
>
> I'm therefore leaning towards allowing SSLv3 to be requested but logging
> a clear warning if it is.
>
> Mark
> ----------------------------------
>
> Thank you Mark for clarifying that SSLv3 is *not* supported (at all) in
> Tomcat 8.5+. Wow, if only I had known that (via the Tomcat docs), I could
> have saved days of research and experimentation. :-(

SSLv3 will be available (not by default and using it will result in a
warning in the logs) from 9.0.0.M23 and 8.5.17 onwards (i.e. not the
releases currently in progress but the next ones in around a month's time).

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
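For reference, the Tomcat 8.5 server.xml form the thread is discussing, as an added example that is not part of the mailing-list posts or the Tomcat documentation; the port, keystore path and password are placeholders:

```xml
<!-- Tomcat 8.5: protocol selection lives on the nested SSLHostConfig element,
     not on the Connector as in Tomcat 7 (sslEnabledProtocols). -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https" secure="true">
    <!-- Recommended setting: TLS only. -->
    <SSLHostConfig protocols="TLSv1.2">
        <!-- Placeholder keystore; replace with your own. -->
        <Certificate certificateKeystoreFile="conf/EXAMPLE-keystore.jks"
                     certificateKeystorePassword="CHANGEME"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- What the thread describes: a list that also names SSLv3, e.g.
         <SSLHostConfig protocols="TLSv1.2,SSLv3">
     is filtered in 8.5.15 (a start-up warning is logged and SSLv3 stays
     off). From 8.5.17 / 9.0.0.M23 the value is honoured, still with a
     warning in the logs, and only if the JVM itself has SSLv3 enabled. -->
```

Watch catalina.out at start-up for the protocol warning Mark mentions; its presence tells you whether the list was filtered or honoured on the version you run.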