Varun,
On 7/8/16 2:16 AM, varun gulati wrote:
> Hello Team, for the past few days I have been struggling with
> disabling TLSv1.0 in my Tomcat configuration. Here is the content
> of my server.xml file. I was able to disable SSLv3, and things were
> working fine but somehow not able to disable TLSv1.0. Really
> appreciate your suggestions on how to resolve this vulnerability.
>
> Disabled SSLv3 with below config:
>
> maxThreads="150" scheme="https" secure="true"
> keystoreFile="Keystore_Pathe" keystorePass="*"
> clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> ciphers="All Ciphers excluding RC4 Ciphers" />
>
> To disable TLSv1.0 I adopted the below config; fortunately it
> cleared the scans, but my site broke on HTTPS. Referred link:
> http://tomcat.10.x6.nabble.com/How-to-allow-only-TLS-1-1-connections-to-Tomcat-6-0-server-with-https-td4995362.html
>
> maxThreads="150" scheme="https" secure="true"
> keystoreFile="Keystore_Pathe" keystorePass="*"
> clientAuth="false" sslProtocol="TLSv1.1"
> sslEnabledProtocols="TLSv1.1" ciphers="All Ciphers excluding RC4
> Ciphers"
> />
>
> Please help me identify if I am missing anything.

You were very close. You need:

  sslProtocol="TLS" (the default)

and

  sslEnabledProtocols="TLSv1.1"

or

  sslEnabledProtocols="TLSv1.1,TLSv1.2"

Note that using a recent version of Tomcat should already disable
SSLv3 by default... you'd have to specifically re-enable it if you
wanted it.

-chris
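
Added example (not part of the original messages and not Tomcat project code): a small Python check that reads a server.xml and flags the two conditions discussed in this thread, a legacy protocol listed in sslEnabledProtocols and sslProtocol set to something other than "TLS". The sample server.xml, its port numbers, the function name audit_connectors and the rule for deciding that a connector is TLS-enabled are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Protocols this thread is trying to turn off.
LEGACY = {"SSLv3", "TLSv1"}

# Constructed sample, not the poster's real file: ports and layout are invented.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1"/>
  <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1.1,TLSv1.2"/>
</Service></Server>"""


def audit_connectors(server_xml):
    """Return (port, finding) tuples for TLS-enabled <Connector> elements."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Assumption: scheme="https" or SSLEnabled="true" marks a TLS connector.
        is_tls = (conn.get("scheme") == "https"
                  or conn.get("SSLEnabled", "").lower() == "true")
        if not is_tls:
            continue
        port = conn.get("port", "?")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            findings.append((port, "sslEnabledProtocols not set; "
                                   "enabled protocols fall back to defaults"))
        else:
            names = {p.strip() for p in enabled.split(",") if p.strip()}
            for legacy in sorted(names & LEGACY):
                findings.append((port, f"legacy protocol enabled: {legacy}"))
        # The reply above says to leave sslProtocol at its default, "TLS".
        proto = conn.get("sslProtocol", "TLS")
        if proto != "TLS":
            findings.append((port, f'sslProtocol="{proto}", expected "TLS"'))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE):
        print(f"connector {port}: {finding}")
```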