Re: Disable SSLv3 & TLSv1.0 in Tomcat 7

2016-07-13 Thread Christopher Schultz

Varun,

On 7/8/16 2:16 AM, varun gulati wrote:
> Hello Team, Since past few days I have been struggling with
> disabling TLSv1.0 in my Tomcat configuration. Here is the content
> of my server.xml file. I was able to disable SSLv3, and things were
> working fine but somehow not able to disable TLSv1.0. Really
> appreciate your suggestions on how to resolve this vulnerability
> Disabled SSLv3 with below config:
>
> maxThreads="150" scheme="https" secure="true"
> keystoreFile="Keystore_Pathe" keystorePass="*"
> clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> ciphers="All Ciphers excluding RC4 Ciphers" />
>
> To disable TLSv1.0 I adopted to below config, fortunately it
> cleared the scans but my site broke on Https: Referred Link:
> http://tomcat.10.x6.nabble.com/How-to-allow-only-TLS-1-1-connections-to-Tomcat-6-0-server-with-https-td4995362.html
>
> maxThreads="150" scheme="https" secure="true"
> keystoreFile="Keystore_Pathe" keystorePass="*"
> clientAuth="false" sslProtocol="TLSv1.1"
> sslEnabledProtocols="TLSv1.1" ciphers="All Ciphers excluding RC4
> Ciphers"
> />
>
> Please help me identify if I am missing on anything.

You were very close. You need:

sslProtocol="TLS" (the default)

and

sslEnabledProtocols="TLSv1.1"
or
sslEnabledProtocols="TLSv1.1,TLSv1.2"

Note that using a recent version of Tomcat should already disable
SSLv3 by default... you'd have to specifically re-enable it if you
wanted it.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Disable SSLv3 & TLSv1.0 in Tomcat 7

2016-07-08 Thread varun gulati
Hello Team,
Since past few days I have been struggling with disabling TLSv1.0 in my Tomcat
configuration. Here is the content of my server.xml file. I was able to disable
SSLv3, and things were working fine but somehow not able to disable TLSv1.0.
Really appreciate your suggestions on how to resolve this vulnerability
Disabled SSLv3 with below
config:



To disable TLSv1.0 I adopted to below config, fortunately it cleared the scans
but my site broke on Https:
Referred Link:
http://tomcat.10.x6.nabble.com/How-to-allow-only-TLS-1-1-connections-to-Tomcat-6-0-server-with-https-td4995362.html

Please help me identify if I am missing on anything.

Thanks and Regards,
Varun Gulati