All,

There have been some questions lately about how to re-enable SSLv3 on
Tomcat and I just went through the trouble of trying to get it to work
in my own environment for some protocol testing.

While there were a few bugs fixed over the past few months in Tomcat
vis-a-vis configuring which protocols should be enabled, etc., those
appear to be completely fixed.

But, when I first tried, I could not get Tomcat to use SSLv3. I tried
a few silly changes to configuration and nothing helped. It seems
Tomcat isn't the problem.

It turns out that Oracle has disabled SSLv3 in both Java 7 (in 7u75)
and Java 8 (in 8u31), and you have to do some work to re-enable it.

Java 7 release notes containing an explanation:
http://www.oracle.com/technetwork/java/javase/7u76-relnotes-2389087.html

Java 8 release notes containing an explanation:
http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html

The tl;dr is that if you create a java.security.properties file, you
can override the system configuration of this setting. First, create a
file that contains only the following:

=== CUT ===
jdk.tls.disabledAlgorithms=true
=== CUT ===

Now, add this to your CATALINA_OPTS (or other JVM invocation):

  -Djava.security.properties=/path/to/above/file

Now, you'll be able to use SSLv3 again. But, of course, you shouldn't
be using it, so why would you?

Also remember that the disabling of SSLv3 is for both server and
client sockets, so if you want to connect to a server using SSLv3,
you'll need to use the same trick to allow the /client/ to use SSLv3
as well as the server.

This is the part that confused me, because, since I was using a Java
client, my observations were that neither the JSSE-based nor the
OpenSSL-based connectors would "work" with SSLv3. The problem of
course was the client. Once I got that sorted, I was able to connect
to both.

To drive home the point: SSLv3 works without any of the foolishness
above if you are using the APR connector, because OpenSSL hasn't
disabled SSLv3 in general. Your OpenSSL provider (Linux distribution,
etc.) may determine that SSLv3 should be disabled, but that's another
matter.

Hope that helps,
-chris

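An added check, not part of Chris's message: a small Java program that reports what the running JVM will actually negotiate, so you can confirm whether the java.security.properties override took effect for your protocol testing and, more usefully, that SSLv3 stays off on every JVM that should not have it. The class and method names are my own; run it once plainly and once with -Djava.security.properties=/path/to/above/file and compare.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Reports whether this JVM will negotiate SSLv3 (hypothetical helper, not Tomcat code). */
public class Sslv3Check {

    /** Effective value of the security property the override file targets. */
    static String disabledAlgorithms() {
        String v = Security.getProperty("jdk.tls.disabledAlgorithms");
        return v == null ? "" : v;
    }

    /** Protocols a fresh SSLEngine would offer or accept; the same default
     *  context backs client and server sockets, so one check covers both. */
    static List<String> enabledProtocols() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        return Arrays.asList(engine.getEnabledProtocols());
    }

    /** True only if the JVM has SSLv3 in its enabled (not merely supported) set. */
    static boolean sslv3Negotiable() throws Exception {
        return enabledProtocols().contains("SSLv3");
    }

    public static void main(String[] args) throws Exception {
        String[] supported = SSLContext.getDefault()
                .getSupportedSSLParameters().getProtocols();
        System.out.println("jdk.tls.disabledAlgorithms = " + disabledAlgorithms());
        System.out.println("supported protocols        = " + Arrays.toString(supported));
        System.out.println("enabled protocols          = " + enabledProtocols());
        System.out.println("SSLv3 negotiable?          = " + sslv3Negotiable());
    }
}
```

On a stock 7u75/8u31 JVM the first line should show SSLv3 in the disabled list and the last line should print false; if it prints true on a production host, that host is carrying an override it should not have.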