Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.
The "Security/POODLE" page has been changed by KonstantinKolinko: https://wiki.apache.org/tomcat/Security/POODLE?action=diff&rev1=1&rev2=2 Comment: Add note on sslEnabledProtocols for Tomcat 6. Add configuration for Apr connector. Disabling SSL v3 on either client side or server side will mitigate this vulnerability. + === JSSE-based connectors (Bio, Nio, Nio2) === + - To disable SSL v3, and enable all TLS protocols plus SSLv2Hello pseudo-protocol on JSSE connectors add the following attributes to your connector configuration in server.xml: + To disable SSL v3, and enable all TLS protocols on JSSE connectors add the following attributes to your HTTPS connector configuration in server.xml: + + sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" + + The same, plus SSLv2Hello pseudo-protocol: sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" - - The same thing could be done on APR connector using following attributes: - TODO + Notes: + * Allowed values for ''sslEnabledProtocols'' attribute may be found in JVM documentation as the values for method `SSLSocket.setEnabledProtocols()`. Links to Oracle JDK documentation: [[http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames|Java 7]], [[http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#jssenames|Java 8]]. + * In old versions of Tomcat 6 the name of configuration attribute for Bio connector was ''protocols''. It is ''sslEnabledProtocols'' since Tomcat 6.0.39 onwards. + * The ''sslEnabledProtocols'' attribute has no effect on Nio connector in Tomcat 6.0.39 - 6.0.41 because of [[https://issues.apache.org/bugzilla/show_bug.cgi?id=57102|bug 57102]]. It will be fixed in 6.0.43. 
+ + === APR-based connector (Apr) === + + To disable SSL v3, and enable TLSv1 protocol on APR connector add the following attribute to your HTTPS connector configuration in server.xml: + + SSLProtocol="TLSv1" + + To enable TLSv1, TLSv1.1, TLSv1.2 protocols the setting will be the following - ('''Note''': the "TLSv1.1", "TLSv1.2" values require Tomcat Native 1.1.32 and a version of Tomcat that supports it. Those have not yet been released at the time of this writing, but are expected soon. See [[https://issues.apache.org/bugzilla/show_bug.cgi?id=53952|bug 53952]] for progress): + + SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" == On-line testing tools == --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
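Review bot: The Nio note in the JSSE section leaves Tomcat 6.0.39 - 6.0.41 users without an actionable mitigation: it says `sslEnabledProtocols` has no effect on Nio because of bug 57102 and "will be fixed in 6.0.43", but does not say what to do in the meantime. Suggest adding an explicit sentence that on those versions the Nio connector still accepts SSLv3 regardless of this setting, so the operator must upgrade once 6.0.43 is out or switch that connector to Bio (where the attribute works) until then. In the APR section, the first example `SSLProtocol="TLSv1"` should state that it restricts the connector to TLS 1.0 only, since the "TLSv1.1"/"TLSv1.2" values need the not-yet-released Tomcat Native 1.1.32 per bug 53952; readers should understand that this trades away TLS 1.1/1.2 support, not just SSLv3. Finally, the removed "TODO" line is now replaced, but the JSSE section still lists the two `sslEnabledProtocols` variants without saying why one would add `SSLv2Hello`; a short pointer to the Java 7/8 StandardNames links already cited would make the choice clear.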