Re: How-to disable SSL V3 on Tomcat 6.0.18.0

2015-02-01 Thread Christopher Schultz

Jimmy,

On 1/31/15 10:13 AM, Jammy Chen wrote:
 Hello Jason, Chris,
 
 Thanks for your answer and replying.
 
 I actually already tried that solution linked in the page 
 https://access.redhat.com/solutions/1232233. but it does not work
 at all.
 
 <Connector port="8443"
 protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
 SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
 sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

How about protocols instead of sslProtocols?

 Yes, this is a common problem whatever the Tomcat version is. SSL V3
 is not safe any more; however, newer Tomcat has a ready
 configuration/solution for disabling V3. Since I am still on an old
 version, I am looking for a solution for Tomcat/6.0.18, but
 no luck until now.

I'm not sure why it's not disabling SSLv3 for you, but another option
is to remove all of the ciphers that use CBC.

There are a lot of other bad things in 6.0.18 and, probably, the
versions of Java being used in these places. The proper mitigation is
to upgrade, not to try to configure-around the problem.

-chris

 2015-01-30 22:28 GMT+08:00 Christopher Schultz
 ch...@christopherschultz.net
 :
 
 Jason,
 
 On 1/30/15 4:32 AM, Jason Y wrote:
 Please refer to https://access.redhat.com/solutions/1232233
 
 This link is /slightly/ out of date, in that it is missing
 more-recent information (i.e. support for TLSv1.1 and TLSv1.2 in
 tcnative versions after 1.1.21).
 
 By the way, why would you disable SSL? What is your current 
 problem? I may have the same problem with tomcat 7.0.55...
 
 
 https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

  -chris
 
 -

 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 
 



Re: How-to disable SSL V3 on Tomcat 6.0.18.0

2015-01-31 Thread Jammy Chen
Hello Jason, Chris,

Thanks for your answer and replying.

I actually already tried that solution linked in the page
https://access.redhat.com/solutions/1232233. but it does not work at all.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
   clientAuth="false" sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />


Yes, this is a common problem whatever the Tomcat version is. SSL V3 is not
safe any more; however, newer Tomcat has a ready configuration/solution for
disabling V3. Since I am still on an old version, I am looking for a solution
for Tomcat/6.0.18, but no luck until now.


2015-01-30 22:28 GMT+08:00 Christopher Schultz ch...@christopherschultz.net
:


 Jason,

 On 1/30/15 4:32 AM, Jason Y wrote:
  Please refer to https://access.redhat.com/solutions/1232233

 This link is /slightly/ out of date, in that it is missing more-recent
 information (i.e. support for TLSv1.1 and TLSv1.2 in tcnative versions
 after 1.1.21).

  By the way, why would you disable SSL? What is your current
  problem? I may have the same problem with tomcat 7.0.55...


 https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

 -chris




Re: How-to disable SSL V3 on Tomcat 6.0.18.0

2015-01-30 Thread Christopher Schultz

Jason,

On 1/30/15 4:32 AM, Jason Y wrote:
 Please refer to https://access.redhat.com/solutions/1232233

This link is /slightly/ out of date, in that it is missing more-recent
information (i.e. support for TLSv1.1 and TLSv1.2 in tcnative versions
after 1.1.21).

 By the way, why would you disable SSL? What is your current
 problem? I may have the same problem with tomcat 7.0.55...

https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

-chris



Re: How-to disable SSL V3 on Tomcat 6.0.18.0

2015-01-30 Thread Jason Y
Hi Jammy,

Please refer to https://access.redhat.com/solutions/1232233

When using Tomcat with the JSSE connectors, the SSL protocol to be used can
be configured via $TOMCAT_HOME/conf/server.xml. The following example shows
how the sslProtocol in an https connector is configured.

Tomcat 5 and 6 (prior to 6.0.38)

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
   clientAuth="false" sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

Tomcat 6 (6.0.38 and later) and 7

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
   clientAuth="false" sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

If the sslEnabledProtocols or sslProtocols attributes are specified, only
protocols that are listed and supported by the SSL implementation will be
enabled. If not specified, the JVM default is used. The permitted values
may be obtained from the JVM documentation for the allowed values for
algorithm when creating an SSLContext instance e.g. Oracle Java 6 and
Oracle Java 7.

By the way, why would you disable SSL? What is your current problem? I may
have the same problem with tomcat 7.0.55...

On Fri, Jan 30, 2015 at 2:44 PM, Terence M. Bandoian tere...@tmbsw.com
wrote:

 On 1/29/2015 10:02 AM, Jammy Chen wrote:

 Hello Chuck,

 Thanks for replying, I understood this is old, our product has already
 upgraded to latest version, but somehow, some of our users are still in
 such old stage, they do not plan uptake now but they want disable SSL V3
 as everybody know this is big security vulnerability.


 *so now the important thing is how I can disable SSL V3 on Tomcat
 6.0.18.0?
 I cannot find the solution*

 Jammy

 2015-01-29 22:00 GMT+08:00 Caldarale, Charles R 
 chuck.caldar...@unisys.com
 :

  From: Jammy Chen [mailto:jamm...@gmail.com]
 Subject: How-to disable SSL V3 on Tomcat 6.0.18.0
 Do everybody knows how-to disable SSL v3 in older tomcat version
 Server version: Apache Tomcat/6.0.18
 Server built:   Jul 22 2008 02:00:36

 Yes - move up to a current level and read the docs.

 Seriously, if you're using a Tomcat of that vintage (this one is more
 than 6.5 years old), you have a lot more security issues to worry about
 than SSLv3.  It's irresponsible not to upgrade.

  OS Name:Windows 2003

 A few months from end-of-life.

  JVM Version:1.6.0-b105

 Two years past end-of-life.

 Is there a pattern here?

   - Chuck



 Hi, Jammy-

 I'd suggest downloading Tomcat 6.0.18 which includes the then-current
 documentation.

 -Terence Bandoian







How-to disable SSL V3 on Tomcat 6.0.18.0

2015-01-29 Thread Jammy Chen
Hello team,



Does everybody know how to disable SSL v3 in an older Tomcat version? I have
tried a variety of solutions, including sslProtocols or sslEnabledProtocols,
but both did not work well. The Firefox I am using to test has only TLS 1
selected, and the result is that I was not able to access the site.



<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocols = "TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="keystore.jks"
           keystorePass="a123"
           keyAlias="sslkey" />



Below is the server information:

Server version: Apache Tomcat/6.0.18
Server built:   Jul 22 2008 02:00:36
Server number:  6.0.18.0
OS Name:        Windows 2003
OS Version:     5.2
Architecture:   x86
JVM Version:    1.6.0-b105
JVM Vendor:     Sun Microsystems Inc


Thanks


Re: How-to disable SSL V3 on Tomcat 6.0.18.0

2015-01-29 Thread Christopher Schultz

Jammy,

On 1/29/15 11:02 AM, Jammy Chen wrote:
 Thanks for replying, I understood this is old, our product has
 already upgraded to latest version, but somehow, some of our users
 are still in such old stage, they do not plan uptake now but they
 want disable SSL V3 as everybody know this is big security
 vulnerability.
 
 *so now the important thing is how I can disable SSL V3 on Tomcat
 6.0.18.0? I cannot find the solution*

Okay, here's the deal: from your perspective, the documentation on
Tomcat's site is all out-of-date (into the future) because you (or
your customers) are using an ancient version of Tomcat.

The best solution is to tell your customers that you don't support
your own product on that version of Tomcat any longer. I love that
line of crap when it works to my advantage. Anyhow...

The sslEnabledProtocols configuration attribute was added in Tomcat
6.0.38, well after your 6.0.18 version. Before that, it was called
sslProtocols and/or protocols. Give those a try.

(Also, there was a bug in the NIO HTTPS connector specifically that it
does not recognize the sslEnabledProtocols configuration attribute,
but that bug was introduced along with sslEnabledProtocols in 6.0.38
and fixed in 6.0.43, so the whole thing is moot as far as you are
concerned. The protocols attribute should work.)

I posted some code to this mailing list a while back that will probe a
server to discover the types of connections and ciphers it will
accept. When you configure your server, consider trying that to see
what kinds of connections are possible. Note that it's limited to what
version of Java you are using *for the client* as well as the server.
So, with Java 1.6, you will not likely have TLS 1.2 available, and
many ciphers that the server may support under a newer JVM might not
be available in 1.6.

I would recommend running the latest Java version you can for the
client in this case, because it will be able to try the most options
against the server.

-chris
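
The probe mentioned in the message above is not reproduced in this thread. As an added example (not Chris's code and not part of the original thread), the Python below checks each protocol version by sending a hand-built ClientHello, so the result does not depend on which protocols the client's own TLS library still supports. The function names, the suite list and the default port 8443 (taken from the Connector in the thread) are assumptions of this example; a server whose ciphers all fall outside the suite list shows as rejected for every version.

```python
import os
import socket
import struct

# Protocol names as used in the thread, mapped to their wire version bytes.
VERSIONS = {"SSLv3": (3, 0), "TLSv1": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
# Assumed suite list: long-standing RSA/DHE/ECDHE suites (AES-CBC, 3DES-CBC, RC4).
SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0033, 0x0039, 0xC013, 0xC014)


def build_client_hello(name):
    """Return one TLS record holding a minimal ClientHello (no extensions)."""
    ver = bytes(VERSIONS[name])
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (ver + os.urandom(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + ver + struct.pack("!H", len(handshake)) + handshake


def classify_response(data, name):
    """Interpret the first bytes of the server's reply to build_client_hello(name)."""
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:   # ServerHello
        chosen = (data[9], data[10])                              # server_version
        return "accepted" if chosen == VERSIONS[name] else "lower"
    return "rejected"      # alert record (0x15), early close, or anything else


def probe(host, port=8443, timeout=5.0):
    """Map each protocol name to 'accepted', 'lower' or 'rejected'."""
    results = {}
    for name in VERSIONS:
        # Connection errors (server down, wrong port) propagate to the caller.
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = b""
            try:
                sock.sendall(build_client_hello(name))
                while len(data) < 11:
                    chunk = sock.recv(64)
                    if not chunk:
                        break
                    data += chunk
            except OSError:
                pass       # reset or timeout after connect counts as a rejection
            results[name] = classify_response(data, name)
    return results
```

Once the Connector change has taken effect, `probe("localhost")` should report `rejected` for SSLv3; `lower` means the server answered with an older version than the one offered.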



RE: How-to disable SSL V3 on Tomcat 6.0.18.0

2015-01-29 Thread Caldarale, Charles R
 From: Jammy Chen [mailto:jamm...@gmail.com] 
 Subject: How-to disable SSL V3 on Tomcat 6.0.18.0

 Do everybody knows how-to disable SSL v3 in older tomcat version

 Server version: Apache Tomcat/6.0.18
 Server built:   Jul 22 2008 02:00:36

Yes - move up to a current level and read the docs.

Seriously, if you're using a Tomcat of that vintage (this one is more than 6.5 
years old), you have a lot more security issues to worry about than SSLv3.  
It's irresponsible not to upgrade.

 OS Name:Windows 2003

A few months from end-of-life.

 JVM Version:1.6.0-b105

Two years past end-of-life.

Is there a pattern here?

 - Chuck





Re: How-to disable SSL V3 on Tomcat 6.0.18.0

2015-01-29 Thread Jammy Chen
Hello Chuck,

Thanks for replying. I understand this is old; our product has already
upgraded to the latest version, but somehow some of our users are still at
such an old stage. They do not plan to uptake now, but they want to disable
SSL V3, as everybody knows this is a big security vulnerability.


*so now the important thing is how I can disable SSL V3 on Tomcat 6.0.18.0?
I cannot find the solution*

Jammy

2015-01-29 22:00 GMT+08:00 Caldarale, Charles R chuck.caldar...@unisys.com
:

  From: Jammy Chen [mailto:jamm...@gmail.com]
  Subject: How-to disable SSL V3 on Tomcat 6.0.18.0

  Do everybody knows how-to disable SSL v3 in older tomcat version

  Server version: Apache Tomcat/6.0.18
  Server built:   Jul 22 2008 02:00:36

 Yes - move up to a current level and read the docs.

 Seriously, if you're using a Tomcat of that vintage (this one is more than
 6.5 years old), you have a lot more security issues to worry about than
 SSLv3.  It's irresponsible not to upgrade.

  OS Name:Windows 2003

 A few months from end-of-life.

  JVM Version:1.6.0-b105

 Two years past end-of-life.

 Is there a pattern here?

  - Chuck






Re: How-to disable SSL V3 on Tomcat 6.0.18.0

2015-01-29 Thread Terence M. Bandoian

On 1/29/2015 10:02 AM, Jammy Chen wrote:

Hello Chuck,

Thanks for replying, I understood this is old, our product has already
upgraded to latest version, but somehow, some of our users are still in
such old stage, they do not plan uptake now but they want disable SSL V3 as
everybody know this is big security vulnerability.


*so now the important thing is how I can disable SSL V3 on Tomcat 6.0.18.0?
I cannot find the solution*

Jammy

2015-01-29 22:00 GMT+08:00 Caldarale, Charles R chuck.caldar...@unisys.com
:


From: Jammy Chen [mailto:jamm...@gmail.com]
Subject: How-to disable SSL V3 on Tomcat 6.0.18.0
Do everybody knows how-to disable SSL v3 in older tomcat version
Server version: Apache Tomcat/6.0.18
Server built:   Jul 22 2008 02:00:36

Yes - move up to a current level and read the docs.

Seriously, if you're using a Tomcat of that vintage (this one is more than
6.5 years old), you have a lot more security issues to worry about than
SSLv3.  It's irresponsible not to upgrade.


OS Name:Windows 2003

A few months from end-of-life.


JVM Version:1.6.0-b105

Two years past end-of-life.

Is there a pattern here?

  - Chuck



Hi, Jammy-

I'd suggest downloading Tomcat 6.0.18 which includes the then-current 
documentation.


-Terence Bandoian

