Re: cannot disable SSL v3 [SOLVED]
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Deepak, On 10/17/14 12:21 AM, dku...@ccilindia.co.in wrote: I have removed SSL [cipher] from my configuration. and its working. Please let me know is this correct way to solve this. I am running Tomcat 7.0.22 Connector port=443 maxThreads=150 scheme=https secure=true sslProtocol=TLS SSLEnabled=true ciphers= The OP said he was using APR. The above configuration does not appear to be for APR. The JSSE implementation of SSL has no problem with the various flavors of TLS, provided that you use the documentation to determine the appropriate configuration. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJUQRpdAAoJEBzwKT+lPKRYuY8P/2ozjntnxl124rBD0dVWgGHh DQPtQnuE8JQlZA4uncGXYqlwVwDG+7KEy5TYo2Zy1O1Qh2JwDDKXssJN9jTYeerF brNCTUbyN0vhFJbOH9dRkBEpjHQITmN56khOOx/M9tKRuX6ExxNmw0kGLJ8x0hRb eVkwryyFvFKrLssLelJPn7V/bixk1kaimyE7fmOOwR4EJMC9u1wIFosfd2Z3U3i3 Ud6nBZxIKHHs+Afv9Fr4qgQzRFhqFyA1bgIT2U4sl1nj2lU57kYQX+E1xvKo9LsU 78ldMf/r5NeY416Me+uAlRTI3XmCosyu9jdanBcNEui/uNl27JDO4RiHuhjCn5Ug 5+J6rkxYtKwFsuE4dx72Wxmpj5DYQ+jpLV/nmckjal9Iu8S2JM4GXMzAF0CafsAz 3/YRB2Rwnz1FvFfAIh44brmyoPsWrj/2rpFSyN7tQp/fjbL89GxqDhNaQ7L7v1FM syt5bspLsyxukyaGp3V/1hyslgqZVip3Aqf0M0lpgRoToUp2XQ9zEOiOslwD1zwg vSDktZAjOGsHJrr91DfC4+1Ekd3jDPpbwbH4bxDJTjL8Rg9bR/S/rWGWNukAS829 B1tnyQ0l1H6zaU49vIQuHWL+SnAoHCHw6Fha3IglS7nIrFSutx/+Wlqv7j7SpJ7G lQq98Ei/6wjavXV6LmdW =fxqH -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: cannot disable SSL v3 [SOLVED]
I believe some village somewhere was missing somebody :) Reading the tomcat/apr doc (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support) , I found that I have to use SSLProtocol instead of sslProtocol. After making that change, SSLv3 disappear. Thanks, Vu On 10/16/2014 08:32 AM, vu pham wrote: All, I am running tomcat 7.0.26 with APR on RHEL 5.10 (x86_64) . My server.xml 's configuration for the https connector is as follows: Connector port=443 protocol=HTTP/1.1 SSLEnabled=true maxThreads=150 scheme=https secure=true clientAuth=false sslProtocol=TLSv1 SSLCertificateKeyFile=/u01/apache-tomcat-7.0.26/conf/servey_xxx.key SSLCertificateFile=/u01/apache-tomcat-7.0.26/conf/server_xxx.crt SSLCACertificateFile=/u01/apache-tomcat-7.0.26/conf/SSL123_CA_Bundle.pem / I also tried sslProtocol with different values of TLS, TLSv1.1, and TLSv1.2, but the ssl tests such the ones from SSLLabs or Thawte claim that my server still has SSLv3 enabled. Any advice is greatly appreciated. Thanks, Vu - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: cannot disable SSL v3 [SOLVED]
On 10/16/2014 2:38 PM, Vu Pham wrote: I believe some village somewhere was missing somebody :) Reading the tomcat/apr doc (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support) , I found that I have to use SSLProtocol instead of sslProtocol. Tomcat's case-sensitivity has bitten me more than once! After making that change, SSLv3 disappear. Thanks, Vu On 10/16/2014 08:32 AM, vu pham wrote: All, I am running tomcat 7.0.26 with APR on RHEL 5.10 (x86_64) . My server.xml 's configuration for the https connector is as follows: Connector port=443 protocol=HTTP/1.1 SSLEnabled=true maxThreads=150 scheme=https secure=true clientAuth=false sslProtocol=TLSv1 SSLCertificateKeyFile=/u01/apache-tomcat-7.0.26/conf/servey_xxx.key SSLCertificateFile=/u01/apache-tomcat-7.0.26/conf/server_xxx.crt SSLCACertificateFile=/u01/apache-tomcat-7.0.26/conf/SSL123_CA_Bundle.pem / I also tried sslProtocol with different values of TLS, TLSv1.1, and TLSv1.2, but the ssl tests such the ones from SSLLabs or Thawte claim that my server still has SSLv3 enabled. Any advice is greatly appreciated. Thanks, Vu - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: cannot disable SSL v3 [SOLVED]
Hello all, I have removed SSL cypher from my configuration. and its working. Please let me know is this correct way to solve this. I am running Tomcat 7.0.22 Connector port=443 maxThreads=150 scheme=https secure=true sslProtocol=TLS SSLEnabled=true ciphers= Thanks and regards Deepak On 10/16/2014 2:38 PM, Vu Pham wrote: I believe some village somewhere was missing somebody :) Reading the tomcat/apr doc (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support) , I found that I have to use SSLProtocol instead of sslProtocol. Tomcat's case-sensitivity has bitten me more than once! After making that change, SSLv3 disappear. Thanks, Vu On 10/16/2014 08:32 AM, vu pham wrote: All, I am running tomcat 7.0.26 with APR on RHEL 5.10 (x86_64) . My server.xml 's configuration for the https connector is as follows: Connector port=443 protocol=HTTP/1.1 SSLEnabled=true maxThreads=150 scheme=https secure=true clientAuth=false sslProtocol=TLSv1 SSLCertificateKeyFile=/u01/apache-tomcat-7.0.26/conf/servey_xxx.key SSLCertificateFile=/u01/apache-tomcat-7.0.26/conf/server_xxx.crt SSLCACertificateFile=/u01/apache-tomcat-7.0.26/conf/SSL123_CA_Bundle.pem / I also tried sslProtocol with different values of TLS, TLSv1.1, and TLSv1.2, but the ssl tests such the ones from SSLLabs or Thawte claim that my server still has SSLv3 enabled. Any advice is greatly appreciated. Thanks, Vu - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Disclaimer and confidentiality clause - This message and any attachments relating to official business of CCIL OR ANY OF IT'S SUBSIDIARIES is proprietary to CCIL and intended for the original addressee only. The message may contain information that is confidential and subject to legal privilege. Any views expressed in this message are those of the individual sender. If you have received this message in error, please notify the original sender immediately and destroy the message and copies thereof and any attachments contained in it . If you are not the intended recipient of this message, you are hereby notified that you must not disseminate, copy, use, distribute, or take any action in connection therewith. CCIL cannot ensure that the integrity of this communication has been maintained nor that it is free of errors, viruses, interception and/or interference. CCIL is not liable whatsoever for loss or damage resulting from the opening of this message and/or attachments and/or the use of the information contained in this message and/or attachments.