Re: Cannot disable SSL v3

2014-10-20 Thread Ognjen Blagojevic

Deepak,

On 17.10.2014 19:13, dku...@ccilindia.co.in wrote:

> How can I know which protocols my JVM supports?
> We are using java1.7.0_40


Take a look at:

  https://wiki.apache.org/tomcat/Security/POODLE



> Please let us know if there is any turnaround in my server.xml configuration to
> disable SSL v3.


Please read carefully the above wiki entry, and what Chris already wrote,
and send us your updated connector configuration.


-Ognjen

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: cannot disable SSL v3 [SOLVED]

2014-10-17 Thread Christopher Schultz

Deepak,

On 10/17/14 12:21 AM, dku...@ccilindia.co.in wrote:
> I have removed SSL [cipher] from my configuration, and it's working.
> Please let me know if this is the correct way to solve this.
>
> I am running Tomcat 7.0.22 Connector port=443 maxThreads=150
> scheme=https secure=true sslProtocol=TLS  SSLEnabled=true
> ciphers=

The OP said he was using APR. The above configuration does not appear
to be for APR. The JSSE implementation of SSL has no problem with the
various flavors of TLS, provided that you use the documentation to
determine the appropriate configuration.

-chris



Cannot disable SSL v3

2014-10-17 Thread dkumar
Dear All,

Below is my configuration in server.xml file of tomcat 7.0.22. 

<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="443" maxHttpHeaderSize="8192" maxThreads="150"
           minSpareThreads="25" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           SSLEnabled="true" allowUnsafeLegacyRenegotiation="false"
           ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
           keystoreFile="***" keystorePass="***"
           server="">
   <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
            clientAuth="false" protocol="TLS"/>
</Connector>

I tried with below changes.
1. sslProtocol changed to SSLProtocol
2. Removed SSL_RSA_WITH_3DES_EDE_CBC_SHA cipher from ciphers 
3. sslProtocol =TLS changed to sslProtocol =TLSv1

But still unable to disable SSL v3
Any help will be appreciated.

Thanks and Regards
Deepak
Disclaimer and confidentiality clause -
 This message and any attachments relating to official business of CCIL OR ANY 
OF IT'S SUBSIDIARIES is proprietary to CCIL and intended for the original 
addressee only.
The message may contain information that is confidential and subject to legal 
privilege. 
Any views expressed in this message are those of the individual sender. 
If you have received this message in error, please notify the original sender 
immediately and destroy the message and copies thereof and any attachments 
contained in it .
 If you are not the intended recipient of this message, you are hereby notified 
that you must not disseminate, copy, use, distribute, or take any action in 
connection therewith. 
 CCIL cannot ensure that the integrity of this communication has been 
maintained nor that it is free of errors, viruses, interception and/or 
interference. 
CCIL is not liable whatsoever for loss or damage resulting from the opening of 
this message and/or attachments and/or the use of the information contained in 
this message and/or attachments.


Re: Cannot disable SSL v3

2014-10-17 Thread Christopher Schultz

Deepak,

On 10/17/14 11:58 AM, dku...@ccilindia.co.in wrote:
> Below is my configuration in server.xml file of tomcat 7.0.22.

Upgrade.

> Connector className
> =org.apache.catalina.connector.http.HttpConnector

No such class exists. Which connector are you actually using? A Java
connector or the native connector?

> port=443 maxHttpHeaderSize=8192 maxThreads=150
> minSpareThreads=25 enableLookups=false
> disableUploadTimeout=true acceptCount=100 scheme=https
> secure=true clientAuth=false sslProtocol=TLS

Use of sslProtocol indicates that you are using a Java connector.

> SSLEnabled=true allowUnsafeLegacyRenegotiation=false
>
> ciphers=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA

Use of ciphers indicates that you are using a Java connector.

Please see the documentation for the HTTP connector:
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

The sslProtocol attribute is documented to use JVM-defined strings.
You will need to see what protocols are supported by your JVM.

> keystoreFile=*** keystorePass=*** server=  Factory
> className=org.apache.catalina.net.SSLServerSocketFactory
> clientAuth=false protocol=TLS/

Why are you configuring an SSLServerSocketFactory here? I don't
believe that is even a valid configuration.

> /Connector
>
> I tried with below changes. 1. sslProtocol changed to SSLProtocol

sslProtocol is for Java connectors while SSLProtocol is for the native
connector.

> 2. Removed SSL_RSA_WITH_3DES_EDE_CBC_SHA cipher from ciphers

This configures a single cipher and not a protocol.

> 3. sslProtocol =TLS changed to sslProtocol =TLSv1
>
> But still unable to disable SSL v3

Did you restart? What were the results? How did you test?

-chris



Re: Cannot disable SSL v3

2014-10-17 Thread dkumar
Dear Chris

Thanks for your reply
How can I know which protocols my JVM supports?
We are using java1.7.0_40
I have tested with https://www.ssllabs.com/ssltest/index.html

Please let us know if there is any turnaround in my server.xml configuration to
disable SSL v3.


Thanks and Regards
Deepak









cannot disable SSL v3

2014-10-16 Thread vu pham

All,

I am running tomcat 7.0.26 with APR on RHEL 5.10 (x86_64). My
server.xml's configuration for the https connector is as follows:


<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLSv1"
           SSLCertificateKeyFile="/u01/apache-tomcat-7.0.26/conf/servey_xxx.key"
           SSLCertificateFile="/u01/apache-tomcat-7.0.26/conf/server_xxx.crt"
           SSLCACertificateFile="/u01/apache-tomcat-7.0.26/conf/SSL123_CA_Bundle.pem"
           />

I also tried sslProtocol with different values of TLS, TLSv1.1, and
TLSv1.2, but the SSL tests such as the ones from SSLLabs or Thawte claim
that my server still has SSLv3 enabled.


Any advice is greatly appreciated.

Thanks,
Vu




Re: cannot disable SSL v3 [SOLVED]

2014-10-16 Thread Vu Pham

I believe some village somewhere was missing somebody :)

Reading the tomcat/apr doc
(http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support),
I found that I have to use SSLProtocol instead of sslProtocol.


After making that change, SSLv3 disappeared.

Thanks,
Vu

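The two mistakes discussed in this thread, sslProtocol on an APR connector (ignored, because the native connector reads SSLProtocol, as Vu found) and, on a Java connector, expecting sslProtocol alone to turn off SSLv3 (Chris's point that it only names a JVM-defined SSLContext), can be caught by auditing server.xml before restarting. The following is an added example, not code from the thread or from Tomcat; it assumes the attribute names from the Tomcat 7 HTTP connector documentation linked above, including the JSSE attribute sslEnabledProtocols, which the thread itself does not name, and that an explicit protocol class containing "Apr" or "Nio" identifies the implementation; the sample server.xml is constructed.

```python
import xml.etree.ElementTree as ET

# Attribute names that belong to exactly one connector implementation (Tomcat 7 docs).
APR_ONLY = {"SSLProtocol", "SSLCipherSuite", "SSLCertificateFile",
            "SSLCertificateKeyFile", "SSLCACertificateFile"}
JSSE_ONLY = {"sslProtocol", "sslEnabledProtocols", "ciphers", "keystoreFile", "keystorePass"}

def connector_kind(attrs):
    """Guess the implementation: an explicit protocol class wins, else the attribute set."""
    proto = attrs.get("protocol", "HTTP/1.1")
    if "Apr" in proto:
        return "apr"
    if "Nio" in proto or "Http11Protocol" in proto:
        return "jsse"
    # protocol="HTTP/1.1" is APR only if tcnative is loaded (not visible here): use the attribute mix.
    apr, jsse = len(APR_ONLY & set(attrs)), len(JSSE_ONLY & set(attrs))
    return "apr" if apr > jsse else "jsse"

def audit_connector(attrs):
    """Return findings for one SSLEnabled="true" connector's attribute dict."""
    findings = []
    if connector_kind(attrs) == "apr":
        if "sslProtocol" in attrs:
            findings.append("APR ignores sslProtocol (case matters): use SSLProtocol")
        if "SSLProtocol" not in attrs:
            findings.append("APR default SSLProtocol is 'all', so SSLv3 stays enabled")
    else:
        if "SSLProtocol" in attrs:
            findings.append("JSSE ignores SSLProtocol: use sslProtocol/sslEnabledProtocols")
        if "sslEnabledProtocols" not in attrs:
            findings.append('JSSE: sslProtocol only picks the SSLContext; add '
                            'sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to drop SSLv3')
    return findings

def audit_server_xml(xml_text):
    """Map port -> findings for every SSLEnabled="true" connector in server.xml."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_connector(c.attrib)
            for c in root.iter("Connector") if c.get("SSLEnabled") == "true"}

# Constructed sample: an APR-style and a JSSE-style connector modelled on the thread.
SAMPLE = """<Server><Service>
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="TLSv1"
  SSLCertificateKeyFile="/path/to/key" SSLCertificateFile="/path/to/crt"/>
<Connector port="8443" SSLEnabled="true" sslProtocol="TLS" keystoreFile="***"
  ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""

if __name__ == "__main__":
    print(audit_server_xml(SAMPLE))
```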



Re: cannot disable SSL v3 [SOLVED]

2014-10-16 Thread David kerber

On 10/16/2014 2:38 PM, Vu Pham wrote:
> I believe some village somewhere was missing somebody :)
>
> Reading the tomcat/apr doc
> (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support),
> I found that I have to use SSLProtocol instead of sslProtocol.

Tomcat's case-sensitivity has bitten me more than once!







Re: cannot disable SSL v3 [SOLVED]

2014-10-16 Thread dkumar
Hello all,

I have removed the SSL cipher from my configuration, and it's working.
Please let me know if this is the correct way to solve this.

I am running Tomcat 7.0.22
 Connector port=443 maxThreads=150 
scheme=https secure=true
sslProtocol=TLS  SSLEnabled=true
ciphers=

Thanks and regards
Deepak





