Thu, Mar 09, at 09:19:PM : Bill Barker has proclaimed:
> "Jeff Krug" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > Is there a way to disallow the SSL 3.0 protocol?
> >
>
> protocols="TLS" on the <Connector /> tag.
I added this, but it did not seem to alter the behavior. Here is my
connector tag:
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" protocols="TLS"
keystoreType="PKCS12"
keystoreFile="Path:\MyKeyStore.p12"
keystorePass="######"
/>
I can still connect using the SSL 3.0 protocol. I don't see a protocols
option listed anywhere in the Tomcat docs on Apache.org either. Should
this work?
I am testing this with openssl on a Linux machine with this command:
$openssl s_client -ssl3 -connect My_Tomcat_Hostname:443
<cut all the certificate passing>
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 512 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: <snipped for length>
Session-ID-ctx:
Master-Key: <snipped for length>
Key-Arg : None
Start Time: 1142004945
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
When I don't force the client on the Linux side to request ssl3, the
protocol specified above is TLSv1 as I want.
It seems like most products kind of blur the boundaries between TLS and
SSL3 (for example that first line above says TLSv1/SSLv3 as if they are
the same thing). I guess they are nearly identical, but unfortunately
I still need to figure this out.
Any further ideas for what I can try?
Thanks,
Jeff Krug
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
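An added example, not code from Jeff's or Bill's messages: a small Python script that runs the same `openssl s_client -ssl3` probe shown above and parses its output. It embeds two constructed transcripts (one mirroring the accepted session quoted in the post, one showing a refused handshake) to illustrate why checking the `Protocol : SSLv3` line alone is not enough; the `probe_sslv3` helper assumes an openssl build that still accepts `-ssl3`.

```python
import re
import subprocess

# Constructed sample: tail of `openssl s_client -ssl3 -connect host:443`
# for a server that still accepts SSLv3 (mirrors the output quoted above).
ACCEPTED = """\
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 512 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: <snipped>
---
"""

# Constructed sample: what s_client prints when the server refuses SSLv3.
# The session block still says "Protocol : SSLv3" because that is what the
# client offered, but no cipher was negotiated, so a grep for the Protocol
# line alone would report a false positive.
REFUSED = """\
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
---
"""

def negotiated(output):
    """Return (protocol, cipher) if a session was established, else None."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if not proto or not cipher:
        return None
    # A failed handshake leaves the cipher as 0000 / (NONE): no real session.
    if cipher.group(1) in ("0000", "(NONE)"):
        return None
    return proto.group(1), cipher.group(1)

def sslv3_still_enabled(output):
    """True only when the forced -ssl3 probe completed a handshake."""
    session = negotiated(output)
    return session is not None and session[0] == "SSLv3"

def probe_sslv3(host, port=443, timeout=15):
    """Run the probe from the post against a live host (hypothetical helper)."""
    cmd = ["openssl", "s_client", "-ssl3", "-connect", f"{host}:{port}"]
    res = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return sslv3_still_enabled(res.stdout.decode(errors="replace"))
```

Run `probe_sslv3("My_Tomcat_Hostname")` after changing the connector; it should return False once SSLv3 is really disabled.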