FYI: My testing was done on 7.0.50. But from reading the Bugzilla entry on the issue, it looks like we will need to wait on the next Tomcat 7 release. Checking the latest updates now, though.
> -----Original Message-----
> From: Mark Eggers [mailto:its_toas...@yahoo.com.INVALID]
> Sent: Thursday, October 16, 2014 11:30 AM
> To: Tomcat Users List
> Subject: Re: Disabling SSLv3 with Tomcat ARP/Native but still retaining support for TLS 1.1 and TLS 1.2
>
> On 10/16/2014 9:17 AM, Jeffrey Janner wrote:
> >
> >> -----Original Message-----
> >> From: Mark Eggers [mailto:its_toas...@yahoo.com.INVALID]
> >> Sent: Wednesday, October 15, 2014 11:57 AM
> >> To: Tomcat Users List
> >> Subject: Re: Disabling SSLv3 with Tomcat ARP/Native but still retaining support for TLS 1.1 and TLS 1.2
> >>
> >> John,
> >>
> >>> On Wednesday, October 15, 2014 6:20 AM, John Blaut <john.bl...@gmail.com> wrote:
> >>>
> >>>> When SSLv3 is enabled, it seems TLS1.1 and TLS 1.2 are supported however.
> >>>
> >>> It seems strange that the SSLv3 option controls the availability of TLS1.1 and TLS1.2.
> >>>
> >>> Now that SSLv3 is considered insecure and more people start to disable it, I suppose many on APR/Native will encounter the same issue. Is there any way to preserve TLS1.1 & TLS1.2 whilst disabling SSLv3?
> >>>
> >>> Regards
> >>>
> >>> John
> >>>
> >>
> >> From the Google blog post:
> >>
> >> "Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today."
> >>
> >> I run Apache HTTPD in front of Tomcat servers, so I think it will be possible to disable the second (CBC-mode ciphers with SSL 3.0). I haven't really read the APR/Native SSL configuration carefully enough to know if this is possible with Tomcat.
> >>
> >> As an aside, for the last 500K hits I've seen 37 requests that have used CBC-mode ciphers with SSLv3. At least for the sites I am concerned with, disabling this does not seem to have 'significant compatibility problems'.
> >>
> >
> > Mark,
> >
> > The APR connector does allow us to specify the list of supported ciphers with the SSLCipherSuite parameter and also allows us to specify that the list is in a preferred order with the SSLHonorCipherOrder parameter. The list I am currently using comes from the Mozilla Wiki (https://wiki.mozilla.org/Security/Server_Side_TLS), which offers 3 different lists based on the browser compatibility that one requires. You should be able to disable the CBC ciphers in the list that you choose. However, according to OpenSSL's own research (https://www.openssl.org/~bodo/ssl-poodle.pdf), this attack really leaves us with no secure cipher suites for SSL 3.0, so disabling SSLv3 is the way to go.
> >
> > The problem arises in the implementation of the APR connector in Tomcat. While the native library supports and implements all versions of TLS when the "all" setting is used, there is no way to specify that you only want all the TLS protocols. If you specify TLSv1, you will only get TLSv1.0, and not the two newer protocols, and if you try to use the usual "TLSv1+TLSv1.1+TLSv1.2" you get an error. And on top of this, if you utilize the "intermediate" list found on the Mozilla Wiki, you end up with a list of TLS-only ciphers, but tools like Qualys will still ding you for having SSLv3.0 turned on at all, and not look at the list of ciphers.
> >
> > Jeff
>
> Jeff,
>
> Thanks for pointing to the original research.
>
> . . .
> off to read SSL papers
>
> /mde/
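As an added illustration of the connector settings the thread is about (this is not configuration from the thread or from the Tomcat project), here is the shape of an APR/native HTTPS connector in server.xml, once with the setting Jeff describes as the problem and once with the TLS-only setting the thread says 7.0.50 rejects. The port, certificate paths and the cipher list are assumptions; the cipher list is a short illustrative one written for this example, not the Mozilla wiki list, and the second form assumes a Tomcat 7 / tcnative release that accepts the TLSv1.1 and TLSv1.2 keywords.

```xml
<!-- Added example; not taken from the thread or from Tomcat's own docs.
     Port, certificate paths and the cipher list are assumptions. -->

<!-- 1. The setting the thread describes as the problem. SSLProtocol="all"
        lets the native library negotiate SSLv3 alongside TLS 1.0/1.1/1.2.
        A TLS-oriented cipher list does not help: scanners flag that SSLv3
        is offered at all, regardless of which suites are enabled. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="${catalina.base}/conf/server.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/server.key"
           SSLProtocol="all"
           SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"
           SSLHonorCipherOrder="true" />

<!-- 2. The intended setting: TLS only, SSLv3 never offered. The thread
        reports that "TLSv1" alone yields only TLS 1.0 and that this
        combined value is rejected on 7.0.50, so it assumes a Tomcat 7 /
        tcnative release that understands the TLSv1.1 and TLSv1.2 keywords. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="${catalina.base}/conf/server.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/server.key"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"
           SSLHonorCipherOrder="true" />
```

To confirm what the connector actually negotiates rather than what the configuration appears to say, probe it with OpenSSL's client from another host: `openssl s_client -connect host:8443 -ssl3` should fail the handshake, while `-tls1`, `-tls1_1` and `-tls1_2` should each complete it. The SHA1 CBC suites are kept in the list so TLS 1.0 and 1.1 clients, which have no AEAD suites, can still connect; a TLS 1.2-only list would silently lock them out.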