Hi Tomcat Users,

I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A 3rd-party component of our product requires SSLv3 and there's no getting around it!) Our Tomcat is running on a custom Linux distribution based on CentOS 7, and we're running Java 1.8.0_131. Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47. My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support), as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
Thank you in advance for any help offered!

Marc

----------------------------------------------

Here is the server.xml file that correctly enables SSLv3 for Tomcat 7.0.47:

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="80" protocol="HTTP/1.1" enableLookups="false"
               redirectPort="443" server=" " acceptCount="100"
               connectionTimeout="660000" disableUploadTimeout="true" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               enableLookups="false" acceptCount="100" scheme="https"
               secure="true" connectionTimeout="660000"
               disableUploadTimeout="true" server=" "
               ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/.keystore" >
    </Connector>
    <Engine name="Standalone" defaultHost="MyHostName">
      <Host name="MyHostName" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Context path="" docBase="ROOT" allowLinking="true">
          <Resources className="org.apache.naming.resources.FileDirContext"
                     allowLinking="true" docBase="" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>

Here are the scan results showing that SSLv3 is indeed enabled (and our 3rd-party component works correctly):

# ./cipherscan MyHostName:443
prio  ciphersuite           protocols                    pfs_keysize
1     DHE-DSS-AES128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
2     EDH-DSS-DES-CBC3-SHA  SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits

----------------------------------------------

And here is the server.xml file that, unfortunately, does *not* enable SSLv3 for Tomcat 8.5.15:

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="80" protocol="HTTP/1.1" enableLookups="false"
               redirectPort="443" server=" " acceptCount="100"
               connectionTimeout="660000" disableUploadTimeout="true" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               enableLookups="false" acceptCount="100" scheme="https"
               secure="true" connectionTimeout="660000"
               disableUploadTimeout="true" server=" ">
      <SSLHostConfig protocols="+SSLv3, +TLSv1, +TLSv1.1, +TLSv1.2"
                     ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA">
        <Certificate certificateKeystoreFile="/etc/.keystore"
                     certificateKeystoreType="JKS"
                     certificateKeystorePassword="changeit" />
      </SSLHostConfig>
    </Connector>
    <Engine name="Standalone" defaultHost="MyHostName">
      <Host name="MyHostName" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Context path="" docBase="ROOT">
          <Resources allowLinking="true" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>

Here are the scan results showing that SSLv3 is *not* enabled (and our 3rd-party component does *not* work):

# ./cipherscan MyHostName:443
prio  ciphersuite           protocols              pfs_keysize
1     DHE-DSS-AES128-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
2     EDH-DSS-DES-CBC3-SHA  TLSv1,TLSv1.1,TLSv1.2  DH,2048bits

Here is Tomcat's logging at startup (notice the SSLv3 warning):

..
Tomcat started.
-sh-4.2# Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-nio-80"]
Jun 20, 2017 3:38:06 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
INFO: Using a shared selector for servlet write/read
Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["https-jsse-nio-443"]
Jun 20, 2017 3:38:07 PM org.apache.tomcat.util.net.SSLUtilBase getEnabled
WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[SSLv3]]
..