On 6/20/2017 4:34 PM, Marc Dorsa wrote:
> Hi Tomcat Users,
>
> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A
> 3rd-party component of our product requires SSLv3 and there's no getting
> around it!) Our Tomcat is running on a custom Linux distribution based on
> Centos 7, and we're running Java 1.8.0_131. Note that I've already (and
> correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is
> correctly enabled when running our existing Tomcat 7.0.47. My guess is that
> I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat
> documentation
> (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I
> read it, seems to say that simply setting the "protocols" attribute of the
> SSLHostConfig element to include "SSLv3" should do the job.
>
> Thank you in advance for any help offered!
> Marc
>
> ----------------------------------------------
> Here is the server.xml file that correctly enables SSLv3 for Tomcat 7.0.47:
> <?xml version='1.0' encoding='utf-8'?> <Server port="8005"
> shutdown="SHUTDOWN">
> <Service name="Tomcat-Standalone">
> <Connector port="80" protocol="HTTP/1.1" enableLookups="false"
> redirectPort="443" server=" "
> acceptCount="100" connectionTimeout="660000"
> disableUploadTimeout="true" />
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
> enableLookups="false" acceptCount="100"
> scheme="https" secure="true" connectionTimeout="660000"
> disableUploadTimeout="true" server=" "
> ciphers="SSL_RSA_WITH_RC4_128_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA"
> clientAuth="false" sslProtocol="TLS"
> keystoreFile="/etc/.keystore" >
>
> </Connector>
> <Engine name="Standalone" defaultHost="MyHostName">
> <Host name="MyHostName" appBase="webapps"
> unpackWARs="true" autoDeploy="true">
> <Context path="" docBase="ROOT" allowLinking="true">
> <Resources
> className="org.apache.naming.resources.FileDirContext" allowLinking="true"
> docBase="" />
> </Context>
> </Host>
> </Engine>
> </Service>
> </Server>
>
> Here are the scan results showing that SSLv3 is indeed enabled (and our
> 3rd-party component works correctly):
> # ./cipherscan MyHostName:443
> prio ciphersuite protocols pfs_keysize
> 1 DHE-DSS-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
> 2 EDH-DSS-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
>
> ----------------------------------------------
> And here is the server.xml file that, unfortunately, does *not* enable SSLv3
> for Tomcat 8.5.15:
> <?xml version='1.0' encoding='utf-8'?> <Server port="8005"
> shutdown="SHUTDOWN">
> <Service name="Tomcat-Standalone">
> <Connector port="80" protocol="HTTP/1.1" enableLookups="false"
> redirectPort="443" server=" "
> acceptCount="100" connectionTimeout="660000"
> disableUploadTimeout="true" />
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
> enableLookups="false" acceptCount="100"
> scheme="https" secure="true" connectionTimeout="660000"
> disableUploadTimeout="true" server=" ">
> <SSLHostConfig protocols="+SSLv3, +TLSv1, +TLSv1.1, +TLSv1.2"
> ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
> SSL_DHE_RSA_WITH_DES_CBC_SHA">
> <Certificate certificateKeystoreFile="/etc/.keystore"
> certificateKeystoreType="JKS" certificateKeystorePassword="changeit" />
> </SSLHostConfig>
>
> </Connector>
> <Engine name="Standalone" defaultHost="MyHostName">
> <Host name="MyHostName" appBase="webapps"
> unpackWARs="true" autoDeploy="true">
> <Context path="" docBase="ROOT">
> <Resources allowLinking="true" />
> </Context>
> </Host>
> </Engine>
> </Service>
> </Server>
>
> Here are the scan results showing that SSLv3 is *not* enabled (and our
> 3rd-party component does *not* work):
> # ./cipherscan MyHostName:443
> prio ciphersuite protocols pfs_keysize
> 1 DHE-DSS-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
> 2 EDH-DSS-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
>
> Here is Tomcat's logging at startup (notice the SSLv3 warning):
> ..
> Tomcat started.
> -sh-4.2# Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-nio-80"]
> Jun 20, 2017 3:38:06 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
> INFO: Using a shared selector for servlet write/read
> Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["https-jsse-nio-443"]
> Jun 20, 2017 3:38:07 PM org.apache.tomcat.util.net.SSLUtilBase getEnabled
> WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[SSLv3]]
> ..
I've not done this so I'm sure that someone will quickly correct me if I'm wrong.

I'm basing my answer on the following mailing list thread:

http://marc.info/?t=149330464700008&r=1&w=2

It seems from the logs that you are using the https-jsse-nio connector.

It appears that you should list all of your desired protocols with a plus separating them (and no comma). Something like this (if I'm reading Mark Thomas's answer correctly):

protocols="+SSLv3+TLSv1+TLSv1.1+TLSv1.2"

Again, if I'm misreading the thread (and the question), I hope to be corrected shortly. However, read the thread above and see if that doesn't solve your problem.

. . . just my two cents
/mde/

Thanks Mark, but I had already tried that syntax (along with similar variations just in case)...and no dice!
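An added check for the situation in this thread (my code, not from the thread, the Tomcat project or cipherscan): it reads the SSLHostConfig protocols attribute from a server.xml fragment, evaluates the +/- token grammar the way the Tomcat 8.5 documentation describes it (my reading, with the expansion of the "all" keyword assumed), and subtracts whatever the SSLUtilBase startup warning reports as skipped, so the effective protocol set can be compared with the protocols column cipherscan shows. The function names and the sample XML and log line are mine, constructed from what is quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the HTTPS connector from the Tomcat 8.5.15 server.xml
# quoted in the thread, cut down to the attributes this check reads.
SERVER_XML = """<Server><Service name="Tomcat-Standalone">
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true">
  <SSLHostConfig protocols="+SSLv3, +TLSv1, +TLSv1.1, +TLSv1.2" />
</Connector></Service></Server>"""

# Constructed sample: the SSLUtilBase startup warning quoted in the thread.
TOMCAT_LOG = ("WARNING: Some of the specified [protocols] are not supported by "
              "the SSL engine and have been skipped: [[SSLv3]]")

# Expansion of the "all" keyword; assumed for 8.5, check your version's docs.
ALL_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}

def expand_protocols(value):
    """Evaluate the protocols attribute left to right: tokens split on ',' or
    '+', '+' adds, '-' removes, 'all' is the default set (per the 8.5 docs)."""
    enabled = set()
    for token in re.split(r"(?=[-+,])", value):
        token = token.strip().lstrip(",").strip()
        op, name = ("+", token)
        if token and token[0] in "+-":
            op, name = token[0], token[1:].strip()
        if not name:  # separator-only token such as ", "
            continue
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = (enabled | names) if op == "+" else (enabled - names)
    return enabled

def configured_protocols(server_xml):
    """Map each SSL connector port to the protocol set its SSLHostConfig requests."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): expand_protocols(h.get("protocols", "all"))
            for c in root.iter("Connector") for h in c.findall("SSLHostConfig")}

def skipped_by_engine(log_text):
    """Protocols the SSLUtilBase warning says the JSSE engine dropped."""
    m = re.search(r"have been skipped: \[\[([^\]]*)\]\]", log_text)
    return {p.strip() for p in m.group(1).split(",")} if m else set()

def effective_protocols(server_xml, log_text):
    """Configured minus skipped: what the connector can actually negotiate."""
    skipped = skipped_by_engine(log_text)
    return {port: protos - skipped
            for port, protos in configured_protocols(server_xml).items()}
```

For the thread's configuration and log line this yields {"443": {"TLSv1", "TLSv1.1", "TLSv1.2"}}, which matches the second cipherscan run, so the attribute was parsed as written and the protocol was dropped by the JSSE engine rather than by the server.xml syntax.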