-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Wednesday, June 21, 2017 2:31 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Problem enabling SSLv3 in Tomcat 8.5.15

On 21/06/17 19:04, Marc Dorsa wrote:
>> Hi Tomcat Users,
>> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15.  (A 
>> 3rd-party component of our product requires SSLv3 and there's no getting 
>> around it!)  Our Tomcat is running on a custom Linux distribution based on 
>> Centos 7, and we're running Java 1.8.0_131.  Note that I've already (and 
>> correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is 
>> correctly enabled when running our existing Tomcat 7.0.47.  My guess is that 
>> I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat 
>> documentation 
>> (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I 
>> read it, seems to say that simply setting the "protocols" attribute of the 
>> SSLHostConfig element to include "SSLv3" should do the job.
>> Thank you in advance for any help offered!
> 8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.
> The docs need to be updated to reflect that. Also the migration guide.
> I've done some svn archaeology and this change was introduced during 
> the refactoring that added support for SNI, ALPN and multiple certificates.
> Originally, the removal of SSLv2 and SSLv3 was only for the default 
> protocols (as it currently is in 8.0.x and earlier). During the 
> refactoring, the filtering effectively switched to applying to the 
> supported protocols.
> A warning is logged during start-up that an unsupported protocol has 
> been requested.
> Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM 
> used also supports it.
> Given the inherent insecurities in SSLv3, I don't like the message 
> re-enabling sends. On the other hand, it drives me mad when software 
> blocks something because it thinks it knows best rather then letting 
> me judge the risk and make the decision for myself.
> I'm therefore leaning towards allowing SSLv3 to be requested but 
> logging a clear warning if it is.
> Mark
> ----------------------------------
> Thank you Mark for clarifying that SSLv3 is *not* supported (at all) 
> in Tomcat 8.5+.  Wow, if only I had known that (via the Tomcat docs), 
> I could have saved days of research and experimentation. :-(

SSLv3 will be available (not by default and using it will result in a warning 
in the logs) from 9.0.0.M23 and 8.5.17 onwards (i.e. not the releases currently 
in progress but the next ones in around a month's time).


Hi Mark,

When can we expect a Tomcat 8.5.x release with SSLv3 support re-enabled?  (This 
feature is critical for our product and is needed ASAP.)

Thank you,

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to