I have a Windows 2008 server with Tomcat 7.0.59 & Java 8u31 & I am trying to ensure that SSLv3 is disabled. Looking at the changelog for Java, SSL3 should no longer be supported and the Java Control Panel doesn't even have a checkbox to enable it in the Advanced Security Settings options. Even still, I have added
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to my HTTP connector in server.xml. Running a POODLE vulnerability scan still shows the ability to connect via SSL3.
Any ideas for other places to look or tools that could help identify what is enabling/supporting SSL3 on this box?
Here is the full connector configuration for reference:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keyAlias="CAS-server" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="[filepath]" keystorePass="[password]"/>
The server is a virtual machine running on VMWare and is used only for CAS (Single Sign-On implementation from JA-SIG). Other programs installed on the system:
- EMC NetWorker
- Sophos Anti-Virus / AutoUpdate / Remote Management System