I have a Windows 2008 server with Tomcat 7.0.59 and Java 8u31, and I am trying to ensure that SSLv3 is disabled. Looking at the changelog for Java, SSL3 should no longer be supported, and the Java Control Panel doesn't even have a checkbox to enable it in the Advanced Security Settings options. Even still, I have added sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to my HTTP connector in server.xml. Running a POODLE vulnerability scan still shows the ability to connect via SSL3.

Any ideas for other places to look or tools that could help identify what is enabling/supporting SSL3 on this box?

Here is the full connector configuration for reference:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keyAlias="CAS-server"
           keystoreFile="[filepath]" keystorePass="[password]"/>

The server is a virtual machine running on VMware and is used only for CAS (Single Sign-On implementation from JA-SIG). Other programs installed on the system:

  • EMC NetWorker
  • Sophos Anti-Virus / AutoUpdate / Remote Management System
  • TortoiseSVN
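
An added example, not part of the original post: a Python check that parses a Tomcat server.xml and reports, for each SSL-enabled Connector, whether the JSSE attribute sslEnabledProtocols and the APR/native attribute SSLProtocol are set and whether either names SSLv3. The sample input is the connector as posted, wrapped in a constructed Server/Service element; audit_connectors and its finding format are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Connector as posted above (placeholders kept), wrapped in a minimal
# constructed <Server>/<Service> so that it parses as a document.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keyAlias="CAS-server"
           keystoreFile="[filepath]" keystorePass="[password]"/>
</Service></Server>"""


def audit_connectors(xml_text):
    """Return one finding dict per SSL-enabled <Connector> (hypothetical helper)."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        issues = []
        protocol = conn.get("protocol", "HTTP/1.1")
        explicit_apr = protocol.endswith("Http11AprProtocol")
        # protocol="HTTP/1.1" auto-selects APR/native when the native library loads.
        may_be_apr = explicit_apr or protocol == "HTTP/1.1"
        jsse = conn.get("sslEnabledProtocols")  # read by the JSSE (BIO/NIO) connectors
        apr = conn.get("SSLProtocol")           # read by the APR/native connector
        if not explicit_apr:
            if jsse is None:
                issues.append("sslEnabledProtocols not set (JSSE uses JVM defaults)")
            elif "sslv3" in [p.strip().lower() for p in jsse.split(",")]:
                issues.append("sslEnabledProtocols lists SSLv3")
        if may_be_apr:
            if apr is None:
                issues.append("SSLProtocol not set (applies if APR/native is in use)")
            elif "sslv3" in [p.strip().lower() for p in apr.split("+")]:
                issues.append("SSLProtocol lists SSLv3")
        findings.append({"port": conn.get("port"), "protocol": protocol,
                         "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding["port"], finding["protocol"])
        for issue in finding["issues"]:
            print("  -", issue)
```

Tomcat's startup log states which connector implementation was actually loaded for the port, which tells you which of the two attributes is in effect.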

