Preparation:
Before start, you can check:
- whether your domain supports SSLv3 at https://www.ssllabs.com/ssltest/analyze.html
- whether your browser supports SSLv3 at https://www.ssllabs.com/ssltest/viewMyClient.html
- whether your domain supports SSLv3 at https://www.ssllabs.com/ssltest/analyze.html
- whether your browser supports SSLv3 at https://www.ssllabs.com/ssltest/viewMyClient.html
Solutions:
To disable SSLv3 in Tomcat, you need to:
Open CATALINA_HOME/conf/server.xml and modify the corresponding connectors.
For example, I have a connector like this:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/sslCertificate/tomcat13.keystore" keystorePass="cas24MEGA"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/sslCertificate/tomcat13.keystore" keystorePass="cas24MEGA"
/>
Delete sslProtocol="TLS" and add sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSLv3. When sslProtocol="TLS", all TLS and SSL versions are enabled. "sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"" means only TLSv1,TLSv1.1 and TLSv1.2 are enabled, which can indirectly disable SSLv3.
It is worth to search more information about SSLv3, POODLE and TLS_FALLBACK_SCSV to understand why it is necessary to disable SSLv3, when we should disble it and its alternatives.
Note:
(1) The attribute name in the connector is sslEnabledProtocols not sslProtocol or sslProtocols or SSLProtocol, etc.
(1) The attribute name in the connector is sslEnabledProtocols not sslProtocol or sslProtocols or SSLProtocol, etc.
扫一扫
2885
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
