"Jeff Krug" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>
> Thu, Mar 09, at 09:19:PM : Bill Barker has proclaimed:
>> "Jeff Krug" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]
>> > Is there a way to disallow the SSL 3.0 protocol?
>> >
>>
>> protocols="TLS" on the <Connector /> tag.
>
> I added this, but it did not seem to alter the behavior. Here is my
> connector tag:
>
> <Connector port="443" maxHttpHeaderSize="8192"
>     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>     enableLookups="false" disableUploadTimeout="true"
>     acceptCount="100" scheme="https" secure="true"
>     clientAuth="false" sslProtocol="TLS" protocols="TLS"
>     keystoreType="PKCS12"
>     keystoreFile="Path:\MyKeyStore.p12"
>     keystorePass="######"
> />
>
> I can still connect using the SSL 3.0 protocol. I don't see a protocols
> option listed anywhere in the Tomcat docs on Apache.org either. Should
> this work?
>
My bad :(. It should be protocols="TLSv1". And, yes, it's an undocumented option.

> I am testing this with openssl on a Linux machine with this command:
>
> $openssl s_client -ssl3 -connect My_Tomcat_Hostname:443
>
> <cut all the certificate passing>
>
> ---
> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> Server public key is 512 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : SSLv3
>     Cipher    : EDH-RSA-DES-CBC3-SHA
>     Session-ID: <snipped for length>
>     Session-ID-ctx:
>     Master-Key: <snipped for length>
>     Key-Arg   : None
>     Start Time: 1142004945
>     Timeout   : 7200 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
>
> When I don't force the client on the Linux side to request ssl3, the
> protocol specified above is TLSv1 as I want.
>
> It seems like most products kind of blur the boundaries between TLS and
> SSL3 (for example that first line above says TLSv1/SSLv3 as if they are
> the same thing). I guess they are nearly identical, but unfortunately
> I still need to figure this out.
>
> Any further ideas for what I can try?
>
> Thanks,
> Jeff Krug