Jammy,

On 1/29/15 11:02 AM, Jammy Chen wrote:
> Thanks for replying, I understood this is old, our product has
> already upgraded to the latest version, but somehow, some of our users
> are still in such old stage, they do not plan uptake now but they
> want to disable SSL V3 as everybody knows this is a big security
> vulnerability.
>
> *so now the important thing is how I can disable SSL V3 on Tomcat
> 6.0.18.0? I cannot find the solution*

Okay, here's the deal: from your perspective, the documentation on Tomcat's site is all out-of-date (into the future) because you (or your customers) are using an ancient version of Tomcat.

The best solution is to tell your customers that you don't support your own product on that version of Tomcat any longer. I love that line of crap when it works to my advantage.

Anyhow...

The "sslEnabledProtocols" configuration attribute was added in Tomcat 6.0.38, well after your 6.0.18 version. Before that, it was called "sslProtocols" and/or "protocols". Give those a try.

(Also, there was a bug in the NIO HTTPS connector specifically that it does not recognize the "sslEnabledProtocols" configuration attribute, but that bug was introduced along with "sslEnabledProtocols" in 6.0.38 and fixed in 6.0.43, so the whole thing is moot as far as you are concerned. The "protocols" attribute should work.)

I posted some code to this mailing list a while back that will probe a server to discover what types of connections and ciphers it will accept. When you configure your server, consider trying that to see what kinds of connections are possible. Note that it's limited to what version of Java you are using *for the client* as well as the server. So, with Java 1.6, you will not likely have TLS 1.2 available, and many ciphers that the server may support under a newer JVM might not be available in 1.6. I would recommend running the latest Java version you can for the client in this case, because it will be able to try the most options against the server.

-chris
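
A sketch of the kind of post-configuration check the message recommends, added here as an example; it is not the code that was posted to the mailing list. The class name `ProtocolProbe` and the default `localhost:8443` target are assumptions. It offers the server one protocol version at a time and marks a version "untested" when the client JVM itself has it disabled, which is the client-side limitation noted above.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;
// Added example: hypothetical class name, assumed default host and port.
public class ProtocolProbe {
    // Accepts any certificate: tolerable only because this tool tests protocol
    // negotiation and sends no data. Never reuse it for real traffic.
    static final TrustManager[] TRUST_ALL = { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String t) { }
        public void checkServerTrusted(X509Certificate[] c, String t) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    } };
    // Maps each protocol the client JVM knows to "accepted", "rejected" or "untested".
    static Map<String, String> probe(String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, null);
        // Newer JVMs disable SSLv3 on the client; a failure there says nothing about the server.
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        List<String> off = Arrays.asList((prop == null ? "" : prop.trim()).split("\\s*,\\s*"));
        Map<String, String> result = new LinkedHashMap<String, String>();
        for (String proto : ctx.getSupportedSSLParameters().getProtocols()) {
            if (proto.equals("SSLv2Hello")) continue; // hello format, not a protocol version
            if (off.contains(proto)) { result.put(proto, "untested"); continue; }
            SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket();
            // A refused TCP connection propagates as an error instead of counting as "rejected".
            s.connect(new InetSocketAddress(host, port), 5000);
            try {
                s.setSoTimeout(5000);
                s.setEnabledProtocols(new String[] { proto }); // offer this version only
                s.startHandshake();
                result.put(proto, "accepted");
            } catch (IOException e) { // handshake failure or read timeout
                result.put(proto, "rejected");
            } finally {
                try { s.close(); } catch (IOException ignored) { }
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> r = probe(args.length > 0 ? args[0] : "localhost",
                                      args.length > 1 ? Integer.parseInt(args[1]) : 8443);
        System.out.println(r);
        // Pass only when SSLv3 was actually offered and the server refused it.
        System.exit("rejected".equals(r.get("SSLv3")) ? 0 : 1);
    }
}
```

An "untested" result for SSLv3 means the check has to be rerun from a client JVM that still permits SSLv3; it does not show that the server refuses it.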