Varun,

On 7/8/16 2:16 AM, varun gulati wrote:
> Hello Team, For the past few days I have been struggling with
> disabling TLSv1.0 in my Tomcat configuration. Here is the content
> of my server.xml file. I was able to disable SSLv3, and things were
> working fine but somehow not able to disable TLSv1.0. Really
> appreciate your suggestions on how to resolve this vulnerability.
>
> Disabled SSLv3 with below config:
> ====================================================================
> <Connector port="8443"
>   protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
>   maxThreads="150" scheme="https" secure="true"
>   keystoreFile="Keystore_Pathe" keystorePass="*********"
>   clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>   ciphers="All Ciphers excluding RC4 Ciphers" />
> ====================================================================
>
> To disable TLSv1.0 I adopted the below config; fortunately it
> cleared the scans but my site broke on HTTPS. Referred link:
> http://tomcat.10.x6.nabble.com/How-to-allow-only-TLS-1-1-connections-to-Tomcat-6-0-server-with-https-td4995362.html
>
> ====================================================================
> <Connector port="8443"
>   protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
>   maxThreads="150" scheme="https" secure="true"
>   keystoreFile="Keystore_Pathe" keystorePass="*********"
>   clientAuth="false" sslProtocol="TLSv1.1"
>   sslEnabledProtocols="TLSv1.1"
>   ciphers="All Ciphers excluding RC4 Ciphers" />
> ====================================================================
>
> Please help me identify if I am missing anything.

You were very close. You need:

sslProtocol="TLS" (the default)

and

sslEnabledProtocols="TLSv1.1"
or
sslEnabledProtocols="TLSv1.1,TLSv1.2"

Note that using a recent version of Tomcat should already disable
SSLv3 by default... you'd have to specifically re-enable it if you
wanted it.

-chris
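
One way to check a server.xml against the advice in the reply above, as an added example (not part of the original message and not Tomcat project code). It flags TLS connectors whose sslProtocol is not "TLS" or whose sslEnabledProtocols still lists an old protocol; the sample connectors, ports 8444/8445 and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Protocol names this check treats as unwanted (TLSv1 means TLS 1.0).
DEPRECATED = {"SSLv2Hello", "SSLv3", "TLSv1"}

# Constructed sample: the two configs from the thread, the corrected one,
# and a plain HTTP connector. Ports 8444/8445 are made up for the example.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1" />
  <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1.1,TLSv1.2" />
  <Connector port="8080" protocol="HTTP/1.1" />
</Service></Server>"""

def audit_connectors(server_xml):
    """Return (port, finding) tuples for TLS-enabled <Connector> elements."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # not a TLS connector, nothing to check
        port = conn.get("port", "?")
        # The reply says sslProtocol should stay at "TLS" (the default).
        ssl_protocol = conn.get("sslProtocol", "TLS")
        if ssl_protocol != "TLS":
            findings.append((port, f'sslProtocol="{ssl_protocol}", expected "TLS"'))
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            findings.append((port, "sslEnabledProtocols not set, list is not pinned"))
            continue
        names = {p.strip() for p in enabled.split(",") if p.strip()}
        for bad in sorted(names & DEPRECATED):
            findings.append((port, f"{bad} is enabled in sslEnabledProtocols"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE):
        print(f"connector {port}: {finding}")
```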
