On 8/8/16, 9:59 AM, Coty Sutherland wrote:
> To mitigate POODLE you must disable SSLv3 and only use TLS. Please visit the wiki page for more info: https://wiki.apache.org/tomcat/Security/POODLE
Actually, I found that on my own, only a few minutes after I posted my question.
So would the existing . . .
clientAuth="false" sslProtocol="TLS" />
become this? . . .
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />
But what I currently get in an SSLLabs scan is
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
. . .
Protocols
TLS 1.2   No
TLS 1.1   No
TLS 1.0   Yes
SSL 3     No
SSL 2     No
from which I gather that (1) SSLLabs seems to think SSLv3 is already disabled, and (2) TLSv1.1 and TLSv1.2 are unavailable.
Something doesn't make sense here.

--
JHHL
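
Added example, not part of the original message and not Tomcat's own code: a small Python audit of a server.xml that reports, for each TLS connector, whether sslEnabledProtocols is set, whether it still lists SSLv3, and whether it omits TLSv1.2. The sample XML, its ports and the function name are constructed for illustration, and the script assumes TLS connectors are marked SSLEnabled="true".

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread): a plain HTTP connector,
# a TLS connector relying on defaults, one with the explicit list proposed in
# the message, and one that still lists SSLv3.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" />
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />
  <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1,SSLv3" />
</Service></Server>"""


def audit_connectors(xml_text):
    """Return {port: [findings]} for every connector with SSLEnabled="true"."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # assumption: non-TLS connectors are out of scope
        findings = []
        raw = conn.get("sslEnabledProtocols")
        if raw is None:
            # Without an explicit list the enabled set is whatever the JVM
            # defaults to, so the file alone does not show what is offered.
            findings.append("sslEnabledProtocols not set: JVM defaults apply")
        else:
            listed = [p.strip() for p in raw.split(",") if p.strip()]
            if "SSLv3" in listed:
                findings.append("SSLv3 listed: POODLE exposure")
            if "TLSv1.2" not in listed:
                findings.append("TLSv1.2 not listed")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in sorted(audit_connectors(SAMPLE).items()):
        print(port, "OK" if not findings else "; ".join(findings))
```

A protocol named in sslEnabledProtocols is only enabled if the JVM's SSL implementation supports it, so a clean result here still needs confirming with an external scan such as the SSLLabs one above.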