So you've already mitigated POODLE and the scanner is just complaining
about your TLS version. Unfortunately, TLSv1.0 is the only TLS
protocol version available on java6, unless you're on u111 (from
https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https).
If you need TLSv1.2, then you'll have to update to java7+.

On Mon, Aug 8, 2016 at 1:13 PM, James H. H. Lampert
<jam...@touchtonecorp.com> wrote:
> On 8/8/16, 9:59 AM, Coty Sutherland wrote:
>>
>> To mitigate POODLE you must disable SSLv3 and only use TLS. Please
>> visit the wiki page for more info:
>> https://wiki.apache.org/tomcat/Security/POODLE
>
>
> Actually, I found that on my own, only a few minutes after I posted my
> question.
>
> So would the existing
> . . .
>>
>>  clientAuth="false" sslProtocol="TLS" />
>
>
> become this?
> . . .
>>
>>  clientAuth="false" sslProtocol="TLS"
>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"  />
>
>
> But what I currently get in an SSLLabs scan is
>>
>> The server supports only older protocols, but not the current best TLS
>> 1.2. Grade capped to C.
>
> . . .
>>
>> Protocols
>> TLS 1.2         No
>> TLS 1.1         No
>> TLS 1.0         Yes
>> SSL 3   No
>> SSL 2   No
>
>
> from which I gather that (1) SSLLabs seems to think SSLv3 is already
> disabled, and (2) TLSv1.1 and TLSv1.2 are unavailable.
>
> Something doesn't make sense here.
>
>
> --
> JHHL
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

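A way to confirm the point made in the reply above, as an added example that is not part of the original message: this small class prints the protocol versions the running JVM supports and which entries of a `sslEnabledProtocols` value it can actually provide. The class name `ProtocolCheck` and the helper `usable` are made up for this illustration; the default attribute value is the one proposed in the thread. It sticks to Java 6 syntax so it compiles on the JVM in question.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name): compares a Tomcat
// sslEnabledProtocols value with what this JVM's default JSSE provider supports.
public class ProtocolCheck {

    // Keeps only the requested protocol names that the JVM lists as supported.
    static List<String> usable(String requested, String[] supported) {
        List<String> supportedList = Arrays.asList(supported);
        List<String> result = new ArrayList<String>();
        for (String name : requested.split(",")) {
            String trimmed = name.trim();
            if (trimmed.length() > 0 && supportedList.contains(trimmed)) {
                result.add(trimmed);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Default is the value proposed in the thread; pass another as args[0].
        String requested = args.length > 0 ? args[0] : "TLSv1.2,TLSv1.1,TLSv1";

        SSLParameters params = SSLContext.getDefault().getSupportedSSLParameters();
        String[] supported = params.getProtocols();
        List<String> ok = usable(requested, supported);

        System.out.println("java.version        : " + System.getProperty("java.version"));
        System.out.println("JVM supports        : " + Arrays.toString(supported));
        System.out.println("sslEnabledProtocols : " + requested);
        System.out.println("usable on this JVM  : " + ok);

        // Requested names the JVM cannot provide explain a scan that shows
        // fewer protocols than the connector configuration asks for.
        for (String name : requested.split(",")) {
            if (!ok.contains(name.trim())) {
                System.out.println("not available       : " + name.trim());
            }
        }
        // POODLE mitigation: SSLv3 must not be among the enabled protocols.
        if (ok.contains("SSLv3")) {
            System.out.println("WARNING: SSLv3 is requested and supported; remove it");
        }
    }
}
```

Compile and run it with the same `java` binary that starts Tomcat, since the result depends on that JVM's version and update level.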