Hi Tomcat Users,
I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A
3rd-party component of our product requires SSLv3 and there's no getting around
it!) Our Tomcat is running on a custom Linux distribution based on CentOS 7,
and we're running Java 1.8.0_131. Note that I've already (and correctly)
enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled
when running our existing Tomcat 7.0.47. My guess is that I have an incorrect
server.xml configuration (for Tomcat 8), but the Tomcat documentation
(https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support), as I
read it, seems to say that simply setting the "protocols" attribute of the
SSLHostConfig element to include "SSLv3" should do the job.
Thank you in advance for any help offered!
Marc
----------------------------------------------
Here is the server.xml file that correctly enables SSLv3 for Tomcat 7.0.47:
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="80" protocol="HTTP/1.1" enableLookups="false"
               redirectPort="443" server=" "
               acceptCount="100" connectionTimeout="660000"
               disableUploadTimeout="true" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               enableLookups="false" acceptCount="100"
               scheme="https" secure="true" connectionTimeout="660000"
               disableUploadTimeout="true" server=" "
               ciphers="SSL_RSA_WITH_RC4_128_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
                        SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/.keystore" >
    </Connector>
    <Engine name="Standalone" defaultHost="MyHostName">
      <Host name="MyHostName" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Context path="" docBase="ROOT" allowLinking="true">
          <Resources
              className="org.apache.naming.resources.FileDirContext" allowLinking="true"
              docBase="" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
Here are the scan results showing that SSLv3 is indeed enabled (and our
3rd-party component works correctly):
# ./cipherscan MyHostName:443
prio ciphersuite protocols pfs_keysize
1 DHE-DSS-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
2 EDH-DSS-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
----------------------------------------------
And here is the server.xml file that, unfortunately, does *not* enable SSLv3
for Tomcat 8.5.15:
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="80" protocol="HTTP/1.1" enableLookups="false"
               redirectPort="443" server=" "
               acceptCount="100" connectionTimeout="660000"
               disableUploadTimeout="true" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               enableLookups="false" acceptCount="100"
               scheme="https" secure="true" connectionTimeout="660000"
               disableUploadTimeout="true" server=" ">
      <SSLHostConfig protocols="+SSLv3, +TLSv1, +TLSv1.1, +TLSv1.2"
                     ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
                              TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                              SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                              SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
                              SSL_DHE_RSA_WITH_DES_CBC_SHA">
        <Certificate certificateKeystoreFile="/etc/.keystore"
                     certificateKeystoreType="JKS" certificateKeystorePassword="changeit" />
      </SSLHostConfig>
    </Connector>
    <Engine name="Standalone" defaultHost="MyHostName">
      <Host name="MyHostName" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Context path="" docBase="ROOT">
          <Resources allowLinking="true" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
Here are the scan results showing that SSLv3 is *not* enabled (and our
3rd-party component does *not* work):
# ./cipherscan MyHostName:443
prio ciphersuite protocols pfs_keysize
1 DHE-DSS-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
2 EDH-DSS-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
Here is Tomcat's logging at startup (notice the SSLv3 warning):
..
Tomcat started.
-sh-4.2# Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-nio-80"]
Jun 20, 2017 3:38:06 PM org.apache.tomcat.util.net.NioSelectorPool
getSharedSelector
INFO: Using a shared selector for servlet write/read
Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["https-jsse-nio-443"]
Jun 20, 2017 3:38:07 PM org.apache.tomcat.util.net.SSLUtilBase getEnabled
WARNING: Some of the specified [protocols] are not supported by the SSL engine
and have been skipped: [[SSLv3]]
..
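The mismatch shown in this post (SSLv3 listed in SSLHostConfig, warned about by SSLUtilBase at startup, and absent from the cipherscan offer) can be checked mechanically. The following Python is an added example, not code from the post or from Tomcat; it parses cipherscan's table and the SSLUtilBase warning and reports which configured protocols the server never actually offers, using sample inputs constructed from the output quoted above.

```python
import re

# Constructed cipherscan samples, modelled on the two runs quoted in the post.
SCAN_TOMCAT7 = """\
prio ciphersuite protocols pfs_keysize
1 DHE-DSS-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
2 EDH-DSS-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
"""
SCAN_TOMCAT8 = """\
prio ciphersuite protocols pfs_keysize
1 DHE-DSS-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
2 EDH-DSS-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
"""
# Constructed startup-log excerpt; the warning text is the one shown in the post.
LOG_TOMCAT8 = """\
INFO: Initializing ProtocolHandler ["https-jsse-nio-443"]
Jun 20, 2017 3:38:07 PM org.apache.tomcat.util.net.SSLUtilBase getEnabled
WARNING: Some of the specified [protocols] are not supported by the SSL engine
and have been skipped: [[SSLv3]]
"""

def parse_cipherscan(output):
    """Map each ciphersuite in cipherscan's table to the protocols it was offered under."""
    offered = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # header or blank line
        offered[fields[1]] = set(fields[2].split(","))
    return offered

def offered_protocols(output):
    """Every protocol version the server negotiated for at least one ciphersuite."""
    return set().union(*parse_cipherscan(output).values())

# Matches the SSLUtilBase warning even when a mail client wrapped it onto two lines.
SKIPPED_RE = re.compile(
    r"Some of the specified \[protocols\] are not supported by the SSL engine\s+"
    r"and have been skipped: \[\[([^\]]*)\]\]")

def skipped_protocols(log_text):
    """Protocols Tomcat dropped from SSLHostConfig because the JSSE engine refused them."""
    m = SKIPPED_RE.search(log_text)
    return {p.strip() for p in m.group(1).split(",") if p.strip()} if m else set()

def not_offered(configured, scan_output):
    """Protocols listed in server.xml that the scan shows the server never offers."""
    return set(configured) - offered_protocols(scan_output)
```

Run `not_offered(["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"], SCAN_TOMCAT8)` together with `skipped_protocols(LOG_TOMCAT8)`: when the same protocol appears in both results, the gap is in the JVM's SSL engine rather than in server.xml.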