> Hi Tomcat Users,
> 
> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15.  (A 
> 3rd-party component of our product requires SSLv3 and there's no getting 
> around it!)  Our Tomcat is running on a custom Linux distribution based on 
> Centos 7, and we're running Java 1.8.0_131.  Note that I've already (and 
> correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is 
> correctly enabled when running our existing Tomcat 7.0.47.  My guess is that 
> I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat 
> documentation 
> (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I 
> read it, seems to say that simply setting the "protocols" attribute of the 
> SSLHostConfig element to include "SSLv3" should do the job.
> 
> Thank you in advance for any help offered!

8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.

The docs need to be updated to reflect that. Also the migration guide.

I've done some svn archaeology and this change was introduced during the
refactoring that added support for SNI, ALPN and multiple certificates.
Originally, the removal of SSLv2 and SSLv3 was only for the default
protocols (as it currently is in 8.0.x and earlier). During the
refactoring, the filtering effectively switched to applying to the
supported protocols.

A warning is logged during start-up that an unsupported protocol has
been requested.

Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM
used also supports it.

Given the inherent insecurities in SSLv3, I don't like the message
re-enabling sends. On the other hand, it drives me mad when software
blocks something because it thinks it knows best rather than letting me
judge the risk and make the decision for myself.

I'm therefore leaning towards allowing SSLv3 to be requested but logging
a clear warning if it is.

Mark
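
As an added illustration of the behaviour Mark describes (this is example code, not Tomcat's own, and the server.xml it parses is constructed for the example): the script below reads the SSLHostConfig "protocols" attribute of each SSL-enabled Connector and models the start-up filtering, so an operator can see which requested protocols a given Tomcat line would actually enable. The list of protocols assumed for protocols="all", and the wording of the warning, are placeholders and not Tomcat's real values; only the comma-separated form of the attribute is handled.

```python
"""Audit SSLHostConfig "protocols" attributes in a Tomcat server.xml and
model the start-up filtering Mark describes: 8.5.x/9.0.x remove SSLv2 and
SSLv3 from the *supported* list and log a warning, whereas 8.0.x only
removed them from the *default* list and honoured an explicit request.

Added example, not Tomcat's own code. The server.xml below is constructed."""
import xml.etree.ElementTree as ET

# Protocols Tomcat 8.5+/9.0 refuses regardless of configuration (per Mark).
HARD_BLOCKED = {"SSLv2", "SSLv3"}

# Assumed stand-in for what the JVM would offer when protocols="all";
# the real list depends on the JSSE provider and its security properties.
ASSUMED_JVM_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Constructed sample: one connector explicitly asking for SSLv3, one using
# the documented default "all", and one plain HTTP connector to be skipped.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig protocols="TLSv1.2, TLSv1.1, SSLv3">
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig protocols="all"/>
    </Connector>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""


def requested_protocols(server_xml):
    """Return {port: [protocol, ...]} for every SSL-enabled Connector.

    Only the comma-separated form of the attribute is handled; a missing
    attribute is treated as Tomcat's documented default, "all"."""
    root = ET.fromstring(server_xml)
    requested = {}
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue
        for host_cfg in connector.findall("SSLHostConfig"):
            raw = host_cfg.get("protocols", "all")
            requested[connector.get("port")] = [p.strip() for p in raw.split(",") if p.strip()]
    return requested


def effective_protocols(requested, tomcat_8_5=True):
    """Apply the start-up filter and return (enabled, warnings).

    tomcat_8_5=True  : filter applies to the supported list, so an explicit
                       SSLv3 request is dropped with a warning (8.5.x/9.0.x).
    tomcat_8_5=False : filter applies only to the defaults; an explicit
                       request is honoured if the JVM supports it (8.0.x)."""
    explicit = requested != ["all"]
    candidates = list(requested) if explicit else list(ASSUMED_JVM_PROTOCOLS)
    enabled, warnings = [], []
    for proto in candidates:
        blocked = proto in HARD_BLOCKED and (tomcat_8_5 or not explicit)
        if blocked and explicit:
            # Wording is constructed, not Tomcat's actual log message.
            warnings.append(f"WARNING: requested protocol [{proto}] is not supported and was ignored")
        if not blocked:
            enabled.append(proto)
    return enabled, warnings


def audit(server_xml, tomcat_8_5=True):
    """Per-port report: what was requested, what ends up enabled, and any warnings."""
    report = {}
    for port, protos in requested_protocols(server_xml).items():
        enabled, warnings = effective_protocols(protos, tomcat_8_5)
        report[port] = {"requested": protos, "enabled": enabled, "warnings": warnings}
    return report


if __name__ == "__main__":
    for version, flag in (("8.5.x", True), ("8.0.x", False)):
        print(f"== Tomcat {version} ==")
        for port, entry in audit(SAMPLE_SERVER_XML, flag).items():
            print(port, entry)
```

Running it against the sample shows the difference Mark's svn archaeology turned up: under the 8.5.x model port 8443 ends up with only TLSv1.2 and TLSv1.1 plus one warning, while under the 8.0.x model the explicit SSLv3 request is kept. The same parser can be pointed at a real server.xml to find connectors still asking for SSLv2/SSLv3 before an upgrade.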
----------------------------------

Thank you Mark for clarifying that SSLv3 is *not* supported (at all) in Tomcat 
8.5+.  Wow, if only I had known that (via the Tomcat docs), I could have saved 
days of research and experimentation. :-(

Marc