How do I disable SSLv3 support in Apache Tomcat?

Solution 1:

Depending on the version of Tomcat 5 and Version 6 the SSLEnabled="true" might not work as it was added mid-release. To get past this you just need to edit the following: sslProtocols = TLS To: sslProtocols = "TLSv1,TLSv1.1,TLSv1.2"

Seems strange but even though it says TLS, it contains the SSL 3.

This fixed it on our Tomcat 5.5.20 and our Tomcat 6 instances. -Greg

I believe what you need to do is:

Jboss:

<Connector protocol="HTTP/1.1" SSLEnabled="true" 
       enableLookups="true" disableUploadTimeout="true"
       acceptCount="100"  maxThreads="200"
       scheme="https" secure="true" clientAuth="false" 
       keystoreFile="${jboss.server.home.dir}/conf/keystore.jks"
       keystorePass="rmi+ssl"
       sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

Not sure on the cipher suite definition however sslprotocols should just be set to TLSv1,TLSv1.1,TLSv1.2

depending on your tomcat version it will differ, other potential solutions:

Tomcat 5 and 6

<Connector...
   enableLookups="true" disableUploadTimeout="true"
   acceptCount="100"  maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
   clientAuth="false" sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

**On RHEL5-based distros, the following applies to Tomcat 6 versions prior to Tomcat 6.0.38 **

Note that TLSv1.1,TLSv1.2 is supported by Java 7, not Java 6. Adding these directives to a server running Java 6 is harmless, but won't enable TLSv1.1 & TLSv1.2.

<Connector...
   enableLookups="true" disableUploadTimeout="true"
   acceptCount="100"  maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
   clientAuth="false" sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

Tomcat >=7

<Connector...
       enableLookups="true" disableUploadTimeout="true"
       acceptCount="100"  maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
       clientAuth="false" sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

Tomcat APR connectors

<Connector...
               maxThreads="200"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               SSLEnabled="true" 
               SSLProtocol="TLSv1"
               SSLCertificateFile="${catalina.base}/conf/localhost.crt"
               SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" />

the above is altered to cater to what your connector specifications were above. Source: https://access.redhat.com/solutions/1232233

Solution 2:

I have a similar use case, which is to enable Tomcat 7 to strictly use only TLSv1.2, not to fall back to earlier SSL protocols such as TLSv1.1 or SSLv3.

I am using: C:\apache-tomcat-7.0.64-64bit and C:\Java64\jdk1.8.0_60.

Following this instruction: https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html. Tomcat is relatively simple to setup SSL support.

From many references I tested many combination, finally I found 1 which will enforce Tomcat 7 to accept TLSv1.2 only. 2 places needed to touch:

1) In C:\apache-tomcat-7.0.64-64bit\conf\server.xml

<Connector port="8443" 
 protocol="org.apache.coyote.http11.Http11Protocol"
 maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
 keystoreFile="ssl/.keystore" keystorePass="changeit"
 clientAuth="false" sslProtocol="SSL" sslEnabledProtocols="TLSv1.2" />

where

keystoreFile = local self-signed trust store

org.apache.coyote.http11.Http11Protocol = JSSE BIO implementation.

We don't use org.apache.coyote.http11.Http11AprProtocol, because it is powered by openssl. The underlying openssl will fall back to support earlier SSL protocols.

2) When start up Tomcat, enable the following environment parameters.

set JAVA_HOME=C:\Java64\jdk1.8.0_60
set PATH=%PATH%;C:\Java64\jdk1.8.0_60\bin
set CATALINA_HOME=C:\apache-tomcat-7.0.64-64bit
set JAVA_OPTS=-Djdk.tls.client.protocols="TLSv1.2" -Dsun.security.ssl.allowUnsafeRenegotiation=false -Dhttps.protocols="TLSv1.2"

JAVA_OPTS restriction is required, otherwise Tomcat (which is powered by Java8) will fall back to support earlier SSL protocols.

Start up Tomcat C:\apache-tomcat-7.0.64-64bit\bin\startup.bat

We can see JAVA_OPTS appears in Tomcat startup log.

Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djdk.tls.client.protocols=TLSv1.2
Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dsun.security.ssl.allowUnsafeRenegotiation=false
Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dhttps.protocols=TLSv1.2

Then, we can use openssl command to verify our setup. First connect localhost:8443 with TLSv1.1 protocol. Tomcat refuses to reply with Server certificate.

C:\OpenSSL-Win32\bin>openssl s_client -connect localhost:8443 -tls1_1
Loading 'screen' into random state - done
CONNECTED(000001C0)
5372:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes

Connect localhost:8443 with TLSv1.2 protocol, Tomcat replies ServerHello with certificate:

C:\OpenSSL-Win32\bin>openssl s_client -connect localhost:8443 -tls1_2
Loading 'screen' into random state - done
CONNECTED(000001C0)
depth=1 C = US, ST = Washington, L = Seattle, O = getaCert - www.getacert.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=SG/ST=SG/L=Singapore/O=Xxxx/OU=Development/CN=Myself
   i:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
1 s:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
   i:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
---
Server certificate
-----BEGIN CERTIFICATE-----
(ignored)
-----END CERTIFICATE-----
subject=/C=SG/ST=SG/L=Singapore/O=Xxxx/OU=Development/CN=Myself
issuer=/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2367 bytes and written 443 bytes

This proves that Tomcat now strictly respond to TLSv1.2 request only.