Preparation:
Before you start, you can check:
- whether your domain supports SSLv3 at https://www.ssllabs.com/ssltest/analyze.html
- whether your browser supports SSLv3 at https://www.ssllabs.com/ssltest/viewMyClient.html
Solutions:
To disable SSLv3 in Tomcat, you need to:
Open CATALINA_HOME/conf/server.xml and modify the corresponding connectors.
For example, I have a connector like this:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/sslCertificate/tomcat13.keystore" keystorePass="cas24MEGA"
/>
Delete sslProtocol="TLS" and add sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSLv3. With sslProtocol="TLS", all TLS and SSL versions are enabled; sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" enables only TLSv1, TLSv1.1 and TLSv1.2, which disables SSLv3 by leaving it out of the list.
It is worth searching for more information about SSLv3, POODLE and TLS_FALLBACK_SCSV to understand why it is necessary to disable SSLv3, when it should be disabled, and what the alternatives are.
Note:
(1) The attribute name in the connector is sslEnabledProtocols, not sslProtocol, sslProtocols, SSLProtocol, etc.
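To check a server.xml for connectors that still need this change, here is an added audit script (not from the original post or from Tomcat) that flags SSL-enabled connectors without sslEnabledProtocols, ones that list SSLv3 explicitly, and ones that use a look-alike attribute name such as sslProtocols. It assumes the JSSE connector attributes shown above and runs on a constructed sample server.xml embedded in the script.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not the post's file): a plain HTTP connector,
# an HTTPS connector still on sslProtocol="TLS", one fixed as the post
# describes, and one that uses a misspelled attribute name.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  </Service>
</Server>"""

CORRECT = {"sslProtocol", "sslEnabledProtocols"}
# Case-folded spellings that look like the real attribute but are silently ignored.
LOOKALIKES = {"sslprotocol", "sslprotocols", "sslenabledprotocols", "sslenabledprotocol"}


def audit_connector(conn):
    """Return a list of findings for one <Connector> element (empty means it looks fine)."""
    findings = []
    for name in conn.attrib:
        if name.lower() in LOOKALIKES and name not in CORRECT:
            findings.append(f"attribute {name!r} is not recognised; use sslEnabledProtocols")
    enabled = conn.get("sslEnabledProtocols")
    if enabled is None:
        # Without sslEnabledProtocols the sslProtocol="TLS" default leaves SSLv3 enabled.
        findings.append("no sslEnabledProtocols attribute: SSLv3 is still enabled")
    elif any(p.strip().upper() == "SSLV3" for p in enabled.split(",")):
        findings.append("sslEnabledProtocols explicitly lists SSLv3")
    return findings


def audit_server_xml(xml_text):
    """Map each SSL-enabled connector's port to its list of findings."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: SSLv3 is not in play
        report[conn.get("port")] = audit_connector(conn)
    return report


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

To audit a real installation, pass the contents of CATALINA_HOME/conf/server.xml to audit_server_xml instead of the sample.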