This Wiki entry serves as a place for all relevant information regarding CVE-2014-3566 (aka the POODLE SSL v3 vulnerability). Rather than regurgitating this information repeatedly on mailing lists, etc., please make references to this page and refer people to it.
What is the POODLE vulnerability?
POODLE is an SSL v3 protocol vulnerability. It allows an attacker to downgrade the SSL/TLS protocol to version SSL v3, and then break the cryptographic security (e.g. decrypt the traffic, hijack sessions, etc.)
Disabling SSL v3 on either client side or server side will mitigate this vulnerability.
JSSE-based connectors (Bio, Nio, Nio2)
To disable SSL v3 and enable all TLS protocols on JSSE connectors, add the following attributes to your HTTPS connector configuration in server.xml:
- sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
The same, plus SSLv2Hello pseudo-protocol:
- sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
In old versions of Tomcat 6, the configuration attribute for the Bio connector was named protocols. It is sslEnabledProtocols from Tomcat 6.0.39 onwards.
The sslEnabledProtocols attribute has no effect on the Nio connector in Tomcat 6.0.39 - 6.0.41 because of bug 57102. It will be fixed in 6.0.43.
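A configuration check for the JSSE settings above, added here as an example and not part of the original wiki page or of Tomcat itself. The function name, verdict strings and sample server.xml are constructed for illustration, and connectors are assumed to be marked with SSLEnabled="true".

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from a real deployment).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"/>
    <Connector port="7443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,SSLv3"/>
  </Service>
</Server>"""


def audit_jsse_connectors(server_xml):
    """Return {port: verdict} for every SSL-enabled Connector element."""
    verdicts = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector, nothing to check
        port = conn.get("port", "?")
        if "Apr" in conn.get("protocol", ""):
            # APR connectors use a different attribute; not covered here.
            verdicts[port] = "apr-connector-not-checked"
            continue
        # Old Tomcat 6 Bio connectors used "protocols" for the same list.
        listed = conn.get("sslEnabledProtocols") or conn.get("protocols")
        if listed is None:
            # No explicit list: the JVM defaults decide whether SSLv3 is on.
            verdicts[port] = "no-explicit-protocol-list"
        elif any(p.strip().lower() == "sslv3" for p in listed.split(",")):
            verdicts[port] = "sslv3-listed"
        else:
            verdicts[port] = "ok"
    return verdicts


if __name__ == "__main__":
    for port, verdict in audit_jsse_connectors(SAMPLE_SERVER_XML).items():
        print(port, verdict)
```

An "ok" verdict only reflects what server.xml says: on a Nio connector in Tomcat 6.0.39 - 6.0.41 the attribute is ignored because of bug 57102, so the running server still needs to be tested.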
APR-based connector (Apr)
To disable SSL v3 and enable the TLSv1 protocol on the APR connector, add the following attribute to your HTTPS connector configuration in server.xml:
To enable the TLSv1, TLSv1.1 and TLSv1.2 protocols, the setting will be the following (Note: the "TLSv1.1", "TLSv1.2" values require Tomcat Native 1.1.32 and a version of Tomcat that supports it. Those have not yet been released at the time of this writing, but are expected soon. See bug 53952 for progress):
On-line testing tools
Test your browser here:
Test your server here: