This Wiki entry serves as a place for all relevant information regarding CVE-2014-3566 (aka the POODLE SSL v3 vulnerability). Rather than repeating this information on mailing lists, etc., please make references to this page and refer people to it.

What is POODLE vulnerability?

POODLE is a vulnerability in the SSL v3 protocol itself (its CBC-mode padding is not covered by the MAC), not in any particular implementation. An attacker who sits between client and server can force the connection to be negotiated as SSL v3 rather than TLS, and then break the cryptographic protection of that connection (e.g. decrypt parts of the traffic such as session cookies, and hijack sessions with them).


For the attack to succeed, both client and server must support SSL v3, the attacker must be a man-in-the-middle between them, and the attacker must be able to run malicious JavaScript in the victim's browser (to generate the repeated requests the attack needs).


Disabling SSL v3 on either the client side or the server side mitigates this vulnerability, because the attack depends on both ends being willing to negotiate SSL v3. The server-side settings for Tomcat are described below.

JSSE-based connectors (Bio, Nio, Nio2)

To disable SSL v3 and enable all TLS protocols on JSSE connectors, add the following attributes to your HTTPS connector configuration in server.xml:

The same, plus the SSLv2Hello pseudo-protocol (this only allows the SSLv2-format ClientHello that some old clients send; it does not enable SSL v2 itself):
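As an added example (not the wiki's own text), here is a JSSE (NIO) HTTPS connector in server.xml before and after the change. The port, keystore path and password are placeholders; the attribute names sslProtocol and sslEnabledProtocols are Tomcat's. The first connector relies on the JVM's default list of enabled server protocols, which in the Java 7 releases current at the time of writing includes SSLv3; the second pins the enabled protocols explicitly; the third additionally accepts the SSLv2Hello pseudo-protocol. The explicit protocol class matters: with protocol="HTTP/1.1" Tomcat switches to the APR connector whenever the native library is present, and these JSSE attributes are then ignored.

```xml
<!-- Added example, not part of the original page. Port, keystore path and password are placeholders. -->

<!-- BEFORE: no sslEnabledProtocols, so the JVM default applies (SSLv3 is enabled on Java 7 of the time). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

<!-- AFTER: SSLv3 disabled; TLS 1.0, 1.1 and 1.2 enabled explicitly (1.1 and 1.2 need Java 7 or later). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks" keystorePass="changeit"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />

<!-- AFTER, also accepting the SSLv2Hello pseudo-protocol for legacy clients (still no SSLv3, no SSLv2). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks" keystorePass="changeit"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2" />
```

Only one of the three connectors should be present in a real server.xml; they are shown side by side for comparison. Note that sslProtocol="TLS" stays in place in all three: it selects the JSSE SSLContext, while sslEnabledProtocols is what restricts the protocol versions actually offered.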


APR-based connector (Apr)

To disable SSL v3 and enable only the TLSv1 protocol on the APR connector, add the following attribute to your HTTPS connector configuration in server.xml:

To enable the TLSv1, TLSv1.1 and TLSv1.2 protocols, the setting will be the following. (Note: the "TLSv1.1" and "TLSv1.2" values require Tomcat Native 1.1.32 and a version of Tomcat that supports it. Neither had been released at the time of this writing, but both are expected soon. See bug 53952 for progress.)
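As an added example (not the wiki's own text), the same before/after comparison for an APR connector. The certificate and key paths are placeholders; the attribute name SSLProtocol and its "+"-separated value syntax are Tomcat Native's. When SSLProtocol is omitted, the default value "all" applies, which in the Tomcat Native releases current at the time of writing includes SSLv3.

```xml
<!-- Added example, not part of the original page. Port, certificate and key paths are placeholders. -->

<!-- BEFORE: SSLProtocol omitted, so the default "all" applies and SSLv3 is accepted. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="${catalina.base}/conf/localhost.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" />

<!-- AFTER: TLSv1 only. Works with every Tomcat Native release available at the time of writing. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="${catalina.base}/conf/localhost.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/localhost.key"
           SSLProtocol="TLSv1" />

<!-- AFTER: TLS 1.0, 1.1 and 1.2. Requires Tomcat Native 1.1.32 and a Tomcat release that supports it (bug 53952). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="${catalina.base}/conf/localhost.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/localhost.key"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" />
```

Again, only one of these connectors belongs in a real server.xml. If you use protocol="HTTP/1.1" instead of the explicit Http11AprProtocol class, check which connector Tomcat actually selected at startup (the log line naming the connector class), since the JSSE and APR connectors use different, non-interchangeable attribute names.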

On-line testing tools

Test your browser here:

Test your server here:

Security/POODLE (last edited 2014-10-19 22:27:09 by KonstantinKolinko)