1 Reply Latest reply on Apr 2, 2015 3:41 AM by Jean-Frederic Clere

    SSLv2Hello Tomcat native

    Tom Zeibig Newbie
    Tom Zeibig Apr 1, 2015 11:16 AM

      Hi,

      I'm using JBOSS 5.1,  jdk6, native API  and having trouble disabling SSLV2 and 3 to mitigate the Poodle attack.

       

             SSLProtocol="TLSv1"

      This is the only configuration I have tried that satisfies the poodle scanners.

      My problem is the jdk6 -  when I use HttpsURLConnection the server fails on the 'SSLv2Hello' handshake.

       

      I have not found a way to make the Native tomcat permit the SSLv2Hello.  (searching the web for a week now)

       

      Any help is appreciated.

       

      PS.  I was able to create a wrapper for the SSLSocketFactory which works, but that doesn't help when a off-the-shelf application tries to connect using the bare jdk6 code.

      Tom Z

      • 885 Views
      • Tags:
        • 1. Re: SSLv2Hello Tomcat native
          Jean-Frederic Clere Master
          Jean-Frederic Clere Apr 2, 2015 3:41 AM (in response to Tom Zeibig)

          There isn't any easy fix for that you should upgrade to a supported version :-(

          The solutions are:

          1 - Use SSLProtocol="TLSv1"( you are safe for the moment) but you need to upgrade the clients to use java8

          2 - Use the JIO/BIO connector and use something like sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" (TLSv1,SSLv2Hello probably).

          3 - update the native libraries and back port the fixed jbossweb code.

          1 of 1 people found this helpful