Hi,
I'm using JBoss 5.1, JDK 6 and the native API, and I'm having trouble disabling SSLv2 and 3 to mitigate the POODLE attack.
SSLProtocol="TLSv1"
This is the only configuration I have tried that satisfies the poodle scanners.
My problem is JDK 6: when I use HttpsURLConnection, the server fails on the 'SSLv2Hello' handshake.
I have not found a way to make the native Tomcat permit SSLv2Hello (I've been searching the web for a week now).
Any help is appreciated.
PS: I was able to create a wrapper for the SSLSocketFactory, which works, but that doesn't help when an off-the-shelf application tries to connect using the bare JDK 6 code.
Tom Z
There isn't any easy fix for that; you should upgrade to a supported version :-(
The solutions are:
1 - Use SSLProtocol="TLSv1" (you are safe for the moment), but you need to upgrade the clients to use Java 8.
2 - Use the JIO/BIO connector and use something like sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" (probably TLSv1,SSLv2Hello).
3 - Update the native libraries and back-port the fixed JBoss Web code.