Wednesday, 15 June 2011

Tomcat APR connector and POODLE

I have a couple of production servers running Tomcat 7.0 with the APR+SSL connector. Because of the recent POODLE attack, I was asked to disable SSLv3 on these servers. I dug through the Tomcat connector documentation and, according to it, setting SSLProtocol to TLSv1 (instead of all) should be sufficient to disable SSLv3 and enforce TLSv1.

The problem is that TLSv1 seems to enable TLS but does not make the server reject SSLv3. I tested using openssl s_client -connect -ssl3 and verified that plain-old SSLv3 connections are still accepted, so I'm wondering if this is a bug in Tomcat or if there is something else I need to set to disable SSLv3 completely.

Update: I disabled APR and reverted to using the NIO connector with sslProtocol="TLS", which works fine. The problem seems to affect only APR. For reference, the new connector configuration:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="500" scheme="https" secure="true" clientAuth="false" keystoreFile="/etc/keys/***.ks" keystorePass="****" sslProtocol="TLS" sslEnabledProtocols="TLSv1.1,TLSv1.2" />
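The openssl s_client -ssl3 check above is the right idea, but newer OpenSSL builds are compiled without SSLv3 support, so the -ssl3 option may simply fail on the client side and tell you nothing about the server. The following script is an added example (not code from the original post or from the Tomcat project) that sends a raw SSLv3 ClientHello to a host and classifies the first record that comes back: a ServerHello carrying version 3.0 means SSLv3 is still accepted; an alert, or the server closing the connection, means it was refused. The hostname and port are assumed to be whatever server you are checking, and the cipher suite list is an assumption chosen only to be broad enough that an SSLv3-capable server will answer.

```python
import socket
import struct
import sys

SSLV3 = 0x0300
HANDSHAKE = 0x16
ALERT = 0x15
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02

# Assumed list of SSLv3-era cipher suites: AES128-SHA, AES256-SHA,
# DES-CBC3-SHA, RC4-SHA, RC4-MD5. Any server that still speaks SSLv3
# will pick one of these.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello(client_random=b"\x00" * 32):
    """Return one record holding an SSLv3 ClientHello.

    Both the record-layer version and the hello version are set to 3.0,
    so the server is offered nothing newer than SSLv3.
    """
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        struct.pack("!H", SSLV3)
        + client_random                      # 32-byte client random
        + b"\x00"                            # session id length: 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                        # compression methods: null only
    )
    # Handshake header: type (1 byte) + 24-bit length.
    handshake = struct.pack("!B", CLIENT_HELLO) + struct.pack("!I", len(body))[1:] + body
    # Record header: content type, version, 16-bit length.
    return struct.pack("!BHH", HANDSHAKE, SSLV3, len(handshake)) + handshake


def classify_response(data):
    """Classify the server's first record.

    Returns 'accepted' (ServerHello with version 3.0), 'rejected' (alert),
    'closed' (server hung up without answering) or 'unknown'.
    """
    if not data:
        return "closed"
    if len(data) < 5:
        return "unknown"
    content_type, _version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == ALERT:
        return "rejected"
    if content_type == HANDSHAKE and len(payload) >= 6 and payload[0] == SERVER_HELLO:
        hello_version = struct.unpack("!H", payload[4:6])[0]
        # Only a 3.0 ServerHello proves SSLv3 was negotiated.
        return "accepted" if hello_version == SSLV3 else "unknown"
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Open a TCP connection, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "unknown"
    return classify_response(data)


if __name__ == "__main__":
    # Usage: python sslv3_probe.py HOST [PORT]
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("SSLv3 %s on %s:%d" % (probe(target_host, target_port), target_host, target_port))
```

A result of "accepted" is conclusive: the server completed version selection at 3.0, which is exactly what the APR connector in the post was still doing. A result of "rejected" or "closed" is what the NIO connector with sslEnabledProtocols="TLSv1.1,TLSv1.2" should produce. Run it against every listening connector, not just port 443, since each Connector element carries its own protocol settings.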

It seems the ability to disable SSL when using the APR connector with TLS is still a work in progress. Check this link for more information: https://issues.apache.org/bugzilla/show_bug.cgi?id=53952#c30, comment #37.

The good news is that it'll be fixed in the next release of Tomcat and Tomcat Native. See comment #39:

Fixed in tcnative-trunk in r1632593 and tcnative-1.1.x in r1632595. Will be in tcnative 1.1.32.

And comment #40:

Fixed in tomcat-trunk in r1632604. Will be in Tomcat 8.0.15. Fixed in Tomcat 7 in r1632606. Will be in Tomcat 7.0.57.

Labels: tomcat, apr, poodle-attack
