Poodle Fix for Tomcat
POODLE stands for Padding Oracle On Downgraded Legacy Encryption.
POODLE:
The issue exists in the SSL protocol itself, so using the newer protocol, TLS, is secure.
The fix for POODLE is to disable the SSL protocol and enable only the TLS protocols.
The protocols supported by Java's SunJSSE provider are SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
Fix for POODLE vulnerability
Add this attribute to the Connector tag in server.xml:
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
Remove this attribute:
SSLEnabled="true"
The final tag will look like this:
<Connector sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" port="443" maxHttpHeaderSize="8192" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100"
scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keyAlias="server"
keystoreFile="/home/user_name/your_site_name.jks" keystorePass="your_keystore_password" />
The POODLE issue can be validated in the following ways:
1. Using the openssl tool (if the server rejects the SSLv3 handshake, the fix is in place):
openssl s_client -connect gnudeveloper.com:443 -ssl3
2. Using an online tool:
https://www.ssllabs.com/ssltest/
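A third, offline check is to audit server.xml directly. The script below is an added example, not part of the original post: it parses the Connector elements and flags every HTTPS connector whose sslEnabledProtocols attribute is missing or still lists SSLv3. The sample server.xml, the keystore path and the password are constructed placeholders.

```python
# Added audit script (not from the original post): parse a Tomcat server.xml
# and flag HTTPS connectors that still allow SSLv3, i.e. are exposed to POODLE.
import xml.etree.ElementTree as ET

# Protocol names that must not appear in sslEnabledProtocols after the fix.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3"}

# Constructed sample: one fixed connector and one that still uses the JSSE default.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
               keystoreFile="/path/to/server.jks" keystorePass="changeit" />
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS" keystoreFile="/path/to/server.jks" keystorePass="changeit" />
  </Service>
</Server>"""


def audit_connectors(server_xml):
    """Return (port, finding) per HTTPS connector: "ok" or why it is still exposed."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # A connector serves TLS if SSLEnabled="true" or scheme="https".
        if (conn.get("SSLEnabled", "").lower() != "true"
                and conn.get("scheme", "").lower() != "https"):
            continue
        port = conn.get("port", "?")
        raw = conn.get("sslEnabledProtocols")
        if raw is None:
            # No explicit list: the JSSE default applies, which included SSLv3 on older JDKs.
            findings.append((port, "sslEnabledProtocols not set; SSLv3 may be enabled by default"))
            continue
        enabled = {p.strip() for p in raw.split(",") if p.strip()}
        legacy = sorted(enabled & LEGACY_PROTOCOLS)
        if legacy:
            findings.append((port, "legacy protocols enabled: " + ", ".join(legacy)))
        else:
            findings.append((port, "ok"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

Run it against the real server.xml by reading the file into a string and passing it to audit_connectors; any finding other than "ok" means the connector still needs the fix above.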
More info:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProvid...