...
- Open the
<PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xmlfile. - Take a backup of the
catalina-server.xmlfile and stop the Carbon server. Find the Connector configuration corresponding to TLS (usually, this connector has the port set to 9443 and the
If you are using JDK 1.6, removesslProtocolas TLS).Remove the
from the configurationsslProtocol="TLS"attributeCode Block and replace it with
sslEnabledProtocols="TLSv1"as shown below.
" If you are using JDK 1.7sslEnabledProtocols="TLSv1
remove the,sslProtocol="TLS"attribute from the above configuration and replace it with sslEnabledProtocols="
,TLSv1TLSv1.1,TLSv1.2"as shown below.Code Block <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443" bindOnInit="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"- Start the server.
To test if SSL version 3 is disabled:
- Download
TestSSLServer.jarfrom here. Execute the following command to test the transport:
Code Block java -jar TestSSLServer.jar localhost 9443
The output of the command before and after command after disabling SSL version 3 is shown below.
Before SSL version 3 is disabled:Code Block .
0: idem)
After SSL version 3 is disabled:Code Block Supported versions: TLSv1.0 Deflate compression: no Supported cipher suites (ORDER IS NOT SIGNIFICANT): TLSv1.0 RSA_EXPORT_WITH_RC4_40_MD5 RSA_WITH_RC4_128_MD5 RSA_WITH_RC4_128_SHA RSA_EXPORT_WITH_DES40_CBC_SHA RSA_WITH_DES_CBC_SHA RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA_EXPORT_WITH_DES40_CBC_SHA DHE_RSA_WITH_DES_CBC_SHA DHE_RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA DHE_RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA DHE_RSA_WITH_AES_256_CBC_SHA
...