The transport-level security protocol of the Tomcat server is configured in the <PRODUCT_HOME>/conf/tomcat/catalina-server.xml file. Note that the sslProtocol attribute is set to "TLS" by default.



Testing SSL version 3 configuration for the Identity Server


SSL version 3 is disabled by default from IS 5.1.0 onwards. It is necessary to disable SSL version 3 in Carbon servers because of a vulnerability (the POODLE attack) in the SSL version 3 protocol that could expose critical data encrypted between clients and servers. The POODLE attack makes the system vulnerable by telling the client that the server does not support the more secure TLS (Transport Layer Security) protocol, thereby forcing it to connect via SSL 3.0. The effect of this vulnerability is mitigated when the SSL version 3 protocol is disabled on your server.


Follow the steps given below to disable SSL 3.0 support on the WSO2 Identity Server.


Info

The configuration that disables SSL version 3 can be found in the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file, under the Connector configuration corresponding to TLS (usually, this connector has the port set to 9443 and sslProtocol set to TLS).


The sslEnabledProtocols parameter defines a comma-separated list of TLS protocol versions to support for HTTPS connections.

Code Block
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="9443"
           bindOnInit="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"


Follow the instructions below to test that SSL version 3 is disabled:

  1. Download TestSSLServer.jar from here.
  2. Execute the following command to test the transport:

    Code Block
    java -jar TestSSLServer.jar localhost 9443 
  3. After SSL version 3 is disabled, the output of the command is as follows:

    Code Block
    Supported versions: TLSv1.0
    Deflate compression: no
    Supported cipher suites (ORDER IS NOT SIGNIFICANT):
      TLSv1.0
         RSA_EXPORT_WITH_RC4_40_MD5
         RSA_WITH_RC4_128_MD5
         RSA_WITH_RC4_128_SHA
         RSA_EXPORT_WITH_DES40_CBC_SHA
         RSA_WITH_DES_CBC_SHA
         RSA_WITH_3DES_EDE_CBC_SHA
         DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
         DHE_RSA_WITH_DES_CBC_SHA
         DHE_RSA_WITH_3DES_EDE_CBC_SHA
         RSA_WITH_AES_128_CBC_SHA
         DHE_RSA_WITH_AES_128_CBC_SHA
         RSA_WITH_AES_256_CBC_SHA
         DHE_RSA_WITH_AES_256_CBC_SHA
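As an added example (not part of the WSO2 documentation), the following script audits the Connector elements of a catalina-server.xml for HTTPS connectors that are not pinned to TLS-only sslEnabledProtocols, and checks a TestSSLServer "Supported versions:" line for SSLv3. The sample XML is constructed for this example; the SSLEnabled attribute is standard Tomcat, the ports and connector mix are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: TLS-only connector (as the docs recommend), one still listing SSLv3, one unpinned, one plain HTTP.
SAMPLE_CATALINA_XML = """\
<Server>
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9443" bindOnInit="false" SSLEnabled="true"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9444" SSLEnabled="true" sslProtocol="TLS"
               sslEnabledProtocols="SSLv3,TLSv1"/>
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9445" SSLEnabled="true" sslProtocol="TLS"/>
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9763"/>
  </Service>
</Server>
"""

def audit_connectors(xml_text):
    """Return {port: finding} for every TLS connector that is not pinned to TLS-only protocols."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        attrs = {k.lower(): v for k, v in conn.attrib.items()}  # Tomcat attribute case varies
        if attrs.get("sslenabled", "").lower() != "true" and "sslprotocol" not in attrs:
            continue  # plain HTTP connector, nothing to check
        port = attrs.get("port", "?")
        enabled = attrs.get("sslenabledprotocols")
        if enabled is None:
            findings[port] = "sslEnabledProtocols missing; JVM defaults decide what is offered"
            continue
        # Anything not starting with "TLS" (SSLv3, SSLv2Hello) is outside the TLS-only list the docs prescribe
        bad = [p.strip() for p in enabled.split(",") if not p.strip().startswith("TLS")]
        if bad:
            findings[port] = "non-TLS protocol(s) enabled: " + ",".join(bad)
    return findings

def ssl3_supported(test_ssl_server_output):
    """True if a TestSSLServer report lists SSLv3 on its 'Supported versions:' line."""
    for line in test_ssl_server_output.splitlines():
        if line.startswith("Supported versions:"):
            return "SSLv3" in line.split(":", 1)[1].split()
    return False

if __name__ == "__main__":
    for port, finding in sorted(audit_connectors(SAMPLE_CATALINA_XML).items()):
        print(f"port {port}: {finding}")
    print("SSLv3 in report:", ssl3_supported("Supported versions: TLSv1.0\n"))
```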
