With the announcement last week of the POODLE vulnerability in SSLv3, I have been testing a new HTTPS Connector configuration for Tomcat.
Most of the documentation I have found assumes that you are using the Native/APR connector. However, LabKey's standard Tomcat configuration does not use the Native/APR connector; it uses the NIO connector. After a bit of testing, I found that to disable SSLv3 (and SSLv2) when using the BIO/NIO (JSSE) connectors, the following Connector settings work:
<Connector port="443" scheme="https" secure="true" SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLSv1" ... />
During my testing, I found that if you do not use sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to limit the available protocols, then setting only sslProtocol="TLSv1" still leaves SSLv3 available. The sslProtocol attribute only names the JSSE SSLContext algorithm that Tomcat instantiates, and the context created for "TLSv1" still supports SSLv3 among its enabled protocols; sslEnabledProtocols is the attribute that actually restricts which versions the connector will negotiate.
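Because the difference between sslProtocol and sslEnabledProtocols is easy to miss in a long server.xml, here is a small audit script that applies the rule above to every SSL-enabled Connector in a file. This is an added example, not part of the original post and not LabKey's code; the embedded server.xml is a constructed sample (ports, keystore path and the extra connectors are hypothetical) that covers the three cases a practitioner meets: sslProtocol alone, the explicit TLS-only list from the post, and a list that still names SSLv3.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample server.xml (not LabKey's real file): the first HTTPS
# connector relies on sslProtocol alone, the second uses the explicit list
# from the post, the third explicitly enables SSLv3, the last is plain HTTP.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLSv1" keystoreFile="conf/keystore" />
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLSv1"
               keystoreFile="conf/keystore" />
    <Connector port="8444" scheme="https" secure="true" SSLEnabled="true"
               sslEnabledProtocols="SSLv3,TLSv1" sslProtocol="TLSv1"
               keystoreFile="conf/keystore" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

# Protocol names (as Tomcat/JSSE spell them) that POODLE hardening must exclude.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


def audit_connectors(server_xml: str) -> List[Tuple[str, str]]:
    """Return one (port, finding) pair per SSL-enabled Connector.

    A connector is reported OK only when sslEnabledProtocols is present and
    names no SSLv2/SSLv3 version; sslProtocol on its own is never enough.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        port = conn.get("port", "?")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            findings.append((port, "FAIL: no sslEnabledProtocols; "
                                   "sslProtocol alone does not exclude SSLv3"))
            continue
        protos = {p.strip() for p in enabled.split(",") if p.strip()}
        legacy = sorted(protos & LEGACY_PROTOCOLS)
        if legacy:
            findings.append((port, "FAIL: legacy protocols enabled: " + ", ".join(legacy)))
        else:
            findings.append((port, "OK: " + ", ".join(sorted(protos))))
    return findings


def poodle_safe(server_xml: str) -> bool:
    """True only if every SSL-enabled connector passed the audit."""
    return all(finding.startswith("OK") for _, finding in audit_connectors(server_xml))


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
    print("server.xml POODLE-safe:", poodle_safe(SAMPLE_SERVER_XML))
```

Run it against your own server.xml by reading the file into a string and passing it to audit_connectors. The static check only tells you what the configuration asks for; after restarting Tomcat, confirm the running server actually refuses SSLv3 with an OpenSSL build that still includes SSLv3 support, e.g. `openssl s_client -ssl3 -connect yourhost:443`, which should fail the handshake.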
If you are interested in seeing the rest of the HTTPS connector that LabKey uses, an example of our server.xml config file is available at https://github.com/LabKey/samples/blob/master/ops/config-examples/server-SSL.xml.