With the announcement last week of the POODLE vulnerability in SSLv3, I have been testing a new HTTPS Connector configuration for TOMCAT.

Most of the documentation I have found assumes that you are using the Native/APR connector. However, LabKey's standard TOMCAT configuration does not use Native/APR; it uses the NIO connector. After a bit of testing I found that to disable SSLv3 (and SSLv2) when using the BIO/NIO connectors, I used

<Connector port="443" scheme="https" secure="true"
    SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLSv1"
    ...
/>

During my testing, I found that if you do not use sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to limit the available protocols, then setting sslProtocol="TLSv1" on its own does not disable SSLv3: the connector still negotiates it.
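To catch the misconfiguration described above before a server goes live, a small audit of server.xml is useful. The following is an added example, not code from the original post or from LabKey: it parses a server.xml, and for every connector with SSLEnabled="true" it reports a connector that relies on sslProtocol alone (no sslEnabledProtocols attribute, so SSLv3 stays negotiable) or whose sslEnabledProtocols list names SSLv2, SSLv2Hello or SSLv3. The sample XML, port numbers and keystore path are constructed for the demo.

```python
"""Audit Tomcat server.xml HTTPS connectors (BIO/NIO, JSSE) for SSLv2/SSLv3 exposure.

Added example; not part of the original post. Rules checked per SSL-enabled
Connector:
  * no sslEnabledProtocols attribute  -> FAIL (sslProtocol alone leaves SSLv3 on)
  * sslEnabledProtocols lists SSLv2/SSLv2Hello/SSLv3 -> FAIL
  * otherwise                           -> OK, listing the protocols kept
"""
import xml.etree.ElementTree as ET

# Protocol names that should not appear in sslEnabledProtocols after POODLE.
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3"}

# Constructed sample server.xml: port 443 shows the bad pattern (sslProtocol only),
# port 8443 shows the pattern recommended above.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslProtocol="TLSv1" keystoreFile="conf/example.jks" />
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLSv1"
               keystoreFile="conf/example.jks" />
  </Service>
</Server>
"""


def audit_connectors(server_xml: str) -> list:
    """Return one finding dict (port, status, reason) per SSL-enabled Connector."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Plain HTTP connectors carry no TLS settings; skip them.
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            findings.append({
                "port": port,
                "status": "FAIL",
                "reason": "sslEnabledProtocols not set; SSLv3 remains negotiable "
                          "even with sslProtocol=%s" % conn.get("sslProtocol"),
            })
            continue
        # Tomcat takes a comma-separated list; normalise whitespace and blanks.
        protocols = {p.strip() for p in enabled.split(",") if p.strip()}
        weak = sorted(protocols & WEAK_PROTOCOLS)
        if weak:
            findings.append({
                "port": port,
                "status": "FAIL",
                "reason": "weak protocols enabled: " + ", ".join(weak),
            })
        else:
            findings.append({
                "port": port,
                "status": "OK",
                "reason": "only " + ", ".join(sorted(protocols)),
            })
    return findings


def audit_file(path: str) -> list:
    """Convenience wrapper for a real server.xml on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_connectors(fh.read())


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print("port %-5s %-4s %s" % (f["port"], f["status"], f["reason"]))
```

Run it against a real file with `audit_file("/path/to/conf/server.xml")`. The check is deliberately static: it confirms the configuration says the right thing, which is independent of whether the JVM on the host still ships SSLv3 at all.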

If you are interested in seeing the rest of the HTTPS connector that LabKey uses, an example of our server.xml config file is available at https://github.com/LabKey/samples/blob/master/ops/config-examples/server-SSL.xml.