How to Disable SSLv3 in Apache Tomcat: Secure TLS Configuration Guide

SSLv3 has long been considered insecure due to vulnerabilities like POODLE (Padding Oracle On Downgraded Legacy Encryption). Modern security standards require disabling SSLv3 and using TLSv1.2 or higher.

Your current connector configuration shows good intentions but needs refinement:

<Connector ...
       enableLookups="true" disableUploadTimeout="true"
       acceptCount="100"  maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       clientAuth="false" sslProtocol="TLS" 
       ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" 
       sslEnabledProtocols="TLSv1" />

For Tomcat 8.5+ with TLS 1.2 enforcement:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" 
           sslEnabledProtocols="TLSv1.2,TLSv1.3"
           ciphers="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,
                   TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                   TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
                   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

For maximum security, consider these additional measures:

  • Remove all CBC-mode ciphers if possible
  • Set useServerCipherSuitesOrder="true" to enforce server cipher preference
  • Configure HSTS headers in your web.xml

After making changes, verify using:

openssl s_client -connect yourdomain:443 -ssl3

This should fail with the error "ssl handshake failure".

For older Tomcat versions (7.0.x), you may need additional JVM arguments:

-Djdk.tls.client.protocols=TLSv1.2 
-Dhttps.protocols=TLSv1.2

Many Tomcat administrators face this issue where their server unexpectedly falls back to SSLv3 despite explicit TLS configuration. This creates serious security vulnerabilities since SSLv3 was officially deprecated in 2015 due to POODLE attacks.

Your current configuration contains several good security parameters, but needs adjustments:

<Connector 
    port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true"
    maxThreads="200"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, 
             TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
             TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
    keystoreFile="/path/to/keystore"
    keystorePass="password"
/>

To completely disable SSLv3, focus on these critical attributes:

  • sslEnabledProtocols: Should explicitly list only TLS versions (remove any SSL references)
  • protocol: Use NIO or APR implementations for better protocol control
  • ciphers: Ensure they're TLS-exclusive and strong enough
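
The three attributes above, together with the cipher-order and CBC points from the earlier list, can be checked mechanically before a restart. The script below is an added example written for this page; it is not code from the page's own answers or from the Tomcat project. It parses a server.xml, finds every connector with SSLEnabled="true", and audits the protocol list, the cipher list and the server-order flag under all three attribute namings Tomcat uses (JSSE connector attributes, APR/OpenSSL connector attributes, and the nested SSLHostConfig element of 8.5+). The severity thresholds (SSLv2/SSLv3 critical, anything below TLSv1.2 a warning, CBC suites a warning) and the sample server.xml with its placeholder keystore path and password are constructed assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET

# Tomcat names the same three settings differently per connector style: JSSE (NIO/NIO2)
# attributes, APR/OpenSSL attributes, and the nested <SSLHostConfig> element of 8.5+.
PROTOCOL_ATTRS = ("sslEnabledProtocols", "SSLProtocol", "protocols")
CIPHER_ATTRS = ("ciphers", "SSLCipherSuite")
ORDER_ATTRS = ("useServerCipherSuitesOrder", "SSLHonorCipherOrder", "honorCipherOrder")

LEGACY_PROTOCOLS = {"SSLV2", "SSLV3"}                # never acceptable (POODLE and friends)
WEAK_PROTOCOLS = {"SSLV2HELLO", "TLSV1", "TLSV1.1"}  # below the TLSv1.2 floor
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "MD5", "DES")  # substrings of JSSE suite names
SEVERITY_RANK = {"OK": 0, "WARN": 1, "CRITICAL": 2}

def split_protocols(value):
    """Split a Tomcat protocol list; JSSE uses commas, APR's SSLProtocol uses '+'."""
    return [p.strip() for p in value.replace("+", ",").split(",") if p.strip()]

def audit_protocols(value, findings):
    if value is None:
        findings.append(("WARN", "no explicit protocol list: JVM/OpenSSL defaults decide"))
        return
    for name in split_protocols(value):
        upper = name.upper()
        if upper in LEGACY_PROTOCOLS:
            findings.append(("CRITICAL", f"legacy protocol enabled: {name}"))
        elif upper in WEAK_PROTOCOLS:
            findings.append(("WARN", f"pre-TLSv1.2 protocol enabled: {name}"))
        elif upper == "ALL":
            findings.append(("WARN", "'all' keyword: replace with an explicit TLSv1.2,TLSv1.3 list"))

def audit_ciphers(value, findings):
    if value is None:
        findings.append(("WARN", "no cipher list: JVM/OpenSSL defaults apply"))
        return
    if ":" in value:  # OpenSSL cipher string such as HIGH:!aNULL:!MD5
        for excl in ("!aNULL", "!MD5", "!RC4"):
            if excl not in value:
                findings.append(("WARN", f"OpenSSL cipher string does not exclude {excl[1:]}"))
        return
    for suite in (s.strip() for s in value.split(",") if s.strip()):
        upper = suite.upper()
        if any(marker in upper for marker in WEAK_CIPHER_MARKERS):
            findings.append(("CRITICAL", f"weak cipher suite: {suite}"))
        elif "_CBC_" in upper:
            findings.append(("WARN", f"CBC-mode cipher suite: {suite}"))

def audit_order(value, findings):
    if value is None or value.lower() != "true":
        findings.append(("WARN", "server cipher preference not enforced"))

def first_attr(elem, names):
    for name in names:
        if name in elem.attrib:
            return elem.attrib[name]
    return None

def audit_server_xml(xml_text):
    """Return {connector label: [(severity, message), ...]} for each TLS-enabled connector."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector: nothing to audit
        findings = []
        # When <SSLHostConfig> children exist the TLS settings live there, not on the connector.
        for host in conn.findall("SSLHostConfig") or [conn]:
            audit_protocols(first_attr(host, PROTOCOL_ATTRS), findings)
            audit_ciphers(first_attr(host, CIPHER_ATTRS), findings)
            audit_order(first_attr(host, ORDER_ATTRS), findings)
        report[f"Connector port={conn.get('port', '?')}"] = findings
    return report

def worst_severity(findings):
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.get, default="OK")

# Constructed sample server.xml fragment: a legacy connector and a hardened 8.5+ one.
SAMPLE_SERVER_XML = """<Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
             sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
             keystoreFile="/path/to/keystore" keystorePass="changeit"/>
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3" honorCipherOrder="true"
                   ciphers="TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
      <Certificate certificateKeystoreFile="/path/to/keystore"
                   certificateKeystorePassword="changeit"/>
    </SSLHostConfig>
  </Connector>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service>
"""

if __name__ == "__main__":
    for label, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(f"{label}: {worst_severity(findings)}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run it against a real file with `audit_server_xml(open("conf/server.xml").read())`. The OpenSSL-format check is deliberately shallow: a string like HIGH:!aNULL:!MD5 can only be fully expanded by the OpenSSL build Tomcat links against, so the script checks for the expected exclusions and leaves the final word to a live handshake test.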

For Tomcat 8.5+ with OpenSSL, consider this enhanced configuration:

<Connector
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    port="8443"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    SSLCipherSuite="HIGH:!aNULL:!MD5:!RC4:!SSLv3"
    SSLProtocol="TLSv1.2+TLSv1.3"
    SSLVerifyClient="optional"
    SSLHonorCipherOrder="true"
    compression="off"
/>

After making changes:

  1. Restart Tomcat completely
  2. Test with the OpenSSL command: openssl s_client -connect yourserver:443 -ssl3
  3. Verify using SSL Labs test tool
  4. Check Tomcat logs for protocol negotiation
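
The single `openssl s_client -ssl3` check above has a practical gap: most current OpenSSL builds are compiled without SSLv3, so the command fails with an unknown-option error on the client side, which tells you nothing about the server. The probe below is an added example written for this page (not code from the answers above or from the Tomcat project) that generalizes the check to every version from SSLv3 through TLSv1.3 using Python's ssl module: each handshake is pinned to exactly one protocol version, a server refusal is distinguished from the local library being unable to offer that version, and a verdict is derived against a TLSv1.2 floor. The host and port are assumptions passed on the command line; the `handshake` parameter exists so the aggregation logic can be exercised without a live server.

```python
import socket
import ssl
import warnings

# Versions to probe, oldest first.  SSLv3 is listed on purpose: a hardened Tomcat must
# refuse it, and a modern OpenSSL build may be unable even to offer it; that case is
# reported as "untestable" rather than mistaken for "the server refused".
PROBE_VERSIONS = (
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
)
FLOOR = ssl.TLSVersion.TLSv1_2  # lowest version a hardened server may still negotiate

class ProbeUnavailable(Exception):
    """The local TLS library cannot offer the requested version at all."""

def single_version_context(version):
    """Client context that offers exactly one protocol version and any cipher suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test version support here, not certificate trust
    with warnings.catch_warnings():  # OP_NO_* flags are deprecated but still enforced
        warnings.simplefilter("ignore")
        ctx.options &= ~(ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
                         | ssl.OP_NO_TLSv1_2 | ssl.OP_NO_TLSv1_3)
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # allow legacy suites so only the version decides
    except ssl.SSLError:
        ctx.set_ciphers("ALL")  # library without security levels
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError as exc:  # e.g. SSLv3 compiled out of the local library
        raise ProbeUnavailable(str(exc)) from exc
    return ctx

def tls_handshake(host, port, version, timeout=5.0):
    """One handshake pinned to `version`: returns the negotiated version string, or None
    when the server refuses.  Raises ProbeUnavailable if the client cannot offer it."""
    ctx = single_version_context(version)
    raw = socket.create_connection((host, port), timeout=timeout)  # unreachable host propagates
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()
    except ssl.SSLError as exc:
        if "no protocols available" in str(exc).lower():  # nothing usable in our one-version window
            raise ProbeUnavailable(str(exc)) from exc
        return None  # alert or handshake failure sent by the server
    except (ConnectionError, socket.timeout, EOFError):
        return None  # server dropped the connection instead of alerting
    finally:
        raw.close()

def probe_protocols(host, port, handshake=tls_handshake):
    """Map every probed version to 'accepted', 'refused' or 'untestable'."""
    results = {}
    for name, version in PROBE_VERSIONS:
        try:
            results[name] = "accepted" if handshake(host, port, version) else "refused"
        except ProbeUnavailable:
            results[name] = "untestable"
    return results

def verdict(results):
    """'HARDENED' when nothing below TLSv1.2 is accepted and TLSv1.2 or TLSv1.3 is."""
    legacy = [n for n, v in PROBE_VERSIONS if v < FLOOR and results.get(n) == "accepted"]
    if legacy:
        return "FAIL: accepts " + ", ".join(legacy)
    if any(results.get(n) == "accepted" for n, v in PROBE_VERSIONS if v >= FLOOR):
        return "HARDENED"
    return "FAIL: no TLSv1.2/TLSv1.3 negotiated"

if __name__ == "__main__":
    import sys
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed defaults
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    outcome = probe_protocols(target_host, target_port)
    for name, state in outcome.items():
        print(f"{name:8s} {state}")
    print(verdict(outcome))
```

An "untestable" entry for SSLv3 is not a pass: it means this machine cannot speak SSLv3, so confirm from a host whose OpenSSL still can, or rely on the server.xml settings plus an external scanner for that one version. Certificate verification is disabled on purpose because the probe measures protocol acceptance, not trust; use a separate check for the certificate chain.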