How to deploy the SSLv3 POODLE fix for Tomcat
Posted by Aly Essa, Last modified by Aly Essa on 12 January 2017 01:47 PM

Overview

The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. This can be remedied by specifying the specific SSL Protocol to be used by the Tomcat Web Server Connector.

This change should be applied at the same time as the Logjam TLS vulnerability fix.

You can access the Knowledgebase Article here: http://support.filecatalyst.com/index.php?/Knowledgebase/Article/View/305/55/workaround-for-tomcat-ssl-and-tls-logjam-vulnerability


Environment

FileCatalyst Workflow v4.9.4 and later.

FileCatalyst Webmail v4.9.4 and later.

Tomcat v7.0 and later.


Resolution

  1. Shut down your Apache Tomcat service.
  2. Locate your Tomcat installation directory. For the purposes of this document, we will be using Windows environment paths. Typically it is installed in C:\Program Files\Apache Software Foundation\Tomcat 7.0\, but this may differ on your system.
  3. Navigate to the conf directory.
  4. Open the server.xml file in a text editor.
  5. Locate the connector that follows this comment:

    <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->

  6. Replace the connector's current sslEnabledProtocols value with:

    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

  7. Remove the following:

    sslProtocol="TLS"

  8. An example of the edited connector definition:

    <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!--FCWeb HTTPS Connector2-->
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" minSpareThreads="5" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="C:\Program Files\FileCatalyst Web Workflow/apache-tomcat/tomcat-ssl/.keystore" keystorePass="changeit"
    clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>

    <!-- Define a blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!--FCWeb HTTPS Connector1-->
    <Connector protocol="org.apache.coyote.http11.Http11Protocol"
    port="8443" minSpareThreads="5" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="C:\Program Files\FileCatalyst Web Workflow/apache-tomcat/tomcat-ssl/.keystore"
    keystorePass="changeit"
    clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>

  9. Save the file and restart your Apache Tomcat Server.
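Before restarting, it is worth confirming that every SSL-enabled connector in server.xml actually received the change from steps 6 and 7. The script below is an added example, not part of this article or of FileCatalyst; it parses a server.xml (a constructed sample is embedded, with one connector deliberately left unfixed) and reports each HTTPS connector that still lacks sslEnabledProtocols, still lists SSLv2/SSLv3, or still carries the sslProtocol attribute.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml mirroring the article's connectors (not the
# original file). The connector on 8444 is left unfixed to show a failing check.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="conf/.keystore" keystorePass="changeit"
               clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8444"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="conf/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>
"""

# Protocol names that a POODLE downgrade depends on; none should be enabled.
LEGACY = {"SSLv2", "SSLv3", "SSLv2Hello"}


def audit_connectors(xml_text):
    """Return [(port, findings)] for every Connector with SSLEnabled="true".

    An empty findings list means the connector matches the article's end
    state: an explicit TLS-only sslEnabledProtocols and no sslProtocol attribute.
    """
    root = ET.fromstring(xml_text)
    results = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector; POODLE does not apply
        findings = []
        protos = conn.get("sslEnabledProtocols")
        if protos is None:
            findings.append("sslEnabledProtocols missing; JSSE default may still allow SSLv3")
        else:
            enabled = {p.strip() for p in protos.split(",") if p.strip()}
            legacy = sorted(enabled & LEGACY)
            if legacy:
                findings.append("legacy protocols enabled: " + ", ".join(legacy))
        if "sslProtocol" in conn.attrib:
            findings.append("sslProtocol attribute still present (remove it, step 7)")
        results.append((conn.get("port"), findings))
    return results


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML):
        print(port, "OK" if not findings else "; ".join(findings))
```

Run it against your real file with `audit_connectors(open(path).read())`; any connector listed with findings still needs steps 6 and 7 applied.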