Disable SSLv3

Preparation:

Before start, you can check:
- whether your domain supports SSLv3 at https://www.ssllabs.com/ssltest/analyze.html
- whether your browser supports SSLv3 at https://www.ssllabs.com/ssltest/viewMyClient.html

 

Solutions:

To disable SSLv3 in Tomcat, you need to:

Open CATALINA_HOME/conf/server.xml and modify the corresponding connectors.

For example, I have a connector like this:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" 
        maxThreads="150" scheme="https" secure="true" 
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="conf/sslCertificate/tomcat13.keystore" keystorePass="cas24MEGA"

    />

Delete sslProtocol="TLS" and add sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSLv3. When sslProtocol="TLS", all TLS and SSL versions are enabled. "sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"" means only TLSv1,TLSv1.1 and TLSv1.2 are enabled, which can indirectly disable SSLv3.

It is worth to search more information about SSLv3, POODLE and TLS_FALLBACK_SCSV to understand why it is necessary to disable SSLv3, when we should disble it and its alternatives.

 

Note: 
(1) The attribute name in the connector is sslEnabledProtocols not sslProtocol or sslProtocols or SSLProtocol, etc.

 

More readings:
[1] https://www.imperialviolet.org/2014/10/14/poodle.html
[2] https://www.openssl.org/~bodo/ssl-poodle.pdf
[3] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00