Which SSL Ciphers Should I Remove in Tomcat for the Poodle (SSL3) Vulnerability
Question
Which ciphers in my Tomcat's server.xml do I need to remove to be safe from the Poodle vulnerability? Anything that says SSL?
ciphers="
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
1 answers
solution1
3 ACCPTED 2014-10-31 13:27:52
Shellshock has nothing to do with TLS. And for POODLE you should not remove any ciphers either, but just disallow Protocol version SSL 3.0.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Securing a Thrift server aginst the POODLE SSL vulnerability
Glassfish 2.0 Poodle vulnerability - How to disable SSL and allow TLS only
How to control the SSL ciphers available to Tomcat
PayPal IPN stopped working with Tomcat/Open SSL after POODLE update
Remove SSL certificate from a project with tomcat 7
Tomcat/JBoss Remove SSL and force new handshake
How should I implement SSL?
Jetty - Any way to configure order of SSL ciphers?
Configuring Tomcat with SSL on server
SSL configuration in tomcat and apr
Related Tags