I have a couple of production servers running Tomcat 7.0 with an APR+SSL connector and because of the recent POODLE attack I was asked to disable SSLv3 completely in some of these servers. I dug through the Tomcat Connectors documentation and according to it, setting SSLProtocol to TLSv1 (instead of all) should be sufficient to disable SSLv3 and enforce TLSv1.
The problem is that TLSv1 seems to enable TLS but does not make the server refuse SSLv3. I tested this using openssl s_client -connect -ssl3 and I verified that plain-old SSLv3 connections can still be accepted, so I was wondering if this is a bug in Tomcat or if there is something else that I need to set to disable SSLv3 completely.
UPDATE: I disabled APR for now and reverted to using a NIO connector with sslProtocol="TLS" and that works fine. The problem seems to be specifically affecting APR. For reference, this is my new connector configuration:
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="500"
           scheme="https"
           secure="true"
           clientAuth="false"
           keystoreFile="/etc/keys/***.ks"
           keystorePass="****"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.1,TLSv1.2"
           />
It seems that the ability to disable SSL completely when using the APR connector with TLS is still a work in progress. Check this link for more information: https://issues.apache.org/bugzilla/show_bug.cgi?id=53952#c30, specifically Comment #37.
The good news is that it'll be fixed in the next releases of Tomcat and Tomcat Native. See comment #39:
Fixed in tcnative-trunk in r1632593 and tcnative-1.1.x in r1632595.
Will be in tcnative 1.1.32.
and Comment #40:
Fixed in Tomcat-trunk in r1632604. Will be in Tomcat 8.0.15.
Fixed in Tomcat 7 in r1632606. Will be in Tomcat 7.0.57.
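To check which connectors in a server.xml are affected by what the question and the answer describe, here is an added example (my own code, not from the question's author, the answer, or the Tomcat project). It parses the SSL-enabled Connector elements and reports, per connector, whether SSLv3 is allowed: a JSSE (NIO/BIO) connector is judged by its sslEnabledProtocols list, while an APR connector with SSLProtocol set only to TLS values is reported as depending on the fixed versions named in the answer (Tomcat 7.0.57, tcnative 1.1.32). The embedded server.xml is constructed for the example; the key and keystore paths in it are placeholders.

```python
"""Audit a Tomcat 7 server.xml for connectors that may still accept SSLv3.

Added example, not code from the original thread or from Tomcat. It encodes
what the thread states: a JSSE (NIO/BIO) connector restricts protocols with
sslEnabledProtocols, while an APR connector's SSLProtocol="TLSv1" did not
refuse SSLv3 before the fixes in Tomcat 7.0.57 / tcnative 1.1.32.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (paths and passwords are placeholders).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- APR connector with the setting the question found insufficient -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/etc/keys/example.crt"
               SSLCertificateKeyFile="/etc/keys/example.key"
               SSLProtocol="TLSv1" />
    <!-- NIO connector configured like the question's update -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/etc/keys/example.ks" keystorePass="changeit"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.1,TLSv1.2" />
    <!-- NIO connector that never restricted the protocol list -->
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/etc/keys/example.ks" keystorePass="changeit"
               sslProtocol="TLS" />
  </Service>
</Server>
"""

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"


def _is_apr(connector):
    # APR is selected by its explicit protocol class; the uppercase SSLProtocol
    # attribute is also APR-only (JSSE connectors use lowercase sslProtocol).
    return (connector.get("protocol") == APR_PROTOCOL
            or "SSLProtocol" in connector.attrib)


def audit_connector(connector):
    """Return (port, status, detail) for one SSL-enabled <Connector> element."""
    port = connector.get("port", "?")
    if _is_apr(connector):
        value = connector.get("SSLProtocol", "all")  # APR default is "all"
        tokens = [t.strip() for t in value.replace("+", ",").split(",") if t.strip()]
        if value.lower() == "all" or any(t.upper().startswith("SSL") for t in tokens):
            return port, "SSLv3 ALLOWED", "APR SSLProtocol=%r permits SSLv3" % value
        # Only TLS values listed: per the thread, older tcnative still accepted SSLv3.
        return (port, "SSLv3 DEPENDS ON VERSION",
                "APR SSLProtocol=%r only refuses SSLv3 from Tomcat 7.0.57 / "
                "tcnative 1.1.32 onwards" % value)
    enabled = connector.get("sslEnabledProtocols")
    if enabled is None:
        return (port, "SSLv3 NOT RESTRICTED",
                "JSSE connector without sslEnabledProtocols uses the JVM default list")
    tokens = [t.strip() for t in enabled.split(",") if t.strip()]
    # Any SSL* entry (SSLv3, or the SSLv2Hello pseudo-protocol) is flagged.
    bad = [t for t in tokens if t.upper().startswith("SSL")]
    if bad:
        return port, "SSLv3 ALLOWED", "sslEnabledProtocols lists %s" % ",".join(bad)
    return port, "OK", "sslEnabledProtocols=%r" % enabled


def audit_server_xml(xml_text):
    """Audit every SSL-enabled connector; returns a list of (port, status, detail)."""
    root = ET.fromstring(xml_text)
    return [audit_connector(c) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


if __name__ == "__main__":
    for port, status, detail in audit_server_xml(SAMPLE_SERVER_XML):
        print("port %s: %s (%s)" % (port, status, detail))
```

Run it against a real server.xml by reading the file into audit_server_xml; the "DEPENDS ON VERSION" result is the case from the question, and the only way to settle it is the Tomcat/tcnative version actually deployed, which a config file cannot tell you.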