Following are the steps to fix the POODLE vulnerability (CVE-2014-3566) in Tomcat. POODLE is a padding-oracle attack on the CBC cipher suites of SSLv3, so the fix is simply to stop the connector from negotiating SSLv3 (and SSLv2) at all; the certificate work below is only needed because you have to have an HTTPS connector configured before you can restrict its protocols.
1. To enable SSL, generate a self-signed certificate or procure one from a trusted third-party Certificate Authority.
For the sake of simplicity I'll use a self-signed certificate. Run keytool, located in the bin folder of the JDK, to generate it:
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore \path\to\my\keystore.keystore
keytool prompts for the keystore password and for the certificate's distinguished name; answer the "first and last name" question with the hostname clients will use, since that becomes the CN the browser checks. Older keytool releases default to a 1024-bit RSA key, which is why -keysize 2048 is given explicitly.
For those wanting a certificate from a trusted Certificate Authority: generate a certificate signing request for the tomcat alias with keytool's -certreq option, submit it to the CA, and when the certificate comes back first import the CA's chain (intermediate/root) certificate into your keystore:
keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>
And finally import the certificate issued to you. It must go in under the same alias as the private key (tomcat), otherwise keytool stores it as a trusted certificate instead of pairing it with the key:
keytool -import -alias tomcat -keystore <your_keystore_filename> -file <your_certificate_filename>
2. Configure Tomcat for SSL with the POODLE fix
In server.xml under the conf folder of the Tomcat installation, enable SSL by removing the comments around the SSL connector section and modifying it as given below:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="\path\to\my\keystore.keystore"
           keystorePass="<password provided during keystore generation>"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"/>
The attribute that actually removes SSLv3 is sslEnabledProtocols. sslProtocol="TLS" only names the JSSE SSLContext algorithm and on its own still lets the JVM offer SSLv3, so a connector without an explicit sslEnabledProtocols list remains vulnerable. If you do not have to support old clients, set sslEnabledProtocols="TLSv1.2", since TLS 1.0 and 1.1 are themselves deprecated today. Two caveats for other connector types: the APR/native connector does not read sslEnabledProtocols and instead takes a '+'-separated list in SSLProtocol (for example SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"), and on Tomcat 8.5 and later the protocol list moves to the protocols attribute of the <SSLHostConfig> element nested inside the Connector.
Start Tomcat and browse to https://<host>:<ssl port>.
With a self-signed certificate the browser warns that the issuer is not trusted; accept the certificate and the default ROOT application is displayed.
3. To confirm that SSLv2 and SSLv3 are disabled, download sslscan from https://github.com/rbsec/sslscan/releases
and execute the following commands:
sslscan --ssl3 --no-failed 127.0.0.1:8443
sslscan --ssl2 --no-failed 127.0.0.1:8443
Neither command should list any accepted cipher suites. Two things to check before trusting that result: sslscan can only probe SSLv2/SSLv3 if the OpenSSL it was built against still supports those versions (a build without that support reports that it cannot test them, which is not the same as proving they are off; an openssl s_client connection forced to SSLv3 failing with a handshake alert is an equivalent check where the local OpenSSL still has SSLv3), and the scan must also be run against the real hostname and port from outside the host, because a load balancer or reverse proxy in front of Tomcat terminates TLS with its own, separately configured, protocol list.
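When there are many Tomcat instances to patch, it is useful to audit the server.xml files before touching each server, rather than relying on port scans alone. The script below is an added example and is not part of the original post or of Tomcat; it uses only the Python standard library and parses a constructed server.xml (assumed content, not a real deployment) containing the unfixed connector from step 2, the fixed one, a connector that explicitly re-enables SSLv3, and a Tomcat 8.5-style <SSLHostConfig>. It reports every SSL-enabled connector that can still negotiate SSLv2 or SSLv3, applying the rules described above: a JSSE connector is weak unless sslEnabledProtocols names only TLS versions, an APR connector is judged by SSLProtocol, and an <SSLHostConfig> is judged by its protocols attribute (whose default "all" excludes SSLv3).

```python
import re
import xml.etree.ElementTree as ET

# Protocol names that must never be negotiable; SSLv3 is the POODLE target.
BANNED = ("SSLv2", "SSLv3")


def split_protocols(value):
    """Split a Tomcat protocol list (comma, '+' or space separated) into (enabled, removed); "-X" removes X."""
    tokens = [t for t in re.split(r"[,+\s]+", value.strip()) if t]
    enabled = {t for t in tokens if not t.startswith("-")}
    removed = {t[1:] for t in tokens if t.startswith("-")}
    return enabled, removed


def banned_in(value):
    """Banned protocols that a protocol list explicitly enables and does not remove again."""
    enabled, removed = split_protocols(value)
    return [p for p in BANNED if p in enabled and p not in removed]


def audit_connector(conn):
    """Return (port, message) findings for one SSL-enabled <Connector> element."""
    port = conn.get("port", "?")
    findings = []
    hostconfigs = conn.findall("SSLHostConfig")
    if hostconfigs:
        # Tomcat 8.5+: list lives on <SSLHostConfig protocols="...">; its default
        # "all" already excludes SSLv3, so only an explicit SSLv2/SSLv3 is a finding.
        for hc in hostconfigs:
            bad = banned_in(hc.get("protocols", "all"))
            if bad:
                findings.append((port, "SSLHostConfig protocols enables " + ", ".join(bad)))
        return findings
    if "SSLProtocol" in conn.attrib:
        # APR/native connector (Tomcat 6/7/8.0): SSLProtocol="TLSv1+TLSv1.1+TLSv1.2".
        value = conn.get("SSLProtocol")
        enabled, removed = split_protocols(value)
        bad = banned_in(value)
        if bad:
            findings.append((port, "SSLProtocol enables " + ", ".join(bad)))
        elif "all" in enabled and "SSLv3" not in removed:
            findings.append((port, 'SSLProtocol="all" may include SSLv3 on older releases; list TLS versions explicitly'))
        return findings
    # JSSE connector (BIO/NIO): only sslEnabledProtocols restricts versions;
    # sslProtocol="TLS" just names the SSLContext algorithm and still permits SSLv3.
    value = conn.get("sslEnabledProtocols")
    if value is None:
        findings.append((port, "no sslEnabledProtocols: JVM default may offer SSLv3"))
    else:
        bad = banned_in(value)
        if bad:
            findings.append((port, "sslEnabledProtocols enables " + ", ".join(bad)))
    return findings


def audit(server_xml):
    """Audit every SSL-enabled <Connector> in a server.xml string; returns a list of (port, message)."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            findings.extend(audit_connector(conn))
    return findings


# Constructed sample server.xml for the example (not taken from a real deployment).
SAMPLE = r"""<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <!-- 8443: still vulnerable, sslProtocol="TLS" alone does not drop SSLv3 -->
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="\path\to\my\keystore.keystore" keystorePass="changeit"/>
  <!-- 8444: fixed, explicit TLS-only list -->
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
             keystoreFile="\path\to\my\keystore.keystore" keystorePass="changeit"/>
  <!-- 8445: vulnerable, SSLv3 re-enabled "for an old client" -->
  <Connector port="8445" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="SSLv3,TLSv1"
             keystoreFile="\path\to\my\keystore.keystore" keystorePass="changeit"/>
  <!-- 8446: Tomcat 8.5+ style, TLS 1.2 only -->
  <Connector port="8446" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2">
      <Certificate certificateKeystoreFile="\path\to\my\keystore.keystore"
                   certificateKeystorePassword="changeit"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for port, message in audit(text):
        print(f"port {port}: {message}")
```

Run it with the path to a server.xml as the only argument, or with no argument to audit the embedded sample, which reports ports 8443 and 8445 and stays silent on 8444 and 8446. The script reads the configuration only, so a clean report still needs the sslscan check in step 3: a load balancer in front of Tomcat, or a JVM whose own security properties re-enable a protocol, is invisible in server.xml.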