Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.
The "Security/POODLE" page has been changed by OgnjenBlagojevic: https://wiki.apache.org/tomcat/Security/POODLE
Comment: Added POODLE vulnerability info

New page:

This Wiki entry serves as a place for all relevant information regarding [[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566|CVE-2014-3566]] (aka the POODLE SSL v3 vulnerability). Rather than repeating this information on mailing lists, etc., please link to this page and refer people to it.

== What is the POODLE vulnerability? ==

POODLE is an SSL v3 protocol vulnerability. It allows an attacker to downgrade an SSL/TLS connection to SSL v3 and then break its cryptographic protection (e.g. decrypt the traffic, hijack sessions, etc.).

== Prerequisites ==

For the attack to succeed, both client and server must support SSL v3, and the attacker must be a man-in-the-middle who is able to inject malicious JavaScript into the client browser.

== Mitigation ==

Disabling SSL v3 on either the client side or the server side mitigates this vulnerability.

To disable SSL v3 and enable all TLS protocols plus the SSLv2Hello pseudo-protocol on JSSE connectors, add the following attributes to your connector configuration in server.xml:

sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"

The same thing could be done on the APR connector using the following attributes: TODO

== On-line testing tools ==

Test your browser here: https://www.poodletest.com/

Test your server here: https://www.ssllabs.com/ssltest/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
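As an added example (not part of the wiki page or the Tomcat project), the following script audits a server.xml for JSSE connectors that still list SSLv3 in sslEnabledProtocols, using the attribute names from the Mitigation section above. The sample server.xml is constructed for the example; a connector that omits sslEnabledProtocols is reported as "unknown", since it inherits the JVM's default protocol list, which must be checked separately.

```python
"""Audit a Tomcat server.xml for SSL-enabled connectors that still allow SSL v3."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml: port 8443 still allows SSLv3, port 8444 uses the
# attributes recommended on the wiki page, and port 8445 leaves the protocol list
# to the JVM default. Port 8080 is plain HTTP and is skipped.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="SSLv3,TLSv1" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" />
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""


def audit_connectors(server_xml: str) -> dict:
    """Return {port: verdict} for every connector with SSLEnabled="true".

    Verdicts: 'vulnerable' (SSLv3 explicitly enabled), 'ok' (explicit protocol
    list without SSLv3), 'unknown' (no sslEnabledProtocols attribute, so the
    JVM default list applies and must be verified on the running JVM).
    """
    root = ET.fromstring(server_xml)
    results = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: POODLE does not apply
        port = conn.get("port")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            results[port] = "unknown"
            continue
        # Protocol names are comma-separated; compare case-insensitively to be safe.
        protocols = {p.strip().upper() for p in enabled.split(",") if p.strip()}
        results[port] = "vulnerable" if "SSLV3" in protocols else "ok"
    return results


if __name__ == "__main__":
    for port, verdict in sorted(audit_connectors(SAMPLE_SERVER_XML).items()):
        print(f"connector port {port}: {verdict}")
```

Run it against a real server.xml by passing the file contents to audit_connectors; any "vulnerable" or "unknown" connector should be given the sslEnabledProtocols value from the Mitigation section.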