
I have a Spring MVC app running on JBoss AS 7.1.1. I need to turn off SSLv3 to protect against the POODLE vulnerability. The JBoss documentation at https://access.redhat.com/solutions/1232233 suggests I need to make sure that SSLv3 is not listed in the SSL protocol attributes.

I have tried that, but I can still connect to my website after enabling only SSL in the Internet Explorer options displayed below. Below is my standalone.xml configuration:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
     <ssl name="foo-ssl" key-alias="foo" password="secret" certificate-key-file="C:\Dev\Java\jdk1.6.0_34\bin\foo.keystore" protocol="TLSv1"/>
</connector>

Can someone suggest what I'm missing here?



1 Answer


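I finally figured out a way to solve it. If you change 'protocol' to 'protocols' in the above configuration and ensure that sslv3 is not in the protocols list, then it disables SSLv3.

Notice the protocol attribute in the config below: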

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
     <ssl name="foo-ssl" key-alias="foo" password="secret" certificate-key-file="C:\Dev\Java\jdk1.6.0_34\bin\foo.keystore" protocol="TLSv1,TLSv1.1,TLSv1.2"/>
</connector>

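After making this change, if you open IE and disable all protocols other than SSL 3.0, then try to access the web page, you should not be able to see the web page.

More details are available here: http://abhirampal.com/2015/07/23/disable-ssl-v3-on-jboss-as-7-1-1/

Answered 2015-07-22T09:36:10.100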
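
A static check for the setting discussed in this thread, added here as an example and not taken from the post or from JBoss: it reads a standalone.xml fragment and reports, per HTTPS connector, whether the `<ssl>` `protocol` attribute is an explicit list that leaves out SSLv3. The sample XML, its namespace, and the names `audit_connectors` and `classify` are constructed for illustration; the REVIEW rule for a single value rests on the asker's observation that `protocol="TLSv1"` still accepted an SSL 3.0 client.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two settings shown on this page plus one that lists
# SSLv3, wrapped in a minimal subsystem element (namespace is an assumption).
SAMPLE = """
<subsystem xmlns="urn:jboss:domain:web:1.1">
  <connector name="https-question" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="foo-ssl" key-alias="foo" protocol="TLSv1"/>
  </connector>
  <connector name="https-answer" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="foo-ssl" key-alias="foo" protocol="TLSv1,TLSv1.1,TLSv1.2"/>
  </connector>
  <connector name="https-legacy" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="foo-ssl" key-alias="foo" protocol="SSLv3,TLSv1"/>
  </connector>
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
</subsystem>
"""

def local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]

def classify(value):
    """Map an <ssl protocol="..."> value (or None) to (status, detail)."""
    if value is None:
        return ("REVIEW", "no protocol attribute; enabled protocols left to defaults")
    protos = [p.strip() for p in value.split(",") if p.strip()]
    if any(p.upper().startswith("SSL") for p in protos):
        return ("FAIL", "SSL protocol version listed: " + value)
    if len(protos) < 2:
        return ("REVIEW", "single value; confirm SSL 3.0 clients are refused")
    return ("OK", "explicit TLS-only list: " + ",".join(protos))

def audit_connectors(xml_text):
    """Return {connector name: (status, detail)} for each https connector."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter():
        if local(conn.tag) != "connector" or conn.get("scheme") != "https":
            continue
        ssl = next((c for c in conn if local(c.tag) == "ssl"), None)
        findings[conn.get("name")] = classify(ssl.get("protocol") if ssl is not None else None)
    return findings

if __name__ == "__main__":
    for name, (status, detail) in audit_connectors(SAMPLE).items():
        print(f"{status:6} {name}: {detail}")
```

A REVIEW or OK result is a configuration finding only; a handshake test against the running server, like the IE check in the answer, is still what confirms SSL 3.0 is refused.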