Just another site

Deploying Tomcat with SSL / HTTPS enabled with POODLE vulnerablity fixed

1. To enable SSL deployment generate self signed certificate  or procure one from a trusted 3rd party store.

For the sake of simplicity i’ll use self signed certificate.Run the keytool located in the JDK under bin folder for generating self signed certificate.

keytool -genkey -alias tomcat -keyalg RSA -keystore \path\to\my\keystore.keystore

For those wanting to have certificate from trusted Certificate Authority.

In case of For Importing the Chain Certificate into your keystore provided by trusted Certificate Authority
keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>

And finally import your new Certificate
keytool -import -alias tomcat -keystore <your_keystore_filename> -file <your_certificate_filename>

2. Configure Tomcat for SSL with POODLE fix

In server.xml under conf folder of tomcat installation enable SSL by removing comments around the SSL section and modifying it as given below

<Connector port=”8443″ protocol=”org.apache.coyote.http11.Http11NioProtocol” maxThreads=”150″ SSLEnabled=”true” scheme=”https” secure=”true” clientAuth=”false” sslProtocol=”TLS” keystorePass={password provided during certificate generation} keystoreFile=”\path\to\my\keystore.keystore” sslEnabledProtocols=”TLSv1.2,TLSv1.1,TLSv1″/>

Start Tomcat & hit https://localhost:8443 accept the certifcate and it will display default root application.

3. To confirm SSLv2/3 is disabled download the following tool
Execute the foolowing CLI
sslscan –ssl3 –no-failed
sslscan –ssl2 –no-failed

The tool should not return any results



One response to “Deploying Tomcat with SSL / HTTPS enabled with POODLE vulnerablity fixed

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: