This issue was reported to Product Security by Tom Fonteyne. The current configuration options exposed for ssl, does not allow for protocols to be excluded. The following configuration still allows SSLv3: > <server-identities> > <ssl protocol="TLSv1"> > <keystore path="https.keystore" relative-to="keystore.home" keystore-password="secret" alias="https" key-password="secret" /> > </ssl> > </server-identities> The behavior of this field should be similar to that of the connector configuration, which if set to the following disables SSlv3. > <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true"> > <ssl name="https" password="secret" protocol="TLSv1,TLSv1.1,TLSv1.2" key-alias="https" certificate-key-file="https.keystore" /> > </connector> This ability is important to prevent attacks like POODLE.
Do note that, when using javax.net.ssl.SSLContext.getInstance("TLSv1"), a white list is not used and if TLSv1 fails or SSLv3 is requested, SSLv3 gets used. This can be prevented by setting the enabled protocols as per [1, 2]. [1] http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLEngine.html#setEnabledProtocols(java.lang.String[]) [2] http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html
POODLE mitigation for customers is detailed in section "EAP 6 Management Interfaces" of [1]. [1] https://access.redhat.com/solutions/1232233
What is the thinking behind closing this as won't fix? The https management interface will not allow one to disable SSLv3. Setting TLSv1 does not exclude SSLv3. The work-arouns, using stunnel per the documentation, is a work-around. It does not resolve the root issue. In the case of my application, I don't have control of running stunnel.
We are using Wildfly 8.0 server with management interface. As the issue description says we are not able to disable SSLv3. And stunnel is not an option for us. Since this issue is closed as 'CLOSED WONTFIX', is it something else can be done to disable SSLv3