+++ This bug was initially created as a clone of Bug #1153853 +++

This issue was reported to Product Security by Tom Fonteyne.

The current configuration options exposed for ssl do not allow for protocols to be excluded. The following configuration still allows SSLv3:

> <server-identities>
>   <ssl protocol="TLSv1">
>     <keystore path="https.keystore" relative-to="keystore.home" keystore-password="secret" alias="https" key-password="secret" />
>   </ssl>
> </server-identities>

The behavior of this field should be similar to that of the connector configuration, which if set to the following disables SSLv3:

> <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
>   <ssl name="https" password="secret" protocol="TLSv1,TLSv1.1,TLSv1.2" key-alias="https" certificate-key-file="https.keystore" />
> </connector>

This ability is important to prevent attacks like POODLE.
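The report contrasts the two `<ssl>` layouts above. As an added example (not from the bug report or from EAP itself), the following script parses a standalone.xml in that layout and flags the blocks which, per the report, still permit SSLv3: every security-realm `server-identities/ssl` block on affected versions, and any web connector `ssl` whose `protocol` list is not made up of explicit TLS versions. The XML sample, `audit` and `local` are constructed for illustration.

```python
# Added example, not part of the bug report: audit an EAP 6 standalone.xml
# for <ssl> blocks that may still accept SSLv3, using the two layouts the
# report quotes. The XML below is constructed for illustration.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<server xmlns="urn:jboss:domain:1.7">
  <management><security-realms><security-realm name="ManagementRealm">
    <server-identities>
      <ssl protocol="TLSv1">
        <keystore path="https.keystore" relative-to="keystore.home"
                  keystore-password="secret" alias="https" key-password="secret"/>
      </ssl>
    </server-identities>
  </security-realm></security-realms></management>
  <profile><subsystem xmlns="urn:jboss:domain:web:2.2">
    <connector name="https" scheme="https" protocol="HTTP/1.1"
               socket-binding="https" secure="true">
      <ssl name="https" password="secret" protocol="TLSv1,TLSv1.1,TLSv1.2"
           key-alias="https" certificate-key-file="https.keystore"/>
    </connector>
    <connector name="legacy" scheme="https" protocol="HTTP/1.1"
               socket-binding="https" secure="true">
      <ssl name="legacy" password="secret" protocol="TLS"
           key-alias="https" certificate-key-file="https.keystore"/>
    </connector>
  </subsystem></profile>
</server>"""

def local(tag):
    """Drop the namespace prefix so matching works across schema versions."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (location, finding) pairs for SSL blocks that may still accept SSLv3."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for child in parent:
            if local(child.tag) != "ssl":
                continue
            proto = child.get("protocol", "")
            if local(parent.tag) == "server-identities":
                # Per the report, this attribute does not remove SSLv3 from the handshake.
                findings.append(("server-identities/ssl",
                                 f"protocol='{proto}' cannot exclude SSLv3 here"))
            elif local(parent.tag) == "connector":
                # Connector list excludes SSLv3 only if every entry is an explicit TLS version.
                enabled = [p.strip() for p in proto.split(",") if p.strip()]
                if not enabled or not all(p.startswith("TLSv") for p in enabled):
                    findings.append((f"connector[{parent.get('name')}]/ssl",
                                     f"protocol='{proto}' does not exclude SSLv3"))
    return findings
```

Running `audit(SAMPLE_XML)` reports the realm block and the `legacy` connector, while the `https` connector with the explicit TLS list passes.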
QE ACK granted
Verified with EAP 6.4.0.DR8