Ensure SSL Protocol is set to TLS for Secure Connectors – verify sslProtocol is set to TLS

Details

The sslProtocol setting determines which protocol Tomcat will use to protect traffic. It is recommended that the sslProtocol attribute be set to TLS.

Rationale:

The TLS protocol does not contain weaknesses that affect other secure transport protocols, such as SSLv1 or SSLv2. Therefore, TLS is leveraged to protect the confidentiality and integrity of data while in transit.

Solution

In server.xml, set the sslProtocol attribute to TLS for Connectors having SSLEnabled set to true.


<Connector SSLEnabled="true"
           sslProtocol="TLS"
/>

In Tomcat 8.5.x using JSSE, set it to TLS or alternatively remove it.



<Connector SSLEnabled="true"
           sslProtocol="TLS"
/>
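The check described above can be automated. The following is an added example, not part of the CIS benchmark or the original page: a Python audit that reports every Connector with SSLEnabled set to true whose sslProtocol is not TLS. The sample server.xml, the function name audit_ssl_protocol and the allow_missing flag are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the original page).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS"/>
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="SSLv3"/>
    <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>
"""


def audit_ssl_protocol(server_xml, allow_missing=False):
    """Return [(port, finding)] for secure Connectors that fail the control.

    allow_missing=True reflects the Tomcat 8.5.x/JSSE note that the
    attribute may be removed instead of being set to TLS (hypothetical flag).
    """
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        # The control only covers Connectors having SSLEnabled set to true.
        if conn.get("SSLEnabled", "false").strip().lower() != "true":
            continue
        port = conn.get("port", "?")
        value = conn.get("sslProtocol")
        if value is None:
            if not allow_missing:
                findings.append((port, "sslProtocol not set"))
        elif value.strip() != "TLS":
            findings.append((port, f"sslProtocol={value!r}, expected 'TLS'"))
    return findings


if __name__ == "__main__":
    for port, msg in audit_ssl_protocol(SAMPLE_SERVER_XML):
        print(f"FAIL connector port {port}: {msg}")
```

Call it with allow_missing=True when auditing a Tomcat 8.5.x JSSE configuration where the attribute has been removed on purpose.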

References:

https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

https://tomcat.apache.org/tomcat-8.5-doc/config/http.html

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Unix.

Updated on July 16, 2022