Disabling SSL3 in BridgeGate should be fairly straightforward. The server/conf/server.xml file contains a block that describes the SSL port configuration. Specifically, there is a setting that indicates the protocol, which by default reads sslProtocol="TLS". That is misleading: sslProtocol only names the JSSE SSLContext, and the set of protocol versions actually enabled on the socket is the JRE's default list, which on older JREs still includes SSLv3. A client can therefore still negotiate SSLv3 with the connector.
To get around this, you must specify the enabled protocols explicitly. You can set this using the sslEnabledProtocols setting in that block, as shown in this configuration (the keystore path and password are placeholders):
<!-- HTTPS connector: sslEnabledProtocols replaces the JRE default list, so SSLv3 is no longer offered -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="C:/certificates/keystore.jks"
           keystorePass="P@55w0rD" />
This is slightly different in BridgeGate 6. The sslEnabledProtocols attribute was added in Tomcat 7 and is not understood by the Tomcat 5.5-based JBoss Web that BG6 ships, but its JSSE socket factory reads an undocumented protocols attribute that does the same job. In the jboss/server/bridgegate/system/jbossweb-tomcat55.sar/server.xml file, add the protocols option as in the following. List only protocol names that the JRE running BridgeGate supports; an unknown name stops the connector from starting.
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" address="${jboss.bind.address}"
           maxThreads="300" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="keystore.jks"
           keystorePass="password" sslProtocol="TLS" protocols="TLSv1,TLSv1.1"/>
If you have openssl installed on your system, you can verify that SSL3 is disabled. The following should fail, with a handshake failure and "Cipher is (NONE)" in the output:
openssl s_client -ssl3 -connect <host>:8443
While the following should succeed and print the server certificate and the negotiated cipher:
openssl s_client -tls1 -connect <host>:8443
Note that many current openssl builds are compiled without SSLv3 support, so -ssl3 may be reported as an unknown option or fail with "no protocols available" regardless of what the server does. In that case the test says nothing about the server; use an openssl build that still supports SSLv3, or another scanner that does.
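The two commands above check one protocol each and leave you to read the output. The script below is an added example, not part of the BridgeGate documentation or product: it wraps the same openssl s_client calls, tries SSLv3 and each TLS version in turn, and classifies the result from s_client's own output lines. The host and port are whatever you pass in; the "untestable" result covers openssl builds that have the requested version compiled out.

```shell
#!/bin/sh
# Added example (not part of the BridgeGate docs): probe one HTTPS port with
# openssl s_client once per SSL/TLS version and report which versions the
# server accepts. It only wraps the openssl s_client calls shown above.

# classify_handshake: read s_client output on stdin and print "accepted" or
# "rejected". s_client prints "Cipher is (NONE)" and "no peer certificate
# available" when no session was negotiated, and "Cipher is <name>" when
# one was.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"Cipher is (NONE)"*|*"handshake failure"*|*"wrong version number"*|*"no protocols available"*|*"unsupported protocol"*|*"no peer certificate available"*)
            echo rejected ;;
        *"Cipher is "*)
            echo accepted ;;
        *)
            echo rejected ;;
    esac
}

# probe_protocol HOST PORT FLAG: run s_client with a single version flag
# (-ssl3, -tls1, -tls1_1, -tls1_2) and classify the result. If the local
# openssl was built without that version, s_client rejects the flag as an
# unknown option; report "untestable" rather than a misleading "rejected".
probe_protocol() {
    host=$1; port=$2; flag=$3
    out=$(printf 'Q\n' | openssl s_client "$flag" -connect "$host:$port" 2>&1) || true
    case "$out" in
        *"unknown option"*|*"Unknown option"*) echo untestable; return 0 ;;
    esac
    printf '%s\n' "$out" | classify_handshake
}

# probe_all HOST PORT: one line per version, e.g. "SSLv3 rejected".
# A hardened BridgeGate connector should show SSLv3 rejected and at least
# one TLS version accepted.
probe_all() {
    for pair in SSLv3:-ssl3 TLSv1:-tls1 TLSv1.1:-tls1_1 TLSv1.2:-tls1_2; do
        name=${pair%%:*}
        flag=${pair#*:}
        printf '%s %s\n' "$name" "$(probe_protocol "$1" "$2" "$flag")"
    done
}

# Usage: sh probe_tls.sh <host> [port]   (port defaults to the 8443 connector)
if [ -n "${1:-}" ]; then
    probe_all "$1" "${2:-8443}"
fi
```

Run it against the connector after restarting BridgeGate and keep the output with the change record; if every line reads "untestable" for SSLv3, the local openssl cannot speak SSLv3 and the server is still unverified.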