We should disable SSLv3 to protect against the POODLEbleed vulnerability.
We have sslProtocol="TLS" set to only allow TLS in ssl-server.xml, but when I checked, I could still connect with SSLv3. From what I can tell, there's some ambiguity in the tomcat configs between sslProtocol, sslProtocols, and sslEnabledProtocols so we probably have the wrong thing here.
- is related to
OOZIE-2037 Add TLSv1.1,TLSv1.2