Because of the POODLE attack, it is now recommended to disable SSLv3 for client and server applications and only allow TLS 1.0 - TLS 1.2 connections.
Is there a way to disable SSLv3 for all Java-based applications (server and client) on a computer without having to modify every Java program?
Maybe there is a possibility to change the configuration of the JRE or to use a special environment variable.
Does anybody know such a way?
You have not specified the version of Java. Below Java 8 there is no way to disallow or disable a specific SSL protocol, but in Java 8 you can set the enabled protocols as follows.
Statically:
    % java -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" MyApp
Dynamically:
    java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1,TLSv1.1,TLSv1.2");
If you are still using Java 7 or below, try the workaround explained in Instructions to disable SSL v3.0 in Oracle JDK and JRE.
I just implemented the following piece of code to disallow SSLv3 and SSLv2Hello in one of our Java 6 applications.
    if (disabledSSLProtocols != null) {
        // Start from what the engine currently enables and keep only the allowed protocols.
        String[] protocols = sslEngine.getEnabledProtocols();
        List<String> protocolList = new ArrayList<String>();
        for (String s : protocols) {
            if (disabledSSLProtocols.contains(s)) {
                log4j.info("{} protocol is disabled", s);
                continue;
            }
            log4j.info("{} protocol is enabled", s);
            protocolList.add(s);
        }
        // Apply the filtered list back to the engine.
        sslEngine.setEnabledProtocols(protocolList.toArray(new String[0]));
    }
Where disabledSSLProtocols is initialized with SSLv3,SSLv2Hello.
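
A check to run on each JVM after applying either approach above (an added example, not code from the original answers): it prints the protocols a default SSLEngine enables in client mode and in server mode and exits non-zero if SSLv3 or SSLv2Hello is still among them. The class name ProtocolAudit is hypothetical, and the check covers only the default SSLContext, so an application that builds its own context or calls setEnabledProtocols itself is outside its scope.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical helper class, not part of the JDK or of the answers above.
public class ProtocolAudit {
    // The protocols the question and answers want disabled.
    static final List<String> UNWANTED = Arrays.asList("SSLv3", "SSLv2Hello");

    // Protocols a default engine enables in the given role (client or server).
    static List<String> enabledFor(boolean clientMode) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(clientMode);
        return Arrays.asList(engine.getEnabledProtocols());
    }

    // Subset of the enabled protocols that should have been disabled.
    static List<String> unwantedIn(List<String> enabled) {
        List<String> hits = new ArrayList<String>(enabled);
        hits.retainAll(UNWANTED);
        return hits;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.client.protocols = "
                + System.getProperty("jdk.tls.client.protocols"));
        boolean clean = true;
        for (boolean clientMode : new boolean[] {true, false}) {
            List<String> enabled = enabledFor(clientMode);
            List<String> hits = unwantedIn(enabled);
            System.out.println((clientMode ? "client" : "server") + " enabled: " + enabled
                    + (hits.isEmpty() ? "" : "  <-- still enabled: " + hits));
            clean &= hits.isEmpty();
        }
        // Non-zero exit status lets a deployment script gate on the result.
        System.exit(clean ? 0 : 1);
    }
}
```

Run it with the same -D options as the application being checked. Because jdk.tls.client.protocols is a client-side setting, the server-mode line shows whether server sockets still need separate handling.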