Since Java 8 Update 31 the SSL 3 protocol is disabled by default due to security flaws in the SSL Protocol (see POODLE attack).
Even if not recommended, how can it be enabled?
Since Java 8 Update 31 the SSL 3 protocol is disabled by default due to security flaws in the SSL Protocol (see POODLE attack).
Even if not recommended, how can it be enabled?
If you must re-enable SSLv3.0 on either 8u31, 7u75, 6u91 all you have to do is comment out the following line in JRE_HOME/lib/security/java.security:
jdk.tls.disabledAlgorithms=SSLv3
Code:
import javax.net.ssl.*;
public class SocketProtocols {
public static void main(String[] args) throws Exception {
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket soc = (SSLSocket) factory.createSocket();
// Returns the names of the protocol versions which are
// currently enabled for use on this connection.
String[] protocols = soc.getEnabledProtocols();
System.out.println("Enabled protocols:");
for (String s : protocols) {
System.out.println(s);
}
}
}
Output:
Before enabling SSL 3.0
$ /jdk1.8.0_31/bin/java SocketProtocols
Enabled protocols:
TLSv1
TLSv1.1
TLSv1.2
After enabling SSL 3.0
$ /jdk1.8.0_31/bin/java SocketProtocols
Enabled protocols:
SSLv3
TLSv1
TLSv1.1
TLSv1.2
credits/source: http://javablogx.blogspot.de/2015/02/enabling-ssl-v30-in-java-8.html
Unless you have no choice other than using SSL 3, the link below explains the configuration.
The release notes for the update 31 provide information for enabling the SSL 3 again in Java.
As stated:
Keep in mind that even the TLS protocol can be exploited to allow an insecure access with SSL 3, thats also part of the POODLE flaw. Enabling this for Java or any other technology should be a last resort only for critical reasons.