Since Java 8 Update 31 the SSL 3 protocol is disabled by default due to security flaws in the SSL Protocol (see POODLE attack).
Even if not recommended, how can it be enabled?
In the navigation tree, under SSL 3.0, select Server and then, in the right pane, double-click the Enabled DWORD value. In the Edit DWORD (32-bit) Value window, in the Value Data box leave the value at 0 and then, click OK. Restart your Windows server. You have successfully disabled the SSL v3 protocol.
'SSLv2Hello' is a pseudo-protocol which allows Java to initiate the handshake with an SSLv2 'hello message'. This does not cause use of the SSLv2 protocol, which is not supported by Java at all. And from the JSSE Reference Guide: The JSSE implementation in the J2SDK 1.4 and later implements SSL 3.0 and TLS 1.0.
Unless you have no choice other than using SSL 3, the link below explains the configuration.
The release notes for the update 31 provide information for enabling the SSL 3 again in Java.
As stated:
If SSLv3 is absolutely required, the protocol can be reactivated by removing "SSLv3" from the jdk.tls.disabledAlgorithms property in the java.security file or by dynamically setting this Security property to "true" before JSSE is initialized.
Keep in mind that even the TLS protocol can be exploited to allow an insecure access with SSL 3, thats also part of the POODLE flaw. Enabling this for Java or any other technology should be a last resort only for critical reasons.
You can set the jdk.tls.disabledAlgorithms
security property at runtime like so.
static {
Security.setProperty("jdk.tls.disabledAlgorithms", "");
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With