Is it possible to disable SSLv3 for all Java applications?

Question

Because of the Poodle attack it is now recommended to disable SSLv3 for client and server applications and only allow TLS 1.0 -TLS 1.2 connections.

Is there a way to disable SSLv3 for all Java based applications (server and client) on a computer without having to modify every Java program?

May be there is a possibility to change the configuration of the JRE or using a special environment variable.

Does anybody know such a way?

Answer 1

You have not specified the version of Java because below Java 8 there is no way to disallow or disable specific SSL protocol but in Java 8 you can set the enabled protocols like following

Statically:

% java -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" MyApp

Dynamically:

java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1,TLSv1.1,TLSv1.2");

If you are still using java 7 or below try to use work around explained Instructions to disable SSL v3.0 in Oracle JDK and JRE

I just implemented following piece of code to disallow SSLv3 and SSLv2Hello on one of our Java6 application.

if(disabledSSLProtocols != null) {

    String[] protocols = sslEngine.getEnabledProtocols();
    List<String> protocolList = new ArrayList<String>();

    for (String s : protocols) {

        if (disabledSSLProtocols.contains(s)) {

            log4j.info("{} protocol is disabled", s);
            continue;
        }

        log4j.info("{} protocol is enabled", s);
        protocolList.add(s);
    }

    sslEngine.setEnabledProtocols(protocolList.toArray(new String[0]));
}

Where disabledSSLProtocols initialized with SSLv3,SSLv2Hello

Answer 2

Take a look at http://www.oracle.com/technetwork/java/javase/overview/tlsreadme-141115.html

Relevant part:

Renegotiations can be re-enabled for those applications that need it by setting the new system property sun.security.ssl.allowUnsafeRenegotiation to true before the JSSE library is initialized. There are several ways to set this property: Command Line: % java -Dsun.security.ssl.allowUnsafeRenegotiation=true Main Java Control Panel (Java Plug-in / Java Web Start) - Runtime Environment. Within the application: java.lang.System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", true); Note that TLS/SSL renegotiation will not occur unless both client and server have enabled renegotiations.

It explains the issue and the fix.