Applies to
Starting with the January 20, 2015 Critical Patch Update releases (JDK 8u31, JDK 7u75, JDK 6u91, Oracle JRockit 28.3.5, Oracle JRockit R27.8.5, and above) the Java Runtime Environment has SSLv3 disabled by default.
Oracle JRockit 28.3.5 and R27.8.5 users - please follow the instructions for Java 6 users.
To re-enable SSLv3.0 please visit the appropriate release notes:
This document explains how to disable SSL v3.0 in earlier versions:
For details on the issue that these instructions address, visit SSL V3.0 "Poodle" Vulnerability - CVE-2014-3566
Summary
The Oracle Java Runtime supports various versions of the SSL/TLS protocol, such as SSLv3, TLSv1, TLSv1.1, and TLSv1.2.
Here are the available protocols on each platform.
See how to Disable SSLv3 for Applets and WebStart below
Client applications using HTTPS from the command line
java -Dhttps.protocols="TLSv1" <MyApp>
Developers using HTTPS - Client
java.lang.System.setProperty("https.protocols", "TLSv1");
Developers using JSSE APIs - Client
sslSocket.setEnabledProtocols(new String[] {"TLSv1"});
sslEngine.setEnabledProtocols(new String[] {"TLSv1"});
Developers using JSSE APIs - Server
JDK 5/6
JDK 7
sslSocket.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
sslEngine.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
Java Applets/WebStart
See how to Disable SSLv3 for Applets and WebStart below
Client applications using HTTPS from the command line
java -Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2" -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" <MyApp>
Developers using HTTPS - Client
java.lang.System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");
Developers using JSSE APIs - Client
sslSocket.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});
sslEngine.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});
Developers using JSSE APIs - Server
sslSocket.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
sslEngine.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
The Oracle Java implementations of Plugin and WebStart can be configured using the Java Control Panel.
Under the "Advanced" tab, "Advanced Security Settings" section, deselect all SSL protocols/format leaving only TLS enabled as shown below.
Note: Changes done through the Control Panel while a browser is open will take effect only after the browser is restarted.
Java WebStart Applications must also be restarted for changes to take effect.
Additional Notes
- For more information about a TLS vulnerability related to POODLE disclosed in December 2014, please see the NOTE section on the SSL V3.0 "Poodle" Vulnerability - CVE-2014-3566 page.
- The java.lang.System property, "https.protocols", is used by the java.net.URL HTTPS protocol handler to set the enabled protocols on new connections.
- There is no general System or Security property to disable a specific protocol for applications using the javax.net.ssl.SSLSocket and javax.net.ssl.SSLEngine APIs. (See below for one exception on the JDK 8 client side.)
- To dynamically remove SSLv3 from the list of enabled protocols, use the following code snippet:
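import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLSocket;

// createSocket() returns java.net.Socket, so cast to SSLSocket.
SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(...);

// Strip "SSLv3" and the "SSLv2Hello" pseudo-protocol from the current enabled protocols.
String[] protocols = sslSocket.getEnabledProtocols();
Set<String> set = new HashSet<>();
for (String s : protocols) {
    if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
        continue;
    }
    set.add(s);
}
sslSocket.setEnabledProtocols(set.toArray(new String[0]));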
The procedure is similar for the SSLEngine API.
- On JDK 8+ for the client only, the System Property "jdk.tls.client.protocols" can also be used to set the enabled client protocol list created by the "Default" or "TLS" javax.net.ssl.SSLContexts. For example:
SSLContext ctx;
ctx = SSLContext.getDefault();
ctx = SSLContext.getInstance("TLS");
This property must be set before the JSSE mechanism is loaded by the system.
Statically:
% java -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" MyApp
Dynamically:
java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1,TLSv1.1,TLSv1.2");
Note that the "jdk.tls.client.protocols" property does not work for specific SSLContext versions (i.e. SSLContext.getInstance("TLSv1")), or on JDK 7 or earlier.
- "SSLv2Hello" is a special pseudo-protocol that controls whether the initial SSL/TLS client message is packaged using the older SSLv2 format or the standard newer (v3+) format. It is not a real protocol; it is strictly a compatibility mechanism from the early days of SSL/TLS.
Enabling "SSLv2Hello" on the server side allows the inbound connection to use either format. If "SSLv2Hello" is specified as an enabled Protocol on the client side, the server MUST be prepared to accept it (i.e. "SSLv2Hello" or equivalent) or else the SSL/TLS negotiation WILL FAIL. This applies for servers of any type, including those based on other SSL/TLS implementations. See the appropriate documentation for the details on how to enable/disable the SSL 2.0-compatible ClientHello format on the client and/or server if necessary.
JDK 5/6 enables SSLv2Hello by default on both the client and server sides. (Will send and receive SSLv2Hellos)
JDK 7-9 enables SSLv2Hello on the server side only. (Will not send, but will accept SSLv2Hellos)
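The dynamic protocol-stripping procedure from the Additional Notes, applied to the SSLEngine API and runnable without a network connection. This is an added example, not code from the original page; the class name StripSslv3 and the helper withoutLegacy are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example: class and method names are hypothetical.
public class StripSslv3 {

    // Return the enabled-protocol list without "SSLv3" and the
    // "SSLv2Hello" pseudo-protocol, preserving the original order.
    static String[] withoutLegacy(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String p : enabled) {
            if (!p.equals("SSLv3") && !p.equals("SSLv2Hello")) {
                kept.add(p);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // The "Default" context; createSSLEngine() opens no connection.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);

        String[] before = engine.getEnabledProtocols();
        String[] kept = withoutLegacy(before);

        // Refuse to continue with an empty list: the engine would have
        // no protocol left to negotiate.
        if (kept.length == 0) {
            throw new IllegalStateException(
                "No TLS protocol left after removing SSLv3/SSLv2Hello");
        }
        engine.setEnabledProtocols(kept);

        System.out.println("Before: " + Arrays.toString(before));
        System.out.println("After:  "
            + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Comparing the "Before" and "After" lines on a given runtime shows whether that JRE still had SSLv3 or SSLv2Hello enabled by default.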