Channel: GlassFish Related Items on Java.net

How to disable SSLv3 client protocol in GlassFish v4


As a precaution in response to the POODLE SSLv3 vulnerability (described here http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exp...), I want to disable SSLv3 on my server when it acts as a client. To clarify further, my server is already secured. I'm specifically talking about the cases where I use an HTTP client from within my server code to reach out to external services.

I'm trying to accomplish this by setting the jdk.tls.client.protocols system property as described here: http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSE.... I'm verifying whether or not the changes have taken effect by running this code within my application:

    import java.util.Arrays;
    import javax.net.ssl.*;

    // Print the protocols enabled on an unconnected socket from the default SSLContext
    SSLContext ctx = SSLContext.getDefault();
    SSLSocketFactory factory = (SSLSocketFactory)ctx.getSocketFactory();
    SSLSocket socket = (SSLSocket)factory.createSocket();
    System.out.println(Arrays.toString(socket.getEnabledProtocols()));

Passing jdk.tls.client.protocols into a test standalone Java application works (i.e. -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"), but it does not seem to take effect in GlassFish. I tried creating a system property and verified by listing it as described here: http://docs.oracle.com/cd/E18930_01/html/821-2416/ghcjc.html. I also tried passing it as a JVM option upon startup, but again, no luck. I also verified that the application is seeing the system property via a System.getProperty("jdk.tls.client.protocols").

Does anyone know if GlassFish supports this? Am I doing something wrong?

