How can Java users confirm they are not affected by the SSL V3.0 POODLE (CVE-2014-3566) vulnerability?
Starting with the January 20, 2015 Critical Patch Update releases (JDK 8u31, JDK 7u75, JDK 6u91 and above), the Java Runtime Environment has SSLv3 disabled by default. If you have verified that you are running those releases or later, then no further action should be necessary.
For previous releases, Oracle has provided background and instructions below for disabling SSLv3 for applets and Web Start. Detailed instructions for developers and system administrators are available on OTN; they explain how to prevent Java applications from using SSL v3.0 in Java SE in all the situations where Java is used.
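For developers and administrators who want to check a specific runtime directly, the following is an added example, not Oracle's code and not part of the OTN instructions. It reads the standard jdk.tls.disabledAlgorithms security property and the default JSSE protocol list; the class name Sslv3Check and the exit codes are assumptions chosen for illustration.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical helper (not from Oracle): reports whether this JRE would
// offer SSLv3 on JSSE connections. Run it with the JRE you want to check.
public class Sslv3Check {

    // True if the comma-separated jdk.tls.disabledAlgorithms value names SSLv3.
    static boolean disabledByPolicy(String disabledAlgorithms) {
        if (disabledAlgorithms == null) {
            return false; // property is absent on older runtimes
        }
        for (String entry : disabledAlgorithms.split(",")) {
            if (entry.trim().equalsIgnoreCase("SSLv3")) {
                return true;
            }
        }
        return false;
    }

    static boolean contains(String[] protocols, String name) {
        return protocols != null && Arrays.asList(protocols).contains(name);
    }

    public static void main(String[] args) throws Exception {
        String policy = Security.getProperty("jdk.tls.disabledAlgorithms");
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        boolean blocked = disabledByPolicy(policy);
        boolean offered = contains(defaults.getProtocols(), "SSLv3");

        System.out.println("java.version: " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms: " + policy);
        System.out.println("default protocols: " + Arrays.toString(defaults.getProtocols()));
        System.out.println("supported protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        if (blocked) {
            System.out.println("OK: SSLv3 is disabled by the security policy.");
        } else if (offered) {
            System.out.println("AT RISK: SSLv3 is enabled by default on this runtime.");
        } else {
            System.out.println("WARN: SSLv3 is not a default, but no policy blocks an "
                    + "application from enabling it explicitly.");
        }
        // Exit codes (assumed convention): 0 = blocked, 1 = at risk, 2 = warn.
        System.exit(blocked ? 0 : (offered ? 1 : 2));
    }
}
```

The check covers only the runtime it is executed with; hosts with several installed JREs need one run per installation.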
Background
The POODLE vulnerability (CVE-2014-3566) exposed a severe flaw in the Secure Socket Layer (SSL) v3 protocol. The SSLv3 protocol is no longer recommended and has been disabled for use in the Java Runtime Environment as noted above. Users who absolutely need to re-enable SSLv3 should refer to the appropriate Release Notes.
Most users, however, only use Java in the browser (Applets and WebStart). Below are simpler instructions on how to check whether SSL 3.0 is enabled, and how to disable it.
Disable SSLv3 for Applets and WebStart
The Oracle Java implementations of Plugin and WebStart can be configured using the Java Control Panel.
Under the Advanced tab, in the Advanced Security Settings section, deselect all SSL protocols/format, leaving only TLS enabled, as shown below. (Starting with the January 20, 2015 release, SSLv3 no longer appears as a selectable option.)
Note: Changes made through the Control Panel while a browser is open will take effect only after the browser is restarted. Java WebStart applications must also be restarted for changes to take effect.
Java Control Panel - Versions prior to 8u31, 7u75 and 6u91
RELATED INFORMATION
More information on the January 2015 Critical Patch Update release can be found in the appropriate release notes.
- Java 8 Update 31 (OTN release notes)
- Java 7 Update 75 (OTN release notes)
- Java 6 Update 91 (OTN release notes)