<div dir="ltr"><div>Ahoy, today I was reading about this &quot;new&quot; vulnerability in TLS (<a href="http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html">http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html</a>), and I was wondering if we should blacklist or document broken protocols, preventing people from deploying Keycloak in non-secure environments.</div><div><br></div><div>Something like this was already suggested for POODLE here: <a href="http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html">http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html</a></div><div><br></div><div>Snippet:</div>
<pre>SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(...);

// Strip &quot;SSLv3&quot; (and the SSLv2-format hello) from the currently enabled protocols.
String[] protocols = sslSocket.getEnabledProtocols();
Set&lt;String&gt; set = new HashSet&lt;&gt;();
for (String s : protocols) {
    if (s.equals(&quot;SSLv3&quot;) || s.equals(&quot;SSLv2Hello&quot;)) {
        continue;
    }
    set.add(s);
}
sslSocket.setEnabledProtocols(set.toArray(new String[0]));
</pre>
<div>Should we document? Blacklist? Or leave it as is?</div></div>
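The Oracle snippet above only covers a client-side SSLSocket. The same deny-list has to be applied to every JSSE object that can negotiate a handshake (server sockets and SSLEngine instances used by embedded servers), and it should fail loudly rather than silently if filtering leaves no protocol at all. The following is an added example written for this thread; it is not code from the post, from Oracle, or from Keycloak. The class name ProtocolDenyList, the DENIED constant and the filter/apply helpers are made-up names; the JSSE calls (getEnabledProtocols, setEnabledProtocols, SSLContext.getDefault, createSSLEngine) are standard JDK API.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

/**
 * Hypothetical helper (not Keycloak code): removes protocol versions that are
 * known to be broken from whatever the JDK currently enables by default.
 * "SSLv2Hello" is the SSLv2-format ClientHello wrapper; "SSLv3" is the POODLE
 * target. Both are dropped unconditionally.
 */
public final class ProtocolDenyList {

    /** Protocol names exactly as JSSE reports them from getEnabledProtocols(). */
    public static final Set<String> DENIED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("SSLv2Hello", "SSLv3")));

    private ProtocolDenyList() {}

    /**
     * Returns the enabled list with every denied protocol removed, preserving
     * the JDK's original order. Throws if nothing would remain, because an
     * empty list makes every handshake fail in a way that is hard to diagnose.
     */
    public static String[] filter(String[] enabled) {
        Set<String> keep = new LinkedHashSet<>();
        for (String protocol : enabled) {
            if (!DENIED.contains(protocol)) {
                keep.add(protocol);
            }
        }
        if (keep.isEmpty()) {
            throw new IllegalStateException(
                    "no TLS protocol left after removing " + DENIED + " from " + Arrays.toString(enabled));
        }
        return keep.toArray(new String[0]);
    }

    /** True when none of the denied protocols is present in the given list. */
    public static boolean isClean(String[] enabled) {
        for (String protocol : enabled) {
            if (DENIED.contains(protocol)) {
                return false;
            }
        }
        return true;
    }

    // Apply to all three JSSE objects that can start a handshake. Each must be
    // called before the handshake begins; changing protocols afterwards has no effect.
    public static void apply(SSLSocket socket) {
        socket.setEnabledProtocols(filter(socket.getEnabledProtocols()));
    }

    public static void apply(SSLServerSocket serverSocket) {
        serverSocket.setEnabledProtocols(filter(serverSocket.getEnabledProtocols()));
    }

    public static void apply(SSLEngine engine) {
        engine.setEnabledProtocols(filter(engine.getEnabledProtocols()));
    }

    /** Offline demonstration on an SSLEngine built from the default context; no network is needed. */
    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        System.out.println("before: " + Arrays.toString(engine.getEnabledProtocols()));
        apply(engine);
        System.out.println("after:  " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("clean:  " + isClean(engine.getEnabledProtocols()));
    }
}
```

The filter is deliberately a deny-list rather than an allow-list so that newer protocol versions the JDK enables later are not accidentally blocked; the isClean check is what a startup self-test or a deployment guide could point to when documenting that a Keycloak installation must not accept SSLv2/SSLv3.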