Ahoy, today I was reading about this "new" vulnerability on TLS
(http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html)
and was wondering if we should blacklist or document broken protocols,
preventing people from deploying Keycloak in non-secure environments.
Something like this was already suggested for Poodle here:
http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566...
Snippet:
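    import java.util.HashSet;
    import java.util.Set;
    import javax.net.ssl.SSLSocket;

    // createSocket() is declared to return Socket, so cast to SSLSocket.
    SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(...);
    // Strip "SSLv3" and "SSLv2Hello" from the current enabled protocols.
    String[] protocols = sslSocket.getEnabledProtocols();
    Set<String> set = new HashSet<>();
    for (String s : protocols) {
        if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
            continue;
        }
        set.add(s);
    }
    // Apply the filtered list before the handshake starts.
    sslSocket.setEnabledProtocols(set.toArray(new String[0]));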
Should we document? Blacklist? Or leave it as is?