Ahoy, today I was reading about this "new" vulnerability on TLS (http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html), and was wondering if we should blacklist or document broken protocols, preventing people from deploying Keycloak in non-secure environments.

Something like this was already suggested for Poodle here: http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

Snippet:


    import java.util.HashSet;
    import java.util.Set;
    import javax.net.ssl.SSLSocket;

    // createSocket(...) returns a plain java.net.Socket, so cast it to SSLSocket.
    SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(...);

    // Strip "SSLv3" (and the SSLv2-compatible hello) from the current enabled protocols.
    String[] protocols = sslSocket.getEnabledProtocols();
    Set<String> set = new HashSet<>();
    for (String s : protocols) {
        if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
            continue;
        }
        set.add(s);
    }
    sslSocket.setEnabledProtocols(set.toArray(new String[0]));


Should we document? Blacklist? Or leave it as is?
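An added example (my own code, not from the Keycloak project or the Oracle page) that generalises the snippet above into a reusable deny-list: it strips SSLv2Hello/SSLv3 from an SSLSocket, SSLServerSocket or SSLEngine, reports which broken protocols are still enabled, and fails fast at startup if the JVM's default SSLContext would still offer one. The class name TlsProtocolGuard, its method names and the sample protocol list are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

/** Hypothetical helper (not Keycloak code): deny-list of protocol names that must never be negotiated. */
public final class TlsProtocolGuard {
    // "SSLv2Hello" is the SSLv2-compatible hello that DROWN builds on; "SSLv3" is the POODLE target.
    static final Set<String> BROKEN =
            new HashSet<>(Arrays.asList("SSLv2Hello", "SSLv3", "SSLv2"));

    /** Returns the given protocol names with every deny-listed entry removed, order preserved. */
    public static String[] strip(String[] enabled) {
        Set<String> keep = new LinkedHashSet<>();
        for (String p : enabled) {
            if (!BROKEN.contains(p)) keep.add(p);
        }
        return keep.toArray(new String[0]);
    }

    /** Returns the deny-listed names that are still enabled, so a deployment check can report them. */
    public static Set<String> stillEnabled(String[] enabled) {
        Set<String> bad = new LinkedHashSet<>(Arrays.asList(enabled));
        bad.retainAll(BROKEN);
        return bad;
    }

    public static void harden(SSLSocket s) { s.setEnabledProtocols(strip(s.getEnabledProtocols())); }
    public static void harden(SSLServerSocket s) { s.setEnabledProtocols(strip(s.getEnabledProtocols())); }
    public static void harden(SSLEngine e) { e.setEnabledProtocols(strip(e.getEnabledProtocols())); }

    /** Fail fast at startup if the JVM's default SSLContext would still offer a broken protocol. */
    public static void checkDefaultContext() throws Exception {
        String[] defaults = SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
        Set<String> bad = stillEnabled(defaults);
        if (!bad.isEmpty()) {
            throw new IllegalStateException("Insecure TLS protocols enabled by default: " + bad);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input standing in for what getEnabledProtocols() might return on an old JVM.
        String[] sample = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println("still enabled: " + stillEnabled(sample));
        System.out.println("after strip:   " + Arrays.toString(strip(sample)));
        checkDefaultContext(); // throws on a JVM whose defaults still include a deny-listed protocol
    }
}
```

Calling checkDefaultContext() once during server boot is the "blacklist" option from the question: the deployment refuses to start rather than silently serving SSLv3 or SSLv2Hello.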