I am using embedded Tomcat 8 with Java 8 and am unable to get the SSLv3 protocol re-enabled. I am unable to hit the web application with Internet Options -> Advanced settings with SSLv3 checked and all others (SSLv2, TLS1.0, TLS1.1, TLS1.2) unchecked. I have tried setting the SSL protocol like so:
httpsConnector.setAttribute("sslProtocol", "SSLv3");
I have also tried setting the SSL protocol like so:
httpsConnector.setAttribute("sslEnabledProtocols", "SSLv3");
I have also added this line to the deployment.properties file to enable SSLv3 in JRE 8:
deployment.security.SSLv3=true
Recent JREs disable SSLv3, and rightly so: it's a broken protocol at this point that should be avoided. However, some environments absolutely require support of SSLv3, and it is possible to do.
First, you should never disable the higher-level protocols like TLSv1, TLSv1.1, and TLSv1.2. Instead, add SSLv3 to those protocols so that clients with better security can still use the higher-level protocols.
In order to re-enable SSLv3 in the JVM, you'll need to set this system property, possibly at JVM launch-time:
-Djdk.tls.disabledAlgorithms=
(Note there is no value there.)
You will also need to do the same type of thing you have done already above, where you set sslEnabledProtocols and sslProtocol, but, again, please don't disable the higher-level protocols.
UPDATE 2017-06-21
For Tomcat 8.5 and 9.0, SSLv3 has been hard-coded to be disabled and requires a source patch and re-build in order to re-enable it, up through at least Tomcat 8.5.15 and Tomcat 9.0.0.M21. There is currently some discussion about removing that prohibition in Tomcat 8.5 and 9.0.
UPDATE 2017-06-22
SSLv3 will no longer be blacklisted as of Tomcat 8.5.17 and Tomcat 9.0.0.MR23.
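To check what a given JVM will actually honour before changing the connector, the following added example (not code from the question or the answer) reads the jdk.tls.disabledAlgorithms security property and audits an sslEnabledProtocols value against it. The class name ProtocolAudit, its method names and the two sample values are hypothetical and constructed for illustration.

```java
import java.security.Security;
import java.util.*;
import javax.net.ssl.SSLContext;

public class ProtocolAudit {
    // Entries of the jdk.tls.disabledAlgorithms security property (protocol names appear verbatim).
    static Set<String> jvmDisabled() {
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        Set<String> out = new LinkedHashSet<>();
        if (prop != null) {
            for (String entry : prop.split(",")) {
                String e = entry.trim();
                if (!e.isEmpty()) out.add(e);
            }
        }
        return out;
    }

    // Findings for a comma-separated sslEnabledProtocols value.
    static List<String> audit(String sslEnabledProtocols, Set<String> supported, Set<String> disabled) {
        List<String> requested = new ArrayList<>();
        for (String p : sslEnabledProtocols.split(",")) {
            if (!p.trim().isEmpty()) requested.add(p.trim());
        }
        List<String> findings = new ArrayList<>();
        for (String p : requested) {
            if (!supported.contains(p)) findings.add(p + ": not supported by this JVM");
            else if (disabled.contains(p)) findings.add(p + ": listed in jdk.tls.disabledAlgorithms");
        }
        // The answer's advice: SSLv3 is added to the TLS versions, never used in place of them.
        boolean hasTls = requested.stream().anyMatch(p -> p.startsWith("TLSv1") && !disabled.contains(p));
        if (requested.contains("SSLv3") && !hasTls) findings.add("no TLS protocol is enabled alongside SSLv3");
        return findings;
    }

    public static void main(String[] args) throws Exception {
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
        Set<String> disabled = jvmDisabled();
        System.out.println("supported: " + supported);
        System.out.println("disabled : " + disabled);
        // Constructed samples: the question's SSLv3-only value and the additive form.
        for (String value : new String[] {"SSLv3", "SSLv3,TLSv1,TLSv1.1,TLSv1.2"}) {
            System.out.println(value + " -> " + audit(value, supported, disabled));
        }
    }
}
```

Run it with the same JVM and launch options as the Tomcat process so the reported property matches what the connector will see.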