Andrew, On 11/18/14 2:58 PM, Andrew Carr wrote: > Chris, > > Thank you for the response. I will include the full stack trace next time. > >> >> >> >> Note that, like polio, SSLv2 has been wiped from the face of the planet. >> >> This is not an error. This will not impact anyone of consequence. >> >> You may be looking for "SSLv2Hello". >> >> -chirs >> >> >> > You said that I might be looking for SSLv2Hello, but I am not. My point > is not the use of SSLv2 because it would be wise, but the fact that the > list of protocols on the Oracle page includes SSLv2.
It most certainly *does not*: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider SSLv2 is dead, dead, dead. > This list is referred > to by the tomcat configuration documentation, which would lead someone to > believe this is a valid setting. Maybe we just add a note about SSLv2? There are notes everywhere that SSLv2 is not trusted. > Maybe it's not important? Not really. Anyone wanting to use SSLv2 should experience abject failure. -chris
signature.asc
Description: OpenPGP digital signature
