Overriding the SSL protocol defined by the default SSL socket factory

If your application does not explicitly configure an SSL socket factory, the default SSL socket factory is used, and specifies a protocol. You can use a system property to override this protocol.

To improve security, SSL socket factories should be explicitly configured instead of using the default SSL socket factory. The use of system properties to configure SSL socket factories is not recommended. However, the system property com.ibm.jsse2.overrideDefaultProtocol can be specified to set a different SSL protocol at run time.
com.ibm.jsse2.overrideDefaultProtocol=<option>
Where <option> sets the default enabled protocol to one of the following values:
  • SSLv3: sets SSL V3.0 (See Note)
  • SSL_TLS: sets SSL V3.0 (See Note) and TLS 1.0
  • SSL_TLSv2: sets SSL V3.0 (See Note), TLS 1.0, TLS 1.1, and TLS 1.2
  • TLS: sets Start of changes for service refresh 8 fix pack 30TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 End of changes for service refresh 8 fix pack 30(only TLS 1.2 from service refresh 7 onwards until service refresh 8, fix pack 30 and only TLS 1.0 in releases before service refresh 7)
  • TLSv1: sets TLS 1.0
  • TLSv11: sets TLS 1.1
  • TLSv12: sets TLS 1.2
  • Start of changes for service refresh 7TLSv13: sets TLS 1.3 (which requires the IBMJCEPlus provider) End of changes for service refresh 7
If a value is not set, the system default SSL protocol is used.
Note: The SSL V3.0 protocol is disabled by default due to the POODLE security vulnerability. For more information, see Padding Oracle On Downgraded Legacy Encryption (POODLE) security vulnerability
For information about setting system properties, see How to Specify a java.lang.system Property.
This system property cannot be specified with the following system properties:
  • com.ibm.jsse2.JSSEFIPS
  • com.ibm.jsse2.SP800-131
  • com.ibm.jsse2.suiteB