
How to disable SSLv3 for embedded Jetty server for Ring application?


This answer to the Java version of this question – How to disable the SSLv3 protocol in Jetty to prevent Poodle Attack – covers how to do this, but what's the equivalent minimal code to do the same for a Clojure web application using Ring and the Ring Jetty adapter, which uses embedded Jetty version 7?


Solution

  • Here's what I added to the namespace file containing my project's -main function:

    ;; True for Jetty 7's non-blocking SSL connector, matched by class name.
    (defn is-jetty-ssl-connector?
      [^org.eclipse.jetty.server.Connector c]
      (= (.getName (type c)) "org.eclipse.jetty.server.ssl.SslSelectChannelConnector"))
    
    ;; Ring calls this with the fully built Server; add SSLv3 to the exclude list
    ;; of every SSL connector's SslContextFactory so POODLE cannot negotiate it.
    (defn jetty-configurator
      [jetty-server]
      (doseq [c (filter is-jetty-ssl-connector? (.getConnectors jetty-server))]
        (.addExcludeProtocols (.getSslContextFactory c) (into-array String ["SSLv3"]))))
    

    Added to the options map of the jetty/run-jetty function call in my -main function:

    :configurator jetty-configurator
    

    I confirmed that this seems to work using a cURL command like the following:

    curl -v3 -X HEAD https://localhost:443
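The complete -main wiring, as an added example rather than code from the answer above. It assumes ring-jetty-adapter 1.x on Jetty 7.6 or later, where both SslSelectChannelConnector and the blocking SslSocketConnector implement the org.eclipse.jetty.server.ssl.SslConnector interface; matching on that interface instead of a class-name string catches both. The namespace, handler, keystore path and password are placeholders.

```clojure
(ns example.main
  ;; Added example, not from the original post. Assumes Ring 1.x with
  ;; ring-jetty-adapter on Jetty 7.6+, whose SslConnector interface exposes
  ;; getSslContextFactory.
  (:require [ring.adapter.jetty :as jetty])
  (:import [org.eclipse.jetty.server Server Connector]
           [org.eclipse.jetty.server.ssl SslConnector]))

(defn harden-ssl-connectors!
  "Excludes SSLv3 on every SSL connector of the Jetty Server that Ring
   hands to :configurator. Checking the SslConnector interface rather than
   a class-name string also covers SslSocketConnector."
  [^Server server]
  (doseq [^Connector c (.getConnectors server)
          :when (instance? SslConnector c)]
    (let [factory (.getSslContextFactory ^SslConnector c)]
      ;; addExcludeProtocols takes String varargs, hence the Java array.
      (.addExcludeProtocols factory (into-array String ["SSLv3"])))))

(defn handler
  "Placeholder Ring handler."
  [request]
  {:status 200
   :headers {"Content-Type" "text/plain"}
   :body "ok\n"})

(defn -main [& args]
  ;; keystore.jks / changeit are placeholders; use your own keystore.
  (jetty/run-jetty handler
                   {:port 8080
                    :ssl? true
                    :ssl-port 8443
                    :keystore "keystore.jks"
                    :key-password "changeit"
                    :configurator harden-ssl-connectors!
                    :join? true}))
```

To confirm the exclusion took effect, `openssl s_client -connect localhost:8443 -ssl3` should end in a handshake failure while `openssl s_client -connect localhost:8443 -tls1` completes; the curl check in the answer (`-3` forces SSLv3) tests the same thing from the client side.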