Thanks for visiting the site !!! Visit below intrested Ads to support us if you like the site .Sharing is caring .keep distance and keep safe . Happy Learning ... 😀

How to change/configure TLS/SSL protocols in Weblogic

TLS 1.2 is the default minimum protocol version configured in WebLogic Server 14.1.1.  TLS 1.3 support is available in WebLogic Server versions that are certified with Java SE implementations supporting TLS 1.3 in JSSE. e.g., TLS 1.3 support is available in WebLogic Server 14.1.1 when using Java SE 11 or JDK 8 u261+.

Note that  TLS 1.3 support is available in WebLogic Server 12.2.1.4 or 12.2.1.3 with JDK 8 u261+.

We can disable old version by setting up minimum supported protocol in JAVA_OPTS

-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1

Note the above setting is only affects inbound connections. If we have an application on Weblogic making outbound call to other applicaiton (ex Ldap ) then look for below section .

For Outbound Connections

To control the outbound connections the following JAVA_OPTIONS system property is available:

Example to allow all TLS protocols for the most common SSLSocket or SSLSocketFactory classes:

-Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2
Applications using the HttpsClient or HttpsURLConnection classes can use the https.protocols system property:

-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

You should also disable SSLv2 Client Hello in WLS startup scripts:

-Dweblogic.ssl.SSLv2HelloEnabled=false

The jdk.tls.client.protocols system property is available since 7u95 and 6u121 to be able to set this. All versions of JDK 8 support this. In other words, older JDK versions only support TLS 1.0 for outbound client connections.

A common method to test is by setting options on your browser and testing one protocol at a time. If you only want TLS 1.2 to work, then disable all other protocols in your browser settings.

If you have openssl on your system, you can test to ensure what you have configured is working with the following commands to connect:

openssl s_client -connect <hostname:port> -ssl3

openssl s_client -connect <hostname:port> -tls1

openssl s_client -connect <hostname:port> -tls1_1

openssl s_client -connect <hostname:port> -tls1_2

openssl s_client -connect <hostname:port> -tls1_3

If the connectivity is successful then it will give the output with Connected result with the printed certificate from the server followed by the cipher that it used to handshake and also the trusted certs available from the server .

With the result we can conclude the protocols enabled on the Weblogic particular port .

For testing particular cipher suites, check the -cipher option. For example:

$openssl s_client -host localhost -port 8080 -cipher DES-CBC-SHA

I am just trying above syntax to connect to goole.com . see below .

openssl s_client -host google.com -port 443 -cipher ECDHE-RSA-CHACHA20-POLY1305

CONNECTED(00000006)

depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA

verify return:1

depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1

verify return:1

depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3

verify return:1

depth=0 CN = *.google.com

verify return:1

Certificate chain

 0 s:/CN=*.google.com

   i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3

 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3

   i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1

 2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1

   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

Server certificate

—–BEGIN CERTIFICATE—–

MIIOGzCCDQOgAwIBAgIQdQLMPmhZMrgKAAAAAPK67DANBgkqhkiG9w0BAQsFADBG

MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM

QzETMBEGA1UEAxMKR1RTIENBIDFDMzAeFw0yMTA3MTIwMTM0MzNaFw0yMTEwMDQw

MTM0MzJaMBcxFTATBgNVBAMMDCouZ29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEB

BQADggEPADCCAQoCggEBAMNgW34BrUmIE37AzRZfN/mSHBIeZGzW68iG54rIbl6H

HbaO3Yk5pbrVMWkg+HK4ItjlRiA0XRK1wuFGwktLnbtcjEfxDWwjA5OsD3jtUmLb

y7aV2SMu7ql9kfOqP9F3unm8/Pp+PmkudDSb79FHgIaDzgurmS2SVzE2ey5bs5Ks

CZ+P9FUCMYoZ48B3ewf+Rl/3kH68oN6JUYCzcvN3qp2CkAh5bsA5DtK5/w/hn4xK

XErdCI7h5bXmNBFZuehIYkki3u83vsG40Pzv+/GTDGcQdsQRChBWz/r9EN8va8TW

eNZS5820zvOqDfqWnpBHL07CtfzHUpbX7UmN4bHEUS0CAwEAAaOCCzIwggsuMA4G

A1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAA

MB0GA1UdDgQWBBSfo5qDzKzim6vOOQijS7XXQiatgzAfBgNVHSMEGDAWgBSKdH+v

hc3ulc09nNDiRhTzcTUdJzBqBggrBgEFBQcBAQReMFwwJwYIKwYBBQUHMAGGG2h0

dHA6Ly9vY3NwLnBraS5nb29nL2d0czFjMzAxBggrBgEFBQcwAoYlaHR0cDovL3Br

aS5nb29nL3JlcG8vY2VydHMvZ3RzMWMzLmRlcjCCCOIGA1UdEQSCCNkwggjVggwq

Lmdvb2dsZS5jb22CFiouYXBwZW5naW5lLmdvb2dsZS5jb22CCSouYmRuLmRldoIS

Ki5jbG91ZC5nb29nbGUuY29tghgqLmNyb3dkc291cmNlLmdvb2dsZS5jb22CGCou

ZGF0YWNvbXB1dGUuZ29vZ2xlLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNs

gg4qLmdvb2dsZS5jby5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVr

gg8qLmdvb2dsZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29t

LmJygg8qLmdvb2dsZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUu

Y29tLnRygg8qLmdvb2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5l

c4ILKi5nb29nbGUuZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29n

bGUubmyCCyouZ29vZ2xlLnBsggsqLmdvb2dsZS5wdIISKi5nb29nbGVhZGFwaXMu

Y29tgg8qLmdvb2dsZWFwaXMuY26CESouZ29vZ2xldmlkZW8uY29tggwqLmdzdGF0

aWMuY26CECouZ3N0YXRpYy1jbi5jb22CEiouZ3N0YXRpY2NuYXBwcy5jboIPZ29v

Z2xlY25hcHBzLmNughEqLmdvb2dsZWNuYXBwcy5jboIMZ2tlY25hcHBzLmNugg4q

LmdrZWNuYXBwcy5jboISZ29vZ2xlZG93bmxvYWRzLmNughQqLmdvb2dsZWRvd25s

b2Fkcy5jboIQcmVjYXB0Y2hhLm5ldC5jboISKi5yZWNhcHRjaGEubmV0LmNuggt3

aWRldmluZS5jboINKi53aWRldmluZS5jboIRYW1wcHJvamVjdC5vcmcuY26CEyou

YW1wcHJvamVjdC5vcmcuY26CEWFtcHByb2plY3QubmV0LmNughMqLmFtcHByb2pl

Y3QubmV0LmNughdnb29nbGUtYW5hbHl0aWNzLWNuLmNvbYIZKi5nb29nbGUtYW5h

bHl0aWNzLWNuLmNvbYIXZ29vZ2xlYWRzZXJ2aWNlcy1jbi5jb22CGSouZ29vZ2xl

YWRzZXJ2aWNlcy1jbi5jb22CEWdvb2dsZXZhZHMtY24uY29tghMqLmdvb2dsZXZh

ZHMtY24uY29tghFnb29nbGVhcGlzLWNuLmNvbYITKi5nb29nbGVhcGlzLWNuLmNv

bYIVZ29vZ2xlb3B0aW1pemUtY24uY29tghcqLmdvb2dsZW9wdGltaXplLWNuLmNv

bYISZG91YmxlY2xpY2stY24ubmV0ghQqLmRvdWJsZWNsaWNrLWNuLm5ldIIYKi5m

bHMuZG91YmxlY2xpY2stY24ubmV0ghYqLmcuZG91YmxlY2xpY2stY24ubmV0ghFk

YXJ0c2VhcmNoLWNuLm5ldIITKi5kYXJ0c2VhcmNoLWNuLm5ldIIdZ29vZ2xldHJh

dmVsYWRzZXJ2aWNlcy1jbi5jb22CHyouZ29vZ2xldHJhdmVsYWRzZXJ2aWNlcy1j

bi5jb22CGGdvb2dsZXRhZ3NlcnZpY2VzLWNuLmNvbYIaKi5nb29nbGV0YWdzZXJ2

aWNlcy1jbi5jb22CF2dvb2dsZXRhZ21hbmFnZXItY24uY29tghkqLmdvb2dsZXRh

Z21hbmFnZXItY24uY29tghhnb29nbGVzeW5kaWNhdGlvbi1jbi5jb22CGiouZ29v

Z2xlc3luZGljYXRpb24tY24uY29tgiQqLnNhZmVmcmFtZS5nb29nbGVzeW5kaWNh

dGlvbi1jbi5jb22CFmFwcC1tZWFzdXJlbWVudC1jbi5jb22CGCouYXBwLW1lYXN1

cmVtZW50LWNuLmNvbYILZ3Z0MS1jbi5jb22CDSouZ3Z0MS1jbi5jb22CC2d2dDIt

Y24uY29tgg0qLmd2dDItY24uY29tggsybWRuLWNuLm5ldIINKi4ybWRuLWNuLm5l

dIIUZ29vZ2xlZmxpZ2h0cy1jbi5uZXSCFiouZ29vZ2xlZmxpZ2h0cy1jbi5uZXSC

DGFkbW9iLWNuLmNvbYIOKi5hZG1vYi1jbi5jb22CDSouZ3N0YXRpYy5jb22CFCou

bWV0cmljLmdzdGF0aWMuY29tggoqLmd2dDEuY29tghEqLmdjcGNkbi5ndnQxLmNv

bYIKKi5ndnQyLmNvbYIOKi5nY3AuZ3Z0Mi5jb22CECoudXJsLmdvb2dsZS5jb22C

FioueW91dHViZS1ub2Nvb2tpZS5jb22CCyoueXRpbWcuY29tggthbmRyb2lkLmNv

bYINKi5hbmRyb2lkLmNvbYITKi5mbGFzaC5hbmRyb2lkLmNvbYIEZy5jboIGKi5n

LmNuggRnLmNvggYqLmcuY2+CBmdvby5nbIIKd3d3Lmdvby5nbIIUZ29vZ2xlLWFu

YWx5dGljcy5jb22CFiouZ29vZ2xlLWFuYWx5dGljcy5jb22CCmdvb2dsZS5jb22C

Emdvb2dsZWNvbW1lcmNlLmNvbYIUKi5nb29nbGVjb21tZXJjZS5jb22CCGdncGh0

LmNuggoqLmdncGh0LmNuggp1cmNoaW4uY29tggwqLnVyY2hpbi5jb22CCHlvdXR1

LmJlggt5b3V0dWJlLmNvbYINKi55b3V0dWJlLmNvbYIUeW91dHViZWVkdWNhdGlv

bi5jb22CFioueW91dHViZWVkdWNhdGlvbi5jb22CD3lvdXR1YmVraWRzLmNvbYIR

Ki55b3V0dWJla2lkcy5jb22CBXl0LmJlggcqLnl0LmJlghphbmRyb2lkLmNsaWVu

dHMuZ29vZ2xlLmNvbYIbZGV2ZWxvcGVyLmFuZHJvaWQuZ29vZ2xlLmNughxkZXZl

bG9wZXJzLmFuZHJvaWQuZ29vZ2xlLmNughhzb3VyY2UuYW5kcm9pZC5nb29nbGUu

Y24wIQYDVR0gBBowGDAIBgZngQwBAgEwDAYKKwYBBAHWeQIFAzA8BgNVHR8ENTAz

MDGgL6AthitodHRwOi8vY3Jscy5wa2kuZ29vZy9ndHMxYzMvUU92SjBOMXNUMkEu

Y3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYARJRlLrDuzq/EQAfYqP4owNrm

gr7YyzG1P9MzlrW2gagAAAF6mJDzogAABAMARzBFAiANdJBh+kTU7M1C4BZpA+B1

hTpwX63DH+KwmB+i/YE3sAIhAPwhTKnf0iKUZbG8XOg5UkqQVrKcYsQHoZdbk0vg

lCSzAHYA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF6mJDzRQAA

BAMARzBFAiB+XxzOP2Sx/uBYzVTceFLMXxGjSMaC/+e6uab8hcXFtAIhAKyvvWjg

72xhI1GuF4siUFxK9RUUsxE2y0dlfwYtWujwMA0GCSqGSIb3DQEBCwUAA4IBAQA1

abfkRykEV/IAW3klNg79KMvTMV393m2AmSLDL5sC2q+hrGKg8h9AdGld62Zh/t6z

DEutkKS7ruQY6XJwSwdjMuBPtHFgK1uJByA+pMpDTZOjFvn5RpRzAoyYgACax/ot

VHPReSa88lXVzKMJEV94Jyt7E8a/tXLlktVCpTikx6OhkTNgQzdHXiZUON7PpkME

BgcSqPSL+A2rCJTtfz0aUhMx6K2LePwJ6OVXnNNNdpa54bODmwZoEYLaXsdigLt8

vScP3QU4gY9IP6AzCF0+/AJKHqMbA7GXhNYQaTPBjIq+cEB2FCxblJbWqOUDsCzH

fE3sf52FLu+/73n4rQl0

—–END CERTIFICATE—–

subject=/CN=*.google.com

issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3

No client certificate CA names sent

Server Temp Key: ECDH, X25519, 253 bits

SSL handshake has read 7109 bytes and written 193 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : ECDHE-RSA-CHACHA20-POLY1305

    Session-ID: 1630E8BADA695317F0F520D063E096E9DFD33A49734DC63294B12C0EF6922C5D

    Session-ID-ctx: 

    Master-Key: 459A743C7C4D3885F030F3638A512AB874F2A5B45EB07EC15D513C3E83EAC8FB3E32976071FD97CE24B970EEE7137F89

    TLS session ticket lifetime hint: 100800 (seconds)

    TLS session ticket:

    0000 – 01 86 94 66 e7 46 45 37-7a b1 e8 4a 3c d7 da 89   …f.FE7z..J<…

    0010 – 00 f6 d7 b7 a8 f4 bb fa-36 7a 45 57 27 15 db e6   ……..6zEW’…

    0020 – 3b d3 bc c0 1d 05 df 52-5a 35 db 6e 34 72 88 18   ;……RZ5.n4r..

    0030 – 69 cc b1 b1 9b 71 1d 67-26 6f 64 19 ad eb 3e 42   i….q.g&od…>B

    0040 – 5b 75 1a 25 c7 1e 60 a2-85 bd 24 84 7c 40 ea 7e   [u.%..`…$.|@.~

    0050 – a3 f4 00 15 1c 4c 5d 8d-ab c1 99 9f e0 cf 2d 7f   …..L]…….-.

    0060 – 3b 83 2f 5f 7d 06 04 6f-23 6d 04 50 42 a7 d0 0c   ;./_}..o#m.PB…

    0070 – e4 38 02 cf e7 b4 20 48-02 ab eb 60 00 44 21 73   .8…. H…`.D!s

    0080 – 9d 28 ba 86 4b 8d 10 45-74 77 03 7a 52 29 9c 1c   .(..K..Etw.zR)..

    0090 – c4 d0 94 55 37 a1 59 b1-e6 90 bc 63 d7 1a ea 13   …U7.Y….c….

    00a0 – 81 d6 f9 ef b8 11 84 e8-8f 99 93 f1 30 41 18 96   …………0A..

    00b0 – 8f 8b 62 b2 7b 8f 52 bf-db a3 07 cf 51 20 8f 0c   ..b.{.R…..Q ..

    00c0 – f5 13 ae 0d be c3 b0 96-44 64 83 22 13 e0 4b 6e   ……..Dd.”..Kn

    00d0 – b5 76 42 9f 3b bd b0 81-01 43 53 94 9a            .vB.;….CS..

    Start Time: 1628603903

    Timeout   : 7200 (sec)

    Verify return code: 0 (ok)

read:errno=0

Yes openssl ssl able to connect over SSL with the given cipher successfully . Like this we can test any server and port with cipher and protocol .

Happy Learning !!!

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *