Thanks for visiting the site !!! Visit below intrested Ads to support us if you like the site .Sharing is caring .keep distance and keep safe . Happy Learning ... 😀

Mitigate the SSLv3 Vulnerability (“POODLE Attack”) in Oracle Weblogic

A security vulnerability affecting SSL v3.0 was publicly disclosed (Padding Oracle On Downgraded Legacy Encryption, or “Poodle”).  This security vulnerability is the result of a design flaw in SSL v3.0. This vulnerability has received the identifier CVE-2014-3566.

Disable SSLv3 protocol to close the above Security fix .

TLS 1.2 is the default minimum protocol version configured in WebLogic Server 14.1.1. TLS 1.3 support is available in WebLogic Server versions that are certified with Java SE implementations supporting TLS 1.3 in JSSE. e.g., TLS 1.3 support is available in WebLogic Server 14.1.1 when using Java SE 11 or JDK 8 u261+.

Oracle WebLogic Server does not support SSL 2.0 and TLS 1.1 is the default minimum. You may set the weblogic.security.SSL.protocolVersion or weblogic.security.SSL.minimumProtocolVersion to customize as per the 12.2.1 Documentation. (e.g, if you wanted TLS 1.0 or 1.2 to be a minimum. Note that TLS 1.3 support is available in WebLogic Server 12.2.1.4 or 12.2.1.3 with JDK 8 u261+.

All versions of WebLogic Server (8.1 and up) allow SSL 2.0 and SSL 3.0 to be disabled with the following parameter at startup as a JAVA_OPTION because TLS 1.0 is minimally supported on all versions

-Dweblogic.security.SSL.protocolVersion=TLS1

The interpretation of this property is different depending on whether the Certicom or JSSE implementation is used.

For Certicom, setting -Dweblogic.security.SSL.protocolVersion=TLS1 enables only TLS 1.0.
For JSSE, setting -Dweblogic.security.SSL.protocolVersion=TLS1 enables any protocol starting with “TLS”, for example TLS 1.0, TLS 1.1, and TLS 1.2.

We can disable SSL protocols with below paramerter.

-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1

Note this only affects inbound connections.For Outbound connections refer below .

if the weblogic server has an application and making the connection to external server then that is considered as outbound call . To make sure that outbound call will not happens with SSLv3 or to have better control on the protocol then use below

Example to allow all TLS protocols for the most common SSLSocket or SSLSocketFactory classes:

-Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2

Applications using the HttpsClient or HttpsURLConnection classes can use the https.protocols system property:

-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

See Also: Note 1996254.1 How to Enable TLSv1.2 as the Default Protocol for SSL Connections on Java SE 7 Clients
You should also disable SSLv2 Client Hello in WLS startup scripts:

-Dweblogic.ssl.SSLv2HelloEnabled=false

The jdk.tls.client.protocols system property is available since 7u95 and 6u121 to be able to set this. All versions of JDK 8 support this. In other words, older JDK versions only support TLS 1.0 for outbound client connections.

Testing Connections

A common method to test is by setting options on your browser and testing one protocol at a time. If you only want TLS 1.2 to work, then disable all other protocols in your browser settings.

Alternatively If you have openssl on your system, you can test to ensure what you have configured is working with the following commands to connect:

openssl s_client -connect <hostname:port> -ssl3
openssl s_client -connect <hostname:port> -tls1
openssl s_client -connect <hostname:port> -tls1_1
openssl s_client -connect <hostname:port> -tls1_2

openssl s_client -connect <hostname:port> -tls1_2 -cipher AES256-SHA

SSL_RSA_WITH_AES_256_CBC_SHA openssl cipher AES256-SHA

We can refer URL to get the list of Protocols and ciphers supported Refer Link

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *