Disabling SSL 3.0 or TLS 1.0 in WebLogic and enabling TLS 1.1 or TLS 1.2 with strong ciphers

Oracle WebLogic Server 12c Release 2 (12.2.1) brought support for new SSL features and updated standards. In that release WebLogic Server does not support SSL 2.0, and TLS 1.1 is the default minimum protocol version. You may set weblogic.security.SSL.protocolVersion or weblogic.security.SSL.minimumProtocolVersion to customize this, as described in the 12.2.1 documentation. The history for earlier releases:

    • Before 10.3.3 (11g), Certicom SSL was the only SSL implementation.
    • In 10.3.3 through 10.3.6 (11g), Certicom SSL is the default SSL implementation, with JSSE available by enabling a property switch (-Dweblogic.security.SSL.enableJSSE=true).
    • In 12.1.1 and up (12c), JSSE is the default SSL implementation and Certicom was removed.
    • TLS 1.1 and 1.2 are supported with the combination of JDK 7 Update 1 (or later) and JSSE enabled.
    • With JSSE and JDK 7+, higher security defaults are provided (e.g., stronger ciphers).
    • TLS 1.0 is supported on all releases using either the Certicom or the JSSE implementation.
    • WebLogic Server versions 10.3.6 and 12.1.1 and later are certified with JDK 7, which is what makes JSSE with TLS 1.1/1.2 possible.

It is recommended to be on 10.3.6 or a 12c release in order to use JSSE to its full potential, and because only these versions are eligible for error correction support. Earlier versions may behave unexpectedly, and fixes will not be available for them.

SSL / TLS Protocol Configuration for Oracle WebLogic Server

All versions of WebLogic Server (8.1 and up) allow SSL 2.0 and SSL 3.0 to be disabled with the following startup parameter, passed as a JAVA_OPTION; this is safe everywhere because TLS 1.0 is supported on every version:
-Dweblogic.security.SSL.protocolVersion=TLS1

The interpretation of this property is different depending on whether the Certicom or JSSE implementation is used.

    • For Certicom, setting -Dweblogic.security.SSL.protocolVersion=TLS1 enables only TLS 1.0.
    • For JSSE, setting -Dweblogic.security.SSL.protocolVersion=TLS1 enables any protocol starting with “TLS”, for example TLS 1.0, TLS 1.1, and TLS 1.2.

You may also disable older protocols by configuring a higher minimum protocol version. For example, to allow only TLS 1.1 and 1.2 (if supported by the JDK version), use the following as a JAVA_OPTION:
-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1

Note that minimumProtocolVersion is honoured only by the JSSE implementation; on a 10.3.6 server still running Certicom it has no effect, so enable JSSE first and confirm the result from the outside (see Testing Connections below).

Which setting to use depends on your requirements and on the clients that connect, some of which may be middleware servers. Not all vendors support TLS 1.1 and up (including some Oracle products), so you may want to keep TLS 1.0 available for that reason. If you use the WebLogic Server Plug-in 12c to proxy to WebLogic Server, it supports TLS 1.0, 1.1 and 1.2, but older plug-in versions may only support TLS 1.0.

Note that these properties only affect inbound connections, i.e. WebLogic Server acting as the SSL server. If you have applications that make connections to an external resource, see the next section.

Web Services and Client Applications (Outbound Connections)

You may also have applications running as a client (e.g. web services, scripts, or command-line tools) that make outbound SSL connections. Within a Fusion Middleware environment there are also internal processes that make SSL connections (e.g. OPMN, DMS, EM/FMW Control). To control the protocol versions those outbound connections offer, the following JDK system property is available (JDK 8, and later updates of JDK 7):

-Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2

The names must be the JSSE protocol names: TLS 1.0 is TLSv1, not TLSv1.0, and a name JSSE does not recognise is rejected rather than silently ignored. Drop TLSv1 from the list once every remote endpoint accepts TLS 1.1 or 1.2.

Testing Connections

openssl s_client -connect <hostname:port> -ssl3
openssl s_client -connect <hostname:port> -tls1
openssl s_client -connect <hostname:port> -tls1_1
openssl s_client -connect <hostname:port> -tls1_2

A completed handshake prints the negotiated version and cipher in the SSL-Session block (Protocol : TLSv1.2, Cipher : ...); a version the server has disabled ends with "New, (NONE), Cipher is (NONE)" and Cipher : 0000. To confirm that a particular cipher suite is (or is not) accepted on a given version, name it explicitly:

openssl s_client -connect <hostname:port> -tls1_2 -cipher AES256-SHA

Be aware that the client side can also be the limiting factor: OpenSSL 1.1.0 and later are built without SSL 3.0 by default (the -ssl3 option is then reported as unknown), and OpenSSL 3.x at its default security level will not complete a TLS 1.0 or 1.1 handshake unless you add -cipher 'DEFAULT@SECLEVEL=0'. A failure from a modern openssl therefore does not by itself prove the server has the version disabled.

Alternatively, and more comprehensively, the nmap utility with the ssl-enum-ciphers script installed will list every protocol version and cipher suite the server offers (nmap performs the handshakes itself, so it is independent of the local OpenSSL build):

nmap -p <port> --script ssl-enum-ciphers <hostname>
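The four s_client checks above, wrapped in a script that runs each handshake, parses the result and flags any version accepted below the minimum you configured with minimumProtocolVersion. This is an added example and not part of the original post; it assumes openssl(1) is on the PATH and that the host:port argument is a WebLogic SSL listener. The function names (parse_s_client, rank_of, below_policy, probe_all) are the example's own, and the sample s_client output used for its checks is constructed.

```shell
#!/bin/sh
# tls_probe.sh: probe a WebLogic SSL listener for SSL 3.0 / TLS 1.0 / 1.1 / 1.2
# and compare the result against the configured minimum version.
# Added example, not from the original post. Assumes openssl(1) on PATH.

# Read openssl s_client output on stdin and print one of:
#   accepted <protocol> <cipher>   handshake completed
#   refused                        no handshake (server rejected the version,
#                                  or the local OpenSSL security level did)
#   unsupported-by-client          this openssl build lacks the option
# Returns 0 only for "accepted". The decision rests on the Cipher line of
# the SSL-Session block, which s_client prints as "0000" when nothing was
# negotiated.
parse_s_client() {
    proto=""; cipher=""; unknown=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"nknown option"*)  unknown=1 ;;
            *"Protocol  :"*)    proto=${line#*: } ;;
            *"Cipher    :"*)    cipher=${line#*: } ;;
        esac
    done
    if [ "$unknown" -eq 1 ]; then
        echo "unsupported-by-client"; return 1
    fi
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo "refused"; return 1
    fi
    echo "accepted $proto $cipher"
}

# Rank versions so they can be compared with the policy. Accepts either the
# s_client flag or the JSSE-style name used by minimumProtocolVersion.
rank_of() {
    case "$1" in
        -ssl3|SSLv3)      echo 0 ;;
        -tls1|TLSv1)      echo 1 ;;
        -tls1_1|TLSv1.1)  echo 2 ;;
        -tls1_2|TLSv1.2)  echo 3 ;;
        *)                echo -1 ;;
    esac
}

# True (exit 0) when a probe result shows a version accepted below the minimum.
# $1 = s_client flag, $2 = parse_s_client output, $3 = minimum allowed version
below_policy() {
    [ "${2%% *}" = "accepted" ] && [ "$(rank_of "$1")" -lt "$(rank_of "$3")" ]
}

# Probe one version: $1 = host:port, $2 = s_client flag.
probe_version() {
    # stdin from /dev/null so s_client exits as soon as the handshake is done.
    openssl s_client -connect "$1" "$2" </dev/null 2>&1 | parse_s_client
}

# Probe all four versions. $2 is the lowest version the policy allows
# (default TLSv1.1, matching -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1).
# Returns 1 if any version below that minimum completed a handshake.
probe_all() {
    target=$1; min_allowed=${2:-TLSv1.1}; violations=0
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        result=$(probe_version "$target" "$flag" || true)
        printf '%-8s %s\n' "$flag" "$result"
        if below_policy "$flag" "$result" "$min_allowed"; then
            printf '%-8s ^ accepted below policy minimum %s\n' "" "$min_allowed"
            violations=$((violations + 1))
        fi
    done
    [ "$violations" -eq 0 ]
}

# Usage: sh tls_probe.sh host:port [TLSv1.1|TLSv1.2]
if [ "$#" -ge 1 ]; then
    probe_all "$@"
fi
```

Run it as sh tls_probe.sh wls-host:7002 TLSv1.2 after restarting with minimumProtocolVersion=TLSv1.2; a non-zero exit means at least one version below the minimum still handshakes. An "unsupported-by-client" row, or a "refused" row that you did not expect, should be re-checked with the nmap script above before you conclude anything about the server, since the local openssl may simply be unable to speak that version.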
