SSL in Weblogic
Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network to authenticate each other's identity and by encrypting the data exchanged between the applications.
SSL in WebLogic Server 10.3.6 is an implementation of the SSL 3.0 and Transport Layer Security (TLS) 1.0 specifications.
Certicom is currently the default SSL implementation in WebLogic Server.
So why disable SSL 2.0/3.0?
Oracle WebLogic Server should be configured to exclude SSL 2.0 and/or SSL 3.0 in order to mitigate the POODLE vulnerability. This often comes as a direction from security teams. The recommended protocols are TLS 1.0 and preferably TLS 1.2, which is more recent.
What protocol to use if not SSL 2.0/3.0?
Transport Layer Security (TLS) 1.0 and preferably 1.1 or 1.2.
Key Question 1 - What configuration changes would a Middleware Admin make to disable SSL v2/v3 support on WebLogic and enable the TLS protocols, which are safer and recommended by Oracle?
Key Question 2 - How do we enable WebLogic to use TLS 1.0 and above for inbound and outbound connections?
Let's try and answer them.
Now, assuming the WebLogic version is 10.3.6 and the JDK used is 1.7 or later, below are some facts to know and consider before making changes.
• Before 10.3.3 (11g), Certicom SSL was the only SSL implementation.
• In 10.3.3 through 10.3.6 (11g), Certicom SSL is the default SSL implementation, with JSSE available by enabling a property switch.
• TLS 1.1 and 1.2 are supported with a combination of JDK 7 Update 1 (or later) and JSSE enabled.
• TLS 1.0 is supported on all releases using either the Certicom or the JSSE implementation.
• WebLogic Server versions 10.3.6 and 12.1.1 and later are certified with JDK 7 in order to enable JSSE and TLS 1.1/1.2.
Inbound
-Dweblogic.security.SSL.protocolVersion=TLS1
The interpretation of this property is different depending on whether the Certicom or the JSSE implementation is used.
• For Certicom, setting -Dweblogic.security.SSL.protocolVersion=TLS1 enables only TLS 1.0.
• For JSSE, setting -Dweblogic.security.SSL.protocolVersion=TLS1 enables any protocol starting with "TLS", for example TLS 1.0, TLS 1.1, and TLS 1.2.
You may also disable older protocols by configuring a higher minimum protocol. For example, to gain TLS 1.1 and 1.2 support (if supported by the JDK version), use the following as a JAVA_OPTION:
-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1
Outbound
To enable it, use the following -D flag:
-Dhttps.protocols="TLSv1.2"
Or as a list of choices (the handshake is first attempted at the highest-level protocol):
-Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2"
You may also disable older protocols by configuring a higher minimum protocol. Add:
-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2
You may also have applications running as a client (e.g. web services, scripts, or command-line tools) that make an outbound SSL connection. Within a Fusion Middleware environment there are also internal processes that make SSL connections (e.g. OPMN, DMS, EM/FMW Control). To control these outbound connections the following system property is available:
-Djdk.tls.client.protocols=TLSv1.0,TLSv1.1,TLSv1.2
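To tie the inbound and outbound settings together, here is an added example (not from the original post or from Oracle) of a small POSIX shell helper that assembles the -D flags above into a JAVA_OPTIONS string for a WebLogic 10.3.6 / JDK 7 domain and then lints the result. Two things in it are assumptions rather than taken from the post: that -Dweblogic.security.SSL.enableJSSE=true is the "property switch" that selects JSSE over Certicom, and that the domain start script expands the variable JAVA_OPTIONS without an eval (so quote characters inside the value would reach the JVM literally, which is why the values are emitted unquoted).

```shell
#!/bin/sh
# Added example: build and lint WebLogic 10.3.6 / JDK 7 TLS settings.
# Assumptions (not stated in the post):
#   - -Dweblogic.security.SSL.enableJSSE=true selects JSSE over Certicom
#   - JAVA_OPTIONS is expanded unquoted by setDomainEnv.sh/startWebLogic.sh

# Print the JAVA_OPTIONS fragment for a given minimum protocol.
# The outbound lists contain every protocol from the minimum upward, so
# the server never offers anything older than what it accepts inbound.
wls_tls_java_options() {
  min="${1:-TLSv1.1}"
  case "$min" in
    TLSv1)   client_list="TLSv1,TLSv1.1,TLSv1.2" ;;
    TLSv1.1) client_list="TLSv1.1,TLSv1.2" ;;
    TLSv1.2) client_list="TLSv1.2" ;;
    *) echo "unsupported minimum protocol: $min" >&2; return 1 ;;
  esac
  printf '%s' \
    "-Dweblogic.security.SSL.enableJSSE=true" \
    " -Dweblogic.security.SSL.protocolVersion=TLS1" \
    " -Dweblogic.security.SSL.minimumProtocolVersion=$min" \
    " -Dhttps.protocols=$client_list" \
    " -Djdk.tls.client.protocols=$client_list"
}

# Lint an existing JAVA_OPTIONS string: returns 0 when it disables SSLv2/v3
# and pins the minimum at TLS 1.1 or higher, 1 (with a reason on stderr)
# otherwise. protocolVersion=SSL3 / =ALL are the other documented values
# of that property and both leave SSLv3 enabled, so they are rejected.
wls_tls_check() {
  opts="$1"
  case "$opts" in
    *SSLv2*|*SSLv3*|*protocolVersion=SSL3*|*protocolVersion=ALL*)
      echo "check: SSLv2/SSLv3 still enabled in JAVA_OPTIONS" >&2; return 1 ;;
  esac
  case "$opts" in
    *-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1*|\
    *-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2*) ;;
    *) echo "check: minimumProtocolVersion missing or below TLSv1.1" >&2; return 1 ;;
  esac
  case "$opts" in
    *-Dweblogic.security.SSL.enableJSSE=true*) ;;
    *) echo "check: JSSE not enabled; TLS 1.1/1.2 need JSSE on 10.3.6" >&2; return 1 ;;
  esac
  return 0
}

# Usage, e.g. near the end of setDomainEnv.sh:
#   JAVA_OPTIONS="${JAVA_OPTIONS} $(wls_tls_java_options TLSv1.1)"
#   export JAVA_OPTIONS
#   wls_tls_check "$JAVA_OPTIONS" || exit 1
```

Run the check before starting the managed server so that a later edit that re-adds SSLv3 (or drops the JSSE switch, which silently falls back to Certicom and therefore to TLS 1.0 only) fails the start rather than going unnoticed.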
Hope this post has been helpful to you. I have tried to answer the two questions I posed to start our discussion.
For the changes needed to disable SSL v2/v3 or enable TLS on WebLogic 12c/JDK 8, please refer here.
Made the above changes and still not able to connect using TLS 1.2? Do you get the error below?
"javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure"
If yes, please refer to the solution here.
Please feel free to ask any questions you may
have in the comment section. Keep learning and spread the word!
Soumya