Saturday, July 29, 2017

Disabling SSL 2.0/3.0 and enabling TLS 1.0 or higher in Weblogic 10.3.6 & JDK 7

SSL in Weblogic
Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network to authenticate each other's identity and by encrypting the data exchanged between the applications.
SSL in WebLogic Server 10.3.6 is an implementation SSL 3.0 and Transport Layer Security (TLS) 1.0 specifications.
Certicom is currently the default SSL implementation in Weblogic Server.
JSSE may be enabled as an alternative SSL implementation.



So why disable SSL 2.0/3.0?
Oracle WebLogic Server should configured exclude SSL 2.0 and/or SSL 3.0 to in order to mitigate the Poodle vulnerability. This often comes as a direction from security teams. The recommended protocols are TLS 1.0 and preferably TLS 1.2 which is more recent.

What protocol to use if not SSL 2.0/3.0?
Transport layer Protocol (TLS) 1.0 and preferably 1.1 or 1.2.
Key Question 1 - So what configurations would a Middleware Admin make to disable SSL V2/V3 support on Weblogic and enable TLS protocols which are safer and recommended by Oracle?
Key Question 2 - How do we enable Weblogic to use TLS 1.0 and above SSL protocol for inbound and outbound connections?

Let’s try and answer it.

Now assuming the Weblogic version is 10.3.6 and JDK used is 1.7 plus below is some facts to know and consider before making changes.
      Before 10.3.3 (11g), Certicom SSL was the only SSL implementation.
      In 10.3.3 thru 10.3.6 (11g), Certicom SSL is the default SSL implementation, with JSSE available by enabling a property switch.
      TLS 1.1 and 1.2 is supported with a combination of JDK 7 Update 1 (or later) and JSSE enabled
      TLS 1.0 is supported on all releases using either Certicom or JSSE implementation
      Weblogic Server versions 10.3.6 and 12.1.1 and later are certified with JDK 7 in order to enable JSSE and TLS 1.1/1.2

Inbound
Dweblogic.security.SSL.protocolVersion=TLS1
The interpretation of this property is different depending on whether the Certicom or JSSE implementation is used.
q For Certicom, setting -Dweblogic.security.SSL.protocolVersion=TLS1 enables only TLS 1.0.
q For JSSE, setting -Dweblogic.security.SSL.protocolVersion=TLS1 enables any protocol starting with "TLS", for example TLS 1.0, TLS 1.1, and TLS 1.2.
You may also disable older protocols by configuring a higher minimum protocol. For example, to gain TLS 1.1 and 1.2 support, (if supported by the JDK version), use the following as a JAVA_OPTION:
      -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1

Outbound
 To enable it, you need to use the following -D flags :
       -Dhttps.protocols="TLSv1.2“
Or as a list of choices (handshake is first attempted at the highest level protocol):
       -Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2"
You may also disable older protocols by configuring a higher minimum protocol.
      Add -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2
You may also have applications running as a client, (e.g. web services, scripts, or command line) for an outbound ssl connection. Within a Fusion Middleware environment there are also internal processes running where an ssl connection is made, (e.g. OPMN, DMS, EM/FMW Control). To control the outbound connections the following system property is available:

       -Djdk.tls.client.protocols=TLSv1.0,TLSv1.1,TLSv1.2

Hope this post has been helpful to you. I have tried answering the two questions I put to start our discussion.
For understanding the changes needed for disabling SSL V2/3 or enabling TLS on Weblogic 12C/JDK8 please refer here

Made the above changes and still not able to connect using TLS 1.2? Do you get the below error ? 

"javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure"

In case yes please refer to to the solution here.
Please feel free to ask any questions you may have in the comment section. Keep learning and spread the word! 


Soumya

No comments:

Post a Comment