Secure Sockets Layer (SSL) provides secure connections by
allowing two applications connecting over a network to authenticate each
other's identity and by encrypting the data exchanged between the applications.
SSL in WebLogic Server 12.1/12.2 is an implementation of the
Transport Layer Security (TLS) 1.2 specifications (backward compatible, hence
1.0 & 1.1 are supported).
JSSE is currently the default SSL implementation in WebLogic
Server. (Certicom is deprecated; it is supported in WebLogic 10.3.6.)
So why are we having
Oracle WebLogic Server should be configured to exclude
SSL 2.0 and/or SSL 3.0 in order to mitigate the POODLE vulnerability. This
often comes as a direction from security teams. Configuration changes were
needed on WebLogic 10.3.6 and JDK 7 installs to exclude these
So is any such configuration needed for WebLogic 12c (12.1 & 12.2)
installed with JDK 8? For WebLogic 10.3.6 and JDK 1.7, please refer to my post here.
So what’s the answer?
The answer is NO. Let's look at this in a bit more detail
here. I will be talking about both inbound and outbound connections.
JDK 8 will use TLS 1.2 as default (No external setting
Supports TLS 1.0/1.1 as well – (backward compatible)
You may also disable older protocols by configuring a
higher minimum protocol. For example, to gain TLS 1.1 and 1.2 support (if
supported by the JDK version), use the following as a JAVA_OPTION:
The JDK 8 default allows both TLS 1.1 and 1.2 by
You may also set a minimum by removing the older
versions, but it is important to consider the external servers the
application is connecting to.
The protocol will always be negotiated to the highest
supported level between the client and server.
Set a minimum by removing the older versions as shown
below (let's say you do not want to support TLS 1.0).
So in short, if your WebLogic/JDK versions are
12.2.1/1.8, the default SSL implementation is JSSE and the default TLS version
supported is TLS 1.2. TLS 1.0/1.1 are also supported (since backward
Hence, unlike WebLogic 10.3.6/1.7, we need to set
no extra Java parameters to disable SSL v2/v3. Use the parameters above only if you want to restrict certain older TLS versions. The 12c/JDK 1.8 install will
support all TLS versions (1.0 to 1.2). The protocol will always be negotiated
to the highest supported level between the client and server.
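
To confirm on a given host which protocol versions the JDK enables for outbound (client) and inbound (server) connections, the following check can be compiled and run there. It is an added example, not code from the original post or from Oracle; the class name `TlsFloorCheck` is hypothetical, and it reports the JSSE defaults of the JVM it runs in, not the settings of a particular WebLogic listener.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsFloorCheck {
    // Protocol versions in ascending order. "SSLv2Hello" is only a hello
    // framing format in JSSE, not a protocol version, so it is not ranked.
    static final List<String> ORDER =
        Arrays.asList("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");

    // Return the enabled protocols that rank below the required minimum.
    static List<String> belowFloor(String[] enabled, String minimum) {
        int floor = ORDER.indexOf(minimum);
        if (floor < 0) throw new IllegalArgumentException("unknown protocol: " + minimum);
        List<String> weak = new ArrayList<String>();
        for (String p : enabled) {
            int rank = ORDER.indexOf(p);
            if (rank >= 0 && rank < floor) weak.add(p);
        }
        return weak;
    }

    // Enabled protocols of the JVM's default SSLContext for one side.
    static String[] enabledFor(boolean clientMode) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(clientMode);
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        // Default minimum is TLS 1.0, i.e. "no SSL v3 or lower enabled".
        String minimum = args.length > 0 ? args[0] : "TLSv1";
        boolean ok = true;
        for (boolean client : new boolean[] {true, false}) {
            String[] enabled = enabledFor(client);
            List<String> weak = belowFloor(enabled, minimum);
            System.out.println((client ? "outbound (client)" : "inbound (server)")
                + " enabled=" + Arrays.toString(enabled) + " belowMinimum=" + weak);
            ok &= weak.isEmpty();
        }
        System.exit(ok ? 0 : 1); // non-zero exit when something below the minimum is enabled
    }
}
```

Run it with the same JDK and JAVA_OPTIONS as the managed server and pass the minimum your policy requires, for example `TLSv1.1`; it exits non-zero if anything lower is enabled.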
Please feel free to ask any questions you may
have in the comment section. Keep learning and spread the word!