Saturday, July 29, 2017

TLS Support on Weblogic 12C & JDK8

SSL in Weblogic
Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network to authenticate each other's identity and by encrypting the data exchanged between the applications.
SSL in WebLogic Server 12.1/12.2 is an implementation of the Transport Layer Security (TLS) 1.2 specification. It is backward compatible, hence TLS 1.0 and 1.1 are also supported.
JSSE is currently the default SSL implementation in WebLogic Server. (Certicom is deprecated and was supported in WebLogic 10.3.6.)

So why are we having this discussion?
Oracle WebLogic Server should be configured to exclude SSL 2.0 and/or SSL 3.0 in order to mitigate the POODLE vulnerability. This often comes as a direction from security teams. WebLogic 10.3.6 and JDK 7 installs needed configuration changes to exclude these protocols.
So is any such configuration needed for WebLogic 12c (12.1 & 12.2) installed with JDK 8? For WebLogic 10.3.6 and JDK 1.7, please refer to my post here.

So what’s the answer?

The answer is NO. Let's go into a bit of detail here. I will be talking about both inbound and outbound connections.

  • JDK 8 will use TLS 1.2 as the default (no external setting needed).
  • It supports TLS 1.0/1.1 as well (backward compatible).
  • You may also disable older protocols by configuring a higher minimum protocol. For example, to gain TLS 1.1 and 1.2 support (if supported by the JDK version), use the following as a JAVA_OPTION: 
  • JDK 8 allows both TLS 1.1 and 1.2 by default.
  • You may also set a minimum by removing the older versions, but it is important to consider the external servers the application is connecting to.
  • The protocol will always be negotiated to the highest supported level between the client and server.
  • Set a minimum by removing the older versions as shown below (let's say you do not want to support TLS 1.0).
So, in short, if your WebLogic/JDK versions are 12.2.1/1.8, the default SSL implementation is JSSE and the default TLS version supported is TLS 1.2. TLS 1.0/1.1 are also supported (since it is backward compatible).
Hence, unlike WebLogic 10.3.6/1.7, we need to set no extra Java parameters to disable SSL v2/v3. Use the above parameters highlighted in yellow only if you want to restrict certain older TLS versions. The 12c/JDK 1.8 install will support all TLS versions (1.0 to 1.2). The protocol will always be negotiated to the highest supported level between the client and server.
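
To check these defaults on a given install, here is an added example (not code from the original post): a small Java program, run with the same JDK and the same -D options as the server, that lists the protocols JSSE enables by default and exits non-zero if any is older than a chosen floor. The class name `JsseProtocolAudit` and the default floor of TLSv1.1 are assumptions; it inspects the JVM's JSSE defaults only and does not see any minimum that WebLogic itself applies to inbound connections.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example: audits the JSSE protocol defaults of the JVM it runs in.
// The class name and the TLSv1.1 default floor are illustrative assumptions.
public class JsseProtocolAudit {
    // JSSE protocol names, oldest first. SSLv2Hello is only a hello format.
    static final List<String> ORDER = Arrays.asList(
            "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");

    // Returns the entries of 'enabled' that are older than 'minimum'.
    static List<String> belowMinimum(String[] enabled, String minimum) {
        int floor = ORDER.indexOf(minimum);
        if (floor < 0) {
            throw new IllegalArgumentException("unknown protocol: " + minimum);
        }
        List<String> tooOld = new ArrayList<String>();
        for (String protocol : enabled) {
            int idx = ORDER.indexOf(protocol);
            if (idx >= 0 && idx < floor) {
                tooOld.add(protocol);
            }
        }
        return tooOld;
    }

    public static void main(String[] args) throws Exception {
        String minimum = args.length > 0 ? args[0] : "TLSv1.1";
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();     // used when code sets nothing
        SSLParameters supported = ctx.getSupportedSSLParameters(); // what JSSE could enable
        // A printed "null" below means the property is not set.
        System.out.println("jdk.tls.client.protocols = "
                + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("supported = " + Arrays.toString(supported.getProtocols()));
        System.out.println("enabled   = " + Arrays.toString(enabled.getProtocols()));
        List<String> tooOld = belowMinimum(enabled.getProtocols(), minimum);
        System.out.println(tooOld.isEmpty()
                ? "OK: nothing older than " + minimum + " is enabled by default"
                : "FAIL: enabled below " + minimum + ": " + tooOld);
        System.exit(tooOld.isEmpty() ? 0 : 1);
    }
}
```

Pass the floor as the first argument, for example `java JsseProtocolAudit TLSv1.2`, and compare the output with and without the options you add to JAVA_OPTIONS.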

Please feel free to ask any questions you may have in the comment section. Keep learning and spread the word! 



  3. For SOA, we have TLS 1.0 installed at the load balancer level, and we are upgrading it to TLS 1.2. Do we need to implement any prerequisites before turning off TLS 1.0 and using TLS 1.2 for the SOA environment so it won't affect any application functionality?

    Product Version
    JDK : java version "1.7.0_151"
    WLS : WebLogic Server Version:
    SOA : SOA

    1. Hi Ashish,

      Did you get any answer? I have the exact same configuration as you and would like to know if I had to do anything before blocking TLSv1.0 on the load balancer.

      Harihara V

  7. Hi Soumya,

    Where do I put the yellow highlighted code?
    Is it OK in the startWeblogic.cmd java_option, or anywhere else?
    Please suggest.


  8. Great ! Excellent content to refer.

  9. Hi Soumya,

    Inbound connections are when the server is accepting requests.

    Outbound connections are when the server is sending requests.

    Can you please confirm: if we apply the parameter for inbound connections, will the server accept and request TLSv1.1? Can you please clarify this?