2 Replies Latest reply: Jan 17, 2013 7:58 AM by Rayfi

    Disabling SSL2 in WebLogic 10.3 not working correctly

    808746
      Hey,

      I am trying to disable SSLv2 completely within WebLogic and am using the information contained here (http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/ssl.html#wp1194346) and have specifically made sure I'm using jsafeFIPS.jar and the "-Dweblogic.security.SSL.nojce=true" argument. I want to allow ONLY TLS and SSLv3 communication. Unfortunately, when I attempt to test this setup by forcing my browser to attempt a connection over SSL2 (and any available cipher), WebLogic will still allow me to initiate a connection and exchange certificates. To be clear, that means the packet flow looks like this when I try https://server/:

      ME-SERVER: SYN
      SERVER-ME: SYN,ACK
      ME-SERVER: ACK
      (the stuff above is just the TCP stream initiation)

      ME-SERVER: SSLv2 Client Hello (with my list of ciphers in here of course)
      SERVER-ME: ACK
      SERVER-ME: SSLv2 Server Hello (and it shows 2 cipher specs -- in the SSL2 space, and it provides my certificate)
      ME-SERVER: ACK
      ME-SERVER: SSLv2 Client Master Key (I choose to use one of the ciphers we both have)
      SERVER-ME: ACK

      (the stuff below is the tear down of the TCP stream)
      SERVER-ME: FIN,ACK
      ME-SERVER: ACK
      ME-SERVER: FIN,ACK


      The problem here is that I don't want WebLogic to walk down the path of offering ciphers it knows it will immediately reject. And I'd prefer it not even respond when SSLv2 hellos are offered. I'm lost at this point -- is this something WebLogic can do?
        • 1. Re: Disabling SSL2 in WebLogic 10.3 not working correctly
          808746
          I just wanted to add one more thing here: the functionality on the SSL-based node manager is even worse. Here's how that packet flow appears. The thing to focus on here is that the tear down of the TCP stream is actually initiated by me and not by the server. I'm using a browser to test this, so it looks like the browser is trying to make something happen and then timing out. To be clear, it takes me almost exactly 30 seconds before I tear down my side of this TCP session (probably a timeout).

          ME-SERVER: SYN
          SERVER-ME: SYN,ACK
          ME-SERVER: ACK
          (the stuff above is just the TCP stream initiation)

          ME-SERVER: SSLv2 Client Hello (with my list of ciphers in here of course)
          SERVER-ME: ACK
          SERVER-ME: SSLv2 Server Hello (and it shows 2 cipher specs -- in the SSL2 space, and it provides my certificate)
          ME-SERVER: ACK
          ME-SERVER: SSLv2 Client Master Key (I choose to use one of the ciphers we both have)
          SERVER-ME: ACK

          (the stuff below is the tear down of the TCP stream)
          ME-SERVER: FIN,ACK
          SERVER-ME: ACK
          SERVER-ME: FIN,ACK
          ME-SERVER: ACK
          • 2. Re: Disabling SSL2 in WebLogic 10.3 not working correctly
            Rayfi
            Hi, check the following link:
            http://docs.oracle.com/cd/E17904_01/web.1111/e13707/ssl.htm

            It says:

            Specifying the Version of the SSL Protocol
            WebLogic Server supports both the SSL V3.0 and TLS V1.0 protocols. When WebLogic Server is acting as an SSL server, the protocol that the client specifies as preferred in its client hello message is used. Note that WebLogic Server does not support SSL V2.0. When WebLogic Server is acting as an SSL client, it specifies TLS1.0 as the preferred protocol in its SSL V2.0 client hello message, but can use SSL V3.0 as well, if that is the highest version that the SSL server on the other end supports. The peer must respond with an SSL V3.0 or TLS V1.0 message or the SSL connection is dropped.
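The quoted passage turns on a distinction the captures above do not make visible: a ClientHello in SSLv2 record format can ask for TLS 1.0 and carry only TLS cipher suites, while the poster's server replied with a genuine SSLv2 ServerHello listing SSLv2 cipher specs. The following is an added example, not code from this thread or from WebLogic: it encodes and decodes the SSLv2-format hello messages per the SSLv2 draft layout and classifies a server's first reply, so a capture can be checked for a real SSLv2 offer rather than just v2 framing. The sample server messages are constructed, not taken from the poster's trace.

```python
import struct

SSL2_MSG_CLIENT_HELLO = 1
SSL2_MSG_SERVER_HELLO = 4
SSL_CK_RC4_128_WITH_MD5 = 0x010080   # SSLv2-only cipher spec (high byte != 0)
TLS_RSA_WITH_RC4_128_SHA = 0x000005  # a TLS cipher suite in 3-byte SSLv2 form

def build_ssl2_client_hello(version, cipher_specs, challenge):
    """Encode an SSLv2-format CLIENT-HELLO: 2-byte header (high bit set) + body."""
    specs = b"".join(struct.pack(">I", c)[1:] for c in cipher_specs)  # 3 bytes each
    body = (bytes([SSL2_MSG_CLIENT_HELLO]) + struct.pack(">H", version)
            + struct.pack(">HHH", len(specs), 0, len(challenge)) + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_ssl2_client_hello(data):
    """Return the version asked for and the cipher specs offered, or None."""
    if len(data) < 11 or not (data[0] & 0x80) or data[2] != SSL2_MSG_CLIENT_HELLO:
        return None
    version, spec_len, _sid_len, _chal_len = struct.unpack(">HHHH", data[3:11])
    specs = data[11:11 + spec_len]
    ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, len(specs), 3)]
    # A hello in SSLv2 *format* is an SSLv2 *protocol* offer only if it asks for
    # version 0x0002 or carries cipher specs from the SSLv2 space.
    return {"version": version, "ciphers": ciphers,
            "offers_sslv2": version == 0x0002 or any(c >> 16 for c in ciphers)}

def classify_server_response(data):
    """Classify what a server sent back to the hello (empty bytes = it closed)."""
    if not data:
        return "closed"
    if data[0] & 0x80 and len(data) >= 13 and data[2] == SSL2_MSG_SERVER_HELLO:
        # SERVER-HELLO: type, session-id-hit, cert-type, version, cert-len,
        # cipher-specs-len, connection-id-len, then the variable-length data
        version, _cert_len, spec_len, _cid_len = struct.unpack(">HHHH", data[5:13])
        return "ssl2-server-hello v%04x specs=%d" % (version, spec_len // 3)
    if data[0] == 0x15:
        return "tls-alert"
    if data[0] == 0x16:
        return "tls-handshake"
    return "unknown"

# Constructed samples: an SSLv2 SERVER-HELLO listing two SSLv2 cipher specs (the
# shape of the poster's capture, certificate omitted) and a TLS 1.0 fatal
# handshake_failure alert, one of the replies a server that refuses SSLv2 can give.
SAMPLE_SSL2_SERVER_HELLO = (struct.pack(">H", 0x8000 | 17)
                            + bytes([SSL2_MSG_SERVER_HELLO, 0, 1])
                            + struct.pack(">HHHH", 0x0002, 0, 6, 0)
                            + b"\x01\x00\x80" + b"\x07\x00\xc0")
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"
```

Run `classify_server_response` on the first bytes a server returns after a v2-format hello: an "ssl2-server-hello" result is the condition the poster describes, while "tls-alert", "tls-handshake" or "closed" means SSLv2 itself was not negotiated.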