2 Replies. Latest reply: Jan 17, 2013 5:58 AM by 670319

Disabling SSL2 in WebLogic 10.3 not working correctly

808746 Newbie
Hey,

I am trying to disable SSLv2 completely within WebLogic and am using the information contained here (http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/ssl.html#wp1194346), and have specifically made sure I'm using jsafeFIPS.jar and the "-Dweblogic.security.SSL.nojce=true" argument. I want to allow ONLY TLS and SSLv3 communication. Unfortunately, when I attempt to test this setup by forcing my browser to attempt a connection over SSL2 (and any available cipher), WebLogic will still allow me to initiate a connection and exchange certificates. To be clear, that means the packet flow looks like this when I try https://server/:

ME-SERVER: SYN
SERVER-ME: SYN,ACK
ME-SERVER: ACK
(the stuff above is just the TCP stream initiation)

ME-SERVER: SSLv2 Client Hello (with my list of ciphers in here of course)
SERVER-ME: ACK
SERVER-ME: SSLv2 Server Hello (and it shows 2 cipher specs -- in the SSL2 space, and it provides my certificate)
ME-SERVER: ACK
ME-SERVER: SSLv2 Client Master Key (I choose to use one of the ciphers we both have)
SERVER-ME: ACK

(the stuff below is the tear down of the TCP stream)
SERVER-ME: FIN,ACK
ME-SERVER: ACK
ME-SERVER: FIN,ACK


The problem here is that I don't want WebLogic to walk down the path of offering ciphers it knows it will immediately reject. And I'd prefer it not even respond when SSLv2 hellos are offered. I'm lost at this point -- is this something WebLogic can do?
  • 1. Re: Disabling SSL2 in WebLogic 10.3 not working correctly
    808746 Newbie
    I just wanted to add one more thing here: the functionality on the SSL-based node manager is even worse. Here's how that packet flow appears. The thing to focus on here is that the tear down of the TCP stream is actually initiated by me and not by the server. I'm using a browser to test this, so it looks like the browser is trying to make something happen and then timing out. To be clear, it takes me almost exactly 30 seconds before I tear down my side of this TCP session (probably a timeout).

    ME-SERVER: SYN
    SERVER-ME: SYN,ACK
    ME-SERVER: ACK
    (the stuff above is just the TCP stream initiation)

    ME-SERVER: SSLv2 Client Hello (with my list of ciphers in here of course)
    SERVER-ME: ACK
    SERVER-ME: SSLv2 Server Hello (and it shows 2 cipher specs -- in the SSL2 space, and it provides my certificate)
    ME-SERVER: ACK
    ME-SERVER: SSLv2 Client Master Key (I choose to use one of the ciphers we both have)
    SERVER-ME: ACK

    (the stuff below is the tear down of the TCP stream)
    ME-SERVER: FIN,ACK
    SERVER-ME: ACK
    SERVER-ME: FIN,ACK
    ME-SERVER: ACK
  • 2. Re: Disabling SSL2 in WebLogic 10.3 not working correctly
    670319 Newbie
    Hi, check the following link:
    http://docs.oracle.com/cd/E17904_01/web.1111/e13707/ssl.htm

    It says:

    Specifying the Version of the SSL Protocol
    WebLogic Server supports both the SSL V3.0 and TLS V1.0 protocols. When WebLogic Server is acting as an SSL server, the protocol that the client specifies as preferred in its client hello message is used. Note that WebLogic Server does not support SSL V2.0. When WebLogic Server is acting as an SSL client, it specifies TLS1.0 as the preferred protocol in its SSL V2.0 client hello message, but can use SSL V3.0 as well, if that is the highest version that the SSL server on the other end supports. The peer must respond with an SSL V3.0 or TLS V1.0 message or the SSL connection is dropped.
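A way to check from the outside whether a listener still answers an SSLv2 hello the way the captures in this thread show, added here as an example and not code from the posts above or from Oracle: it sends one SSLv2 CLIENT-HELLO and classifies the reply as an SSLv2 SERVER-HELLO (hello accepted at the record layer, cipher specs and certificate returned), an SSLv3/TLS alert, or a closed connection, which is the outcome the original poster wants after the configuration change. The `probe` host and port are whatever you are verifying; the `sample_server_hello` bytes are constructed to mirror the thread's capture (two SSLv2 cipher specs plus a certificate) so the parser can be exercised offline.

```python
import socket
import struct

# SSLv2 CIPHER-SPEC identifiers (3 bytes each) from the SSL 2.0 specification.
SSL2_CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def build_sslv2_client_hello(challenge=b"\x00" * 16):
    """CLIENT-HELLO: type(1) version(2) cipher_len(2) sid_len(2) chal_len(2) ciphers sid challenge."""
    ciphers = b"".join(SSL2_CIPHER_SPECS)
    body = b"\x01\x00\x02" + struct.pack(">HHH", len(ciphers), 0, len(challenge)) + ciphers + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body   # 2-byte SSLv2 record header, high bit set

def classify_response(data):
    """Classify the first bytes a server returns after the CLIENT-HELLO above."""
    if not data:
        return {"verdict": "closed"}            # connection dropped: the SSLv2 hello was refused
    if data[0] == 0x15 and len(data) >= 7:       # SSLv3/TLS alert record: refused with an alert
        return {"verdict": "alert", "level": data[5], "description": data[6]}
    if data[0] & 0x80 and len(data) >= 13 and data[2] == 0x04:   # SSLv2 SERVER-HELLO (type 4)
        sid_hit, cert_type, version, cert_len, cs_len, cid_len = struct.unpack(">BBHHHH", data[3:13])
        specs = data[13 + cert_len:13 + cert_len + cs_len]         # cipher specs follow the certificate
        names = [SSL2_CIPHER_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex()) for i in range(0, len(specs), 3)]
        return {"verdict": "sslv2-server-hello", "version": version,
                "has_certificate": cert_len > 0, "cipher_specs": names}
    return {"verdict": "unknown", "first_bytes": data[:8].hex()}

def probe(host, port=443, timeout=5.0):
    """Send one SSLv2 CLIENT-HELLO to host:port (a server you administer) and report the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except socket.timeout:
            return {"verdict": "timeout"}        # nothing at all came back within the timeout

def sample_server_hello():
    """Constructed SERVER-HELLO mirroring the thread's capture: two SSLv2 cipher specs plus a certificate."""
    specs = b"\x01\x00\x80" + b"\x07\x00\xc0"
    cert = b"DER-CERT-PLACEHOLDER"               # stands in for the real DER certificate bytes
    body = b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", len(cert), len(specs), 16) + cert + specs + b"\x00" * 16
    return struct.pack(">H", 0x8000 | len(body)) + body
```

A verdict of `closed` or `alert` is what a listener that genuinely refuses SSLv2 should produce; `sslv2-server-hello` means the record layer still answered the hello and offered cipher specs, even if the server drops the session later, as in the thread.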
