0 Replies Latest reply on Oct 31, 2018 10:21 AM by bobonacus

    Oracle HTTP Server cipher suite won't use listed cipher in the ssl.conf

    bobonacus

      On Windows 2012 server

      Oracle-Application-Server-12c/12.1.2.0.0

      Oracle-HTTP-Server (Win64)

      I have been setting the SSLCipherSuite to many different options from the lists below, but it never changes what cipher suite Chrome uses, which is always an obsolete cipher!

      This is the Security overview from Chrome F12: "The connection to this site uses TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_128_CBC with HMAC-SHA1 (an obsolete cipher)."

      I've tried:

      SSLCipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256

      SSLCipherSuite RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5

      SSLCipherSuite RSA_WITH_AES_256_GCM_SHA384 ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 RSA_WITH_AES_256_CBC_SHA256 RSA_WITH_AES_128_CBC_SHA256 RSA_WITH_AES_128_GCM_SHA256 ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_AES_256_CBC_SHA ECDHE_ECDSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA ECDHE_ECDSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA

      and dozens of other options but always get exactly the same message back from Chrome! I've also tried SSLCipherSuite X to make sure that the OHS does not restart and therefore is 100% using this ssl.conf file!

      I've read all these and can't find anything to say I'm not doing it correctly:

      https://docs.oracle.com/middleware/1221/webtier/administer-ohs/directives.htm#HSADM1025

      https://docs.oracle.com/middleware/12212/webtier/administer-ohs/directives.htm#GUID-C76BCA2A-9C28-4D16-9758-9346FBCF7512

      https://serverfault.com/questions/714012/default-cipher-suite-selected-by-server

      https://docs.oracle.com/cd/E24329_01/web.1211/e24422/ssl.htm#CHDHCGFG

      Any suggestions on what the issue is and how I can get OHS to use a non-obsolete cipher suite?

      I have gone to https://google.com to confirm the browser is capable; the client machine is Windows 10.
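
An offline cross-check of what the post reports, added here as an example (not the poster's or Oracle's code): it parses SSLCipherSuite lines, classifies each suite in the terms Chrome's Security panel uses, and tests whether the suite Chrome reported appears in any configured list. The suite name written for Chrome's description, the shortened third line, and all function names are assumptions.

```python
import re

# Constructed sample: SSLCipherSuite lines quoted in the post (third one shortened).
SAMPLE_CONF = """\
SSLCipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSuite RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5
SSLCipherSuite RSA_WITH_AES_256_GCM_SHA384 ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_RSA_WITH_3DES_EDE_CBC_SHA
"""
# Assumption: Chrome's "ECDHE_RSA ... AES_128_CBC with HMAC-SHA1" written as a suite name.
OBSERVED = "ECDHE_RSA_WITH_AES_128_CBC_SHA"

def normalize(name):
    """Drop the TLS_/SSL_ prefix so differently prefixed names compare equal."""
    return re.sub(r"^(TLS|SSL)_", "", name.strip().upper())

def parse_directives(conf_text):
    """Return one list of normalized suite names per SSLCipherSuite line."""
    lists = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*SSLCipherSuite\s+(\S.*)$", line, re.IGNORECASE)
        if m:  # commented-out lines start with '#' and never match
            lists.append([normalize(s) for s in re.split(r"[,\s]+", m.group(1)) if s])
    return lists

def classify(suite):
    """Describe a suite in the terms Chrome's Security panel uses."""
    kx, _, bulk = normalize(suite).partition("_WITH_")
    return {
        "key_exchange": kx,
        "forward_secrecy": kx.startswith(("ECDHE", "DHE")),
        "needs_cert": "ECDSA" if kx.endswith("ECDSA") else "RSA",
        "aead": "_GCM_" in bulk or "CHACHA20" in bulk,  # non-AEAD is what Chrome calls obsolete
    }

def audit(conf_text, observed):
    """Per directive: is the observed suite listed, and which AEAD suites fit its cert type?"""
    cert = classify(observed)["needs_cert"]
    report = []
    for suites in parse_directives(conf_text):
        usable = [s for s in suites
                  if classify(s)["aead"] and classify(s)["needs_cert"] == cert]
        report.append({"observed_listed": normalize(observed) in suites,
                       "aead_for_cert": usable})
    return report

if __name__ == "__main__":
    for n, row in enumerate(audit(SAMPLE_CONF, OBSERVED), 1):
        print(n, row)
```

When the observed suite is absent from every configured list, the negotiated suite was not selected from that directive, so the thing to verify next is which listener and configuration file actually serve the connection.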