7 Replies Latest reply: Mar 20, 2009 11:50 AM by Lalitk

    How to Disable SSLv2 in Oracle IAS 10.1.3

    Lalitk
      How do I disable SSLv2 in Oracle iAS 10.1.3? I added the lines below to the ssl.conf file, but it is not working.

      SSLProtocol -ALL SSLv3 TLSv1
      SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

      Thanks
      Lalitha
        • 1. Re: How to Disable SSLv2 in Oracle IAS 10.1.3
          Roberto Barrera
          From metalink note 460824.1.

          1. Open the ssl.conf file and add the following,
          SSLProtocol ALL -SSLv2

          after the line
          SSLSessionCacheTimeout 300

          2. For 10.1.2.x and 10.1.4.x, update the DCM repository to save the changes (In 10.1.3, this step is not needed)
          $ORACLE_HOME/dcm/bin/dcmctl updateConfig -ct ohs

          3. Stop and Start the HTTP Server (restarting does not re-read the configuration)
          $ORACLE_HOME/opmn/bin/opmnctl stopproc ias-component=HTTP_Server
          $ORACLE_HOME/opmn/bin/opmnctl startproc ias-component=HTTP_Server

          4. To reconfigure browsers, do the following (modify this based on which protocol is being removed):

          a. In Firefox, choose Tools -> Options -> Advanced -> Encryption Tab

          Select "Use SSL 3.0" and "Use TLS 1.0"

          b. In Internet Explorer, choose Tools -> Options

          Scroll to Security and uncheck "Use SSL 2.0" and check "Use SSL 3.0" and "Use TLS 1.0"


          Regards.
          • 2. Re: How to Disable SSLv2 in Oracle IAS 10.1.3
            Lalitk
            Hi Roberto,

            Sorry, after a long time I am coming back to this problem again. I made these changes. Now I have a new problem.
            http -> with SSLv2 either checked or unchecked on the client side, my application works
            https -> with SSLv2 checked the application works, but with SSLv2 unchecked the application won't work on the client desktop

            But we need https working...
            Thanks, L
            • 3. Re: How to Disable SSLv2 in Oracle IAS 10.1.3
              Roberto Barrera
              Can you see if there is any log on Apache about this behavior?

              Regards.
              • 4. Re: How to Disable SSLv2 in Oracle IAS 10.1.3
                Lalitk
                When I use https I get this line in access_log, then it stops and the application won't work:
                https: https://xxxxxxx.xxxx.xxx/forms/frmservlet?config=OFDAU_
                xx.xxx.xxx.xx - - [19/Mar/2009:16:02:16 -0400] "GET /forms/frmservlet?config=OFDAU HTTP/1.1" 200 7591

                But when I use http, my access_log looks like below and keeps going, and then my application works fine:
                http: http://xxxxxxx.xxxx.xxx/forms/frmservlet?config=OFDAU_
                xx.xxx.xxx.xx - - [19/Mar/2009:16:02:59 -0400] "GET /forms/java/forms_ie.js HTTP/1.1" 304 -
                xx.xxx.xxx.xx- - [19/Mar/2009:16:02:59 -0400] "GET /forms/java/frmall.jar HTTP/1.1" 200 1908233
                xx.xxx.xxx.xx - - [19/Mar/2009:16:02:59 -0400] "GET /forms/java/frmwebutil.jar HTTP/1.1" 200 290953
                xx.xxx.xxx.xx- - [19/Mar/2009:16:02:59 -0400] "GET /forms/yes HTTP/1.1" 404 328
                xx.xxx.xxx.xx - - [19/Mar/2009:16:02:59 -0400] "GET /forms/java/oracle/forms/registry/Registry.dat HTTP/1.1" 304 -
                xx.xxx.xxx.xx - - [19/Mar/2009:16:02:59 -0400] "GET /forms/java/oracle/forms/registry/default.dat HT
                ...



                Other than that, is there anything else I can check?
                • 5. Re: How to Disable SSLv2 in Oracle IAS 10.1.3
                  Lalitk
                  Okay, I found this in webcache/logs/event_log:

                  [19/Mar/2009:16:35:42 -0400] [warning 11904] [ecid: 94668749321,0] SSL handshake fails NZE-29048
                  [19/Mar/2009:16:35:42 -0400] [error 11321] [ecid: 94668749321,0] Connection from browser cannot be established.

                  access_log:
                  127.0.0.1 - - [19/Mar/2009:16:42:52 -0400] "GET /_oracle_http_server_webcache_static_.html HTTP/1.1" 200 99 "94669189121,0"
                  xx.xxx.xxx.xx - - [19/Mar/2009:16:43:06 -0400] "GET /forms/frmservlet?config=OFDAU HTTP/1.1" 200 7591 "94669203610,0"
                  xx.xxx.xxx.xx - - [19/Mar/2009:16:43:06 -0400] "GET /forms/java/forms_ie.js HTTP/1.1" 304 0 "94669203769,0"
                  127.0.0.1 - - [19/Mar/2009:16:43:12 -0400] "GET /_oracle_http_server_webcache_static_.html HTTP/1.1" 200 99 "94669209604,0"

                  Edited by: Lalitk on Mar 19, 2009 1:55 PM
                  • 6. Re: How to Disable SSLv2 in Oracle IAS 10.1.3
                    Roberto Barrera
                    How can you have WebCache if you are using version 10.1.3?

                    The cause of this problem has been identified and verified in an unpublished Bug 4761833 : "IE FAILS TO CONNECT TO WEBCACHE VIA SSL IF SSLV2.0 IS NOT SELECTED".

                    By default Webcache sets its SSL_ENABLED parameter in webcache.xml to: SSLV3_V2H
                    This supports only SSL V2.0 and SSLV3.0 and not TLSV1.0

                    When IE makes a connection with: SSL V2.0, SSLV3.0, TLSV1.0 all checked, an Ethereal sniff shows:
                    SSLV2 Client Hello
                    SSLV3 Server Hello

                    When IE makes a connection with: SSLV3.0, TLSV1.0 checked, SSL v2.0 unchecked, an Ethereal sniff shows:
                    TLSV1 Client Hello
                    SSLV3 Alert (Level: Fatal, Description: Unexpected Message)

                    When Firefox makes a connection with SSLV3.0, TLSV1.0 checked, SSL v2.0 unchecked an Ethereal
                    sniff shows:
                    SSLV2 Client Hello
                    SSLV3 Server Hello

                    So even though SSLV2.0 is unchecked, it still makes the initial Client Hello via SSLV2.0, which is why Mozilla works.

                    The reason why IE fails when SSLV2.0 is unchecked is because IE always uses what it considers to be the best Protocol and picks TLSV1.0, and as the default SSL_ENABLED parameter in Webcache does not support TLS V1.0, then it fails.


                    Solution
                    To implement the solution, execute the following steps:

                    1. Edit the $ORACLE_HOME/webcache/webcache.xml
                    For the SSL Listen entry e.g:
                    <LISTEN IPADDR="ANY" PORT="443" SSLENABLED="SSLV3_V2H" PORTTYPE="NORM">
                    Change:
                    "SSLV3_V2H"
                    to
                    "SSL"

                    2. Save the file and restart Webcache, then test that you can access Webcache via SSL with SSLV2.0 unchecked

                    Hope this helps

                    Regards.
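The two ClientHello shapes that the Ethereal sniff above distinguishes, as an added example that is not part of the thread: it builds an SSLv2-format CLIENT-HELLO and a TLS record-layer ClientHello, classifies the first bytes on the wire the way the sniff does, and replays the listener behaviour reported in reply 6. The LISTENER_POLICY table is a model of that report, not Web Cache's real state machine; its "SSL" row and the handshake_failure branch for a hello that offers only SSLv2 are assumptions, and the cipher values are placeholders.

```python
"""Tell an SSLv2-format CLIENT-HELLO from an SSLv3/TLS record-layer ClientHello
(what the Ethereal sniff in reply 6 distinguishes) and replay the listener
behaviour reported there for SSLENABLED="SSLV3_V2H" versus "SSL"."""
import os
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1"}


def sslv2_client_hello(max_version=0x0301, challenge=None):
    """SSLv2-compatible CLIENT-HELLO: 2-byte header with the high bit set, msg type 1,
    the highest version the client supports, then 3-byte cipher specs. Firefox of that
    era sent this shape even with 'Use SSL 2.0' unchecked, as reply 6 observes."""
    challenge = challenge or os.urandom(16)
    specs = b"\x00\x00\x04" + b"\x00\x00\x05"   # placeholder v2-style cipher specs
    body = (b"\x01" + struct.pack(">H", max_version)
            + struct.pack(">HHH", len(specs), 0, len(challenge)) + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def tls_record_client_hello(client_version=0x0301, record_version=0x0301, random_bytes=None):
    """SSLv3/TLS ClientHello inside a record-layer header (content type 22). IE sent
    this shape once SSL 2.0 was unchecked, picking TLS 1.0 as its best protocol."""
    random_bytes = random_bytes or os.urandom(32)
    suites = struct.pack(">HH", 0x0004, 0x0005)                             # placeholder suites
    hello = (struct.pack(">H", client_version) + random_bytes + b"\x00"    # empty session id
             + struct.pack(">H", len(suites)) + suites + b"\x01\x00")       # null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack(">HH", record_version, len(handshake)) + handshake


def classify_client_hello(data: bytes):
    """Return ('tls-record', client_version) or ('sslv2-hello', max_version)."""
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        return ("tls-record", struct.unpack(">H", data[9:11])[0])
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return ("sslv2-hello", struct.unpack(">H", data[3:5])[0])
    raise ValueError("not a recognisable ClientHello")


# Model of the listener behaviour, not Web Cache's real implementation. SSLV3_V2H is
# what reply 6 reports (v2-format hello -> SSLv3 ServerHello, TLSv1 record hello ->
# fatal alert). For "SSL" only the TLSv1 success is reported; the rest is assumed.
LISTENER_POLICY = {
    "SSLV3_V2H": {"v2hello_max": 0x0300, "record_versions": {0x0300}},
    "SSL":       {"v2hello_max": 0x0301, "record_versions": {0x0300, 0x0301}},
}


def server_response(sslenabled: str, client_hello: bytes) -> str:
    """What the modelled listener answers to the given ClientHello bytes."""
    fmt, version = classify_client_hello(client_hello)
    policy = LISTENER_POLICY[sslenabled]
    if fmt == "sslv2-hello":
        if version < 0x0300:
            # assumption: neither modelled listener completes a pure SSLv2 handshake
            return "Alert handshake_failure"
        return "ServerHello " + VERSION_NAMES[min(version, policy["v2hello_max"])]
    if version not in policy["record_versions"]:
        return "Alert unexpected_message"        # the fatal alert seen in the sniff for IE
    return "ServerHello " + VERSION_NAMES[version]


if __name__ == "__main__":
    for mode in LISTENER_POLICY:
        for name, hello in (("Firefox-style v2 hello", sslv2_client_hello()),
                            ("IE-style TLSv1 record hello", tls_record_client_hello())):
            print(f"{mode:10} {name:28} -> {server_response(mode, hello)}")
```

Running it prints one line per listener and hello shape; the point it makes is the one the bug note makes: a v2-format hello is accepted by SSLV3_V2H while a TLSv1 record-layer hello is refused, so a browser that has stopped sending the v2-format hello cannot connect until the listener accepts TLSv1.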
                    • 7. Re: How to Disable SSLv2 in Oracle IAS 10.1.3
                      Lalitk
                      After doing these two changes, it works now.

                      1. Webcache.xml
                      < <LISTEN IPADDR="ANY" PORT="443" SSLENABLED="SSL" PORTTYPE="NORM">
                      ---
                      # <LISTEN IPADDR="ANY" PORT="443" SSLENABLED="SSLV3" PORTTYPE="NORM">
                      # <LISTEN IPADDR="ANY" PORT="443" SSLENABLED="SSLV3_V2H" PORTTYPE="NORM">
                      2. http.conf
                      <IfModule mod_ossl.c>
                      # SSLOptions +StdEnvVars
                      SSLOptions ExportCertData StdEnvVars
                      </IfModule>

                      Thanks
                      Lalitha

                      Edited by: Lalitk on Mar 20, 2009 9:47 AM
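A small audit of the two files this thread ends up editing (ssl.conf from reply 1, webcache.xml from replies 6 and 7), added here as an example and not part of the thread or of Oracle's tooling. It evaluates the SSLProtocol directive with mod_ssl's token rules, which this example assumes mod_ossl shares: +X adds, -X removes and a bare token replaces the set built so far, so `ALL -SSLv2` leaves SSLv3 and TLSv1, while the original post's `-ALL SSLv3 TLSv1` evaluates to TLSv1 alone. It then reads the SSLENABLED attribute of each Web Cache LISTEN element; the SSLV3_V2H row of the table is what reply 6 describes, the SSLV3 and SSL rows are assumptions, and the sample config strings are constructed.

```python
"""Audit the two settings changed in this thread: the SSLProtocol directive in
OHS ssl.conf and the SSLENABLED attribute on Web Cache <LISTEN> elements."""
import re

PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")

# Meaning of SSLENABLED values. SSLV3_V2H is as reply 6 describes it; NONE is the
# non-SSL listener; the SSLV3 and SSL rows are assumptions (the thread only shows
# that "SSL" lets a TLSv1 ClientHello through).
WEBCACHE_SSLENABLED = {
    "NONE": set(),
    "SSLV3_V2H": {"SSLv2", "SSLv3"},
    "SSLV3": {"SSLv3"},
    "SSL": {"SSLv3", "TLSv1"},
}


def eval_sslprotocol(args: str) -> set:
    """Evaluate SSLProtocol arguments with mod_ssl's rules (assumed here for
    mod_ossl too): tokens go left to right, +X adds, -X removes, and a bare
    token REPLACES the set built so far."""
    enabled = set()
    for tok in args.split():
        sign = ""
        if tok[0] in "+-":
            sign, tok = tok[0], tok[1:]
        if tok.lower() == "all":
            these = set(PROTOCOLS)
        else:
            these = {p for p in PROTOCOLS if p.lower() == tok.lower()}
            if not these:
                raise ValueError(f"unknown SSLProtocol token {tok!r}")
        if sign == "-":
            enabled -= these
        elif sign == "+":
            enabled |= these
        else:
            enabled = these
    return enabled


def sslprotocol_from_conf(conf_text: str):
    """Enabled set from the last uncommented SSLProtocol line (container scoping
    such as <VirtualHost> is ignored), or None if the directive is absent."""
    result = None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if m:
            result = eval_sslprotocol(m.group(1))
    return result


def webcache_ssl_listeners(xml_text: str):
    """(port, SSLENABLED) for every LISTEN element outside XML comments."""
    text = re.sub(r"<!--.*?-->", "", xml_text, flags=re.S)
    listeners = []
    for m in re.finditer(r"<LISTEN\b([^>]*?)/?>", text):
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', m.group(1)))
        listeners.append((attrs.get("PORT"), attrs.get("SSLENABLED", "NONE").upper()))
    return listeners


def audit(ssl_conf_text: str, webcache_xml_text: str) -> dict:
    """Report SSLv2 still enabled on OHS, and Web Cache listeners that accept
    SSLv2 hellos or reject TLSv1 (the failure mode IE hit in this thread)."""
    ohs = sslprotocol_from_conf(ssl_conf_text)
    if ohs is None:
        ohs = set(PROTOCOLS)  # no directive: mod_ssl's default is ALL
    findings = []
    if "SSLv2" in ohs:
        findings.append("OHS: SSLProtocol still enables SSLv2")
    listeners = webcache_ssl_listeners(webcache_xml_text)
    for port, mode in listeners:
        if mode == "NONE":
            continue
        protos = WEBCACHE_SSLENABLED.get(mode)
        if protos is None:
            findings.append(f"Web Cache port {port}: unrecognised SSLENABLED={mode}")
            continue
        if "SSLv2" in protos:
            findings.append(f"Web Cache port {port}: SSLENABLED={mode} still accepts SSLv2")
        if "TLSv1" not in protos:
            findings.append(f"Web Cache port {port}: SSLENABLED={mode} rejects TLSv1 "
                            "ClientHellos, so IE with SSL 2.0 unchecked cannot connect")
    return {"ohs": ohs, "webcache": listeners, "findings": findings}


# Constructed samples modelled on the thread's snippets, not copied from a real install.
SSL_CONF = """\
SSLSessionCacheTimeout 300
SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
"""
WEBCACHE_BEFORE = '<LISTEN IPADDR="ANY" PORT="443" SSLENABLED="SSLV3_V2H" PORTTYPE="NORM"/>'
WEBCACHE_AFTER = '<LISTEN IPADDR="ANY" PORT="443" SSLENABLED="SSL" PORTTYPE="NORM"/>'

if __name__ == "__main__":
    for label, xml in (("before", WEBCACHE_BEFORE), ("after", WEBCACHE_AFTER)):
        report = audit(SSL_CONF, xml)
        print(label, sorted(report["ohs"]), report["findings"] or "no findings")
```

Because Web Cache terminates SSL in front of OHS, a browser hitting the Web Cache port sees only the listener setting, which is consistent with the ssl.conf change alone not being enough in this thread; both files have to agree. Replace the constructed samples with the real file contents to run it against an install.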