Task #636
Oracle WebLogic SSLv3 and Low Strength Cipher
Status: | Closed - End of life cycle | Start date: | November 18, 2010
---|---|---|---
Priority: | Normal | Due date: | November 22, 2010
Assignee: | Ahmad Hazri | % Done: | 100%
Category: | - | Estimated time: | 3.00 hours
Target version: | - | Spent time: | 2.00 hours
Description
Issue:
Tay reported that he enabled the SSLv3 flag on the WebLogic server:
-Dweblogic.security.SSL.protocolVersion=SSL3
But a scan with the Nessus tool (3rd party) gave a different result: the lower protocol, SSLv2, was detected.
History
#1 Updated by Ahmad Hazri almost 14 years ago
Update
While logging the case with WebLogic Support, asked Tay to send the Nessus result for analysis.
But the Nessus result shows only SSLv3.
Informed Tay of this; he then realized that this was actually the 2nd scan attempt against the server.
#2 Updated by Ahmad Hazri almost 14 years ago
- Status changed from New - Begin Life Cycle to Development / Work In Progress
- % Done changed from 50 to 60
Update
Moving forward, found another issue for SSLv3: WebLogic is using a low strength cipher.
Looking for a solution in the WebLogic Support Database:
To specify the list of ciphers that the server has to use, follow these steps:
1. Edit config.xml with the list of ciphers under the ssl element of a server, as below.
The syntax is:
```xml
<ciphersuite>string1</ciphersuite>
<ciphersuite>string2</ciphersuite>
<ciphersuite>string3</ciphersuite>
```
2. Add the following tag, also under the ssl element:
```xml
<use-java>true</use-java>
```
Example:
```xml
<ssl>
  <use-java>true</use-java>
  <enabled>true</enabled>
  <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
  <cert-authenticator></cert-authenticator>
  <hostname-verifier xsi:nil="true"></hostname-verifier>
  ..........................
</ssl>
```
OR
3. We can also specify the -Dweblogic startup argument as below:
"-Dweblogic.security.SSL.Ciphersuites=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5"
Here is the list of ciphers that WebLogic supports and the strength of each:
http://download.oracle.com/docs/cd/E13222_01/wls/docs100/secintro/concepts.html#wp1123076
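As an added audit example (not part of the ticket or of Oracle's documentation), the script below reads the `<ssl>` settings the update above describes from a config.xml fragment and from the `-Dweblogic.security.SSL.*` startup arguments, and flags cipher suites whose names match an assumed low-strength marker list. The config fragment and startup string are constructed samples modelled on the ticket; the marker list is an assumption and counts RC4 and MD5 suites as weak per present-day guidance.

```python
import re
import xml.etree.ElementTree as ET
# Constructed config.xml fragment modelled on the ticket's example; a real
# WebLogic config.xml carries a default namespace, which this sample omits.
SAMPLE_CONFIG = """<domain>
  <server>
    <name>AdminServer</name>
    <ssl>
      <use-java>true</use-java>
      <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_EXPORT_WITH_DES40_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
    </ssl>
  </server>
</domain>"""

# Constructed startup arguments in the shape the ticket shows.
SAMPLE_JAVA_OPTIONS = ("-Dweblogic.security.SSL.protocolVersion=SSL3 "
    "-Dweblogic.security.SSL.Ciphersuites=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5")

# Assumed policy: name fragments treated as low strength (RC4/MD5 per present-day guidance).
WEAK_MARKERS = ("EXPORT", "NULL", "_anon_", "DES40", "_DES_", "RC4", "MD5", "RC2")

def suite_is_weak(name):
    return any(marker in name for marker in WEAK_MARKERS)

def audit_config_xml(xml_text):
    """Per server: whether <use-java> is on, and which suites are weak/strong."""
    report = {}
    for server in ET.fromstring(xml_text).iter("server"):
        ssl = server.find("ssl")
        if ssl is None:
            continue  # server has no <ssl> block, so nothing to restrict
        suites = [c.text.strip() for c in ssl.findall("ciphersuite") if c.text]
        report[server.findtext("name")] = {
            "use_java": (ssl.findtext("use-java") or "").strip().lower() == "true",
            "weak": [s for s in suites if suite_is_weak(s)],
            "strong": [s for s in suites if not suite_is_weak(s)],
        }
    return report

def audit_java_options(opts):
    """Pull protocolVersion and the Ciphersuites list out of -D startup args."""
    proto = re.search(r"-Dweblogic\.security\.SSL\.protocolVersion=(\S+)", opts)
    suites = re.search(r"-Dweblogic\.security\.SSL\.Ciphersuites=(\S+)", opts)
    names = suites.group(1).split(",") if suites else []
    return {"protocol": proto.group(1) if proto else None,
            "weak": [s for s in names if suite_is_weak(s)]}
```

Run `audit_config_xml(SAMPLE_CONFIG)` and `audit_java_options(SAMPLE_JAVA_OPTIONS)` against the sample to see which suites each path would flag; both functions accept an operator's own config.xml text or JAVA_OPTIONS string in the same way.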
#3 Updated by Ahmad Hazri almost 14 years ago
- Status changed from Development / Work In Progress to Pending Customer Feedback
Waiting on Tay to update the status after applying the solution.
#4 Updated by Ahmad Hazri almost 14 years ago
- Status changed from Pending Customer Feedback to Closed - End of life cycle
- % Done changed from 60 to 100
Tay has confirmed the issue has been resolved with the solution provided.