Task #636


Oracle WebLogic SSLV3 and Low Strenght Cipher

Added by Ahmad Hazri almost 14 years ago. Updated almost 14 years ago.

Status: Closed - End of life cycle
Start date: November 18, 2010
Priority: Normal
Due date: November 22, 2010
Assignee: Ahmad Hazri
% Done: 100%
Category: -
Estimated time: 3.00 hours
Target version: -
Spent time: 2.00 hours

Description

Issue:
Tay reported that he enabled the SSLv3 flag in the WebLogic server:

-Dweblogic.security.SSL.protocolVersion=SSL3

But a Nessus (3rd party) scan reported differently: the lower SSL version, SSLv2, was detected.

Nessus_Scan_Report_-_PMO1012050_16_Nov_2010.htm (265 KB) Ahmad Hazri, November 19, 2010 11:16

History

#1 Updated by Ahmad Hazri almost 14 years ago

Update
While logged in to WebLogic Support, asked Tay to send the Nessus result for analysis.
But based on the Nessus result, it shows only SSLv3.
Informed Tay of this; he then realized this was actually the 2nd scan attempt on the server.

#2 Updated by Ahmad Hazri almost 14 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress
  • % Done changed from 50 to 60

Update
Moving forward, found another issue for SSLv3: WebLogic is using a low strength cipher.
Looking for a solution in the WebLogic Support Database:

To specify the list of ciphers that the server has to use, follow these steps:

1. Edit the config.xml with the list of ciphers under the ssl element of a server as below.
The syntax to use them is:
      <ciphersuite>string1</ciphersuite>
      <ciphersuite>string2</ciphersuite>
      <ciphersuite>string3</ciphersuite>

2. Also add the following tag under the ssl element:
      <use-java>true</use-java>
      Example:
      <ssl>
      <use-java>true</use-java>
      <enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
      <cert-authenticator></cert-authenticator>
      <hostname-verifier xsi:nil="true"></hostname-verifier>
      ..........................
      </ssl>

OR

3. We can also specify the -Dweblogic startup argument as below:
      "-Dweblogic.security.SSL.Ciphersuites=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5"
Here is the list of ciphers that WebLogic supports and their strengths:
http://download.oracle.com/docs/cd/E13222_01/wls/docs100/secintro/concepts.html#wp1123076
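
The following script is an added example for auditing the two configuration forms described in the update above (the config.xml ssl element and the -Dweblogic.security.SSL.Ciphersuites startup argument); it is not part of this ticket, of Oracle's documentation, or of WebLogic itself. It parses a constructed ssl fragment and a constructed startup argument, lists the configured cipher suites, and flags suites whose names carry RC4, MD5, single DES, export-grade, NULL or anonymous components, which is the set current scanners report as weak (so the RC4 suites in the support-database example would themselves be flagged today). The function names, the weak-token table and the sample inputs are this example's own assumptions; the xsi namespace declaration on the fragment is there only so it parses on its own.

```python
"""Audit WebLogic SSL cipher-suite settings for suites that scanners rate as weak.

Added example for this ticket; not Oracle's or WebLogic's own tooling.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the step-2 example from the ticket.
# The xsi namespace is declared here only so the fragment parses stand-alone
# (assumption: a real config.xml declares it on its root element instead).
SAMPLE_SSL_FRAGMENT = """<ssl xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <use-java>true</use-java>
  <enabled>true</enabled>
  <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
  <cert-authenticator></cert-authenticator>
  <hostname-verifier xsi:nil="true"></hostname-verifier>
</ssl>"""

# Constructed sample of the step-3 JVM startup argument.
SAMPLE_STARTUP_ARG = (
    "-Dweblogic.security.SSL.Ciphersuites="
    "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5"
)

# Name components that mark a suite as weak (assumed table, current scanner
# practice). Matched against whole underscore-delimited tokens so that "DES"
# does not hit "3DES".
WEAK_TOKENS = {
    "RC4": "RC4 stream cipher",
    "MD5": "MD5-based MAC",
    "DES": "single DES (56-bit)",
    "EXPORT": "export-grade key length",
    "NULL": "no encryption",
    "anon": "anonymous key exchange (no server authentication)",
}


def _local_name(tag):
    """Strip an XML namespace prefix: '{ns}ssl' -> 'ssl'."""
    return tag.rsplit("}", 1)[-1]


def weak_reasons(suite):
    """Return the reasons a suite name is considered weak (empty list if none)."""
    tokens = set(suite.split("_"))
    return [desc for tok, desc in WEAK_TOKENS.items() if tok in tokens]


def parse_ssl_element(xml_text):
    """Parse an <ssl> element (namespaced or not) into a plain dict."""
    root = ET.fromstring(xml_text)
    if _local_name(root.tag) != "ssl":
        # A larger fragment was given; locate the first <ssl> element in it.
        root = next(el for el in root.iter() if _local_name(el.tag) == "ssl")
    cfg = {"enabled": None, "use_java": None, "ciphersuites": []}
    for child in root:
        name = _local_name(child.tag)
        text = (child.text or "").strip()
        if name == "enabled":
            cfg["enabled"] = text.lower() == "true"
        elif name == "use-java":
            cfg["use_java"] = text.lower() == "true"
        elif name == "ciphersuite":
            cfg["ciphersuites"].append(text)
    return cfg


def parse_startup_ciphersuites(arg):
    """Extract the suite list from -Dweblogic.security.SSL.Ciphersuites=a,b,c."""
    m = re.search(r"-Dweblogic\.security\.SSL\.Ciphersuites=([^\s\"]+)", arg)
    if not m:
        return []
    return [s for s in m.group(1).split(",") if s]


def audit(suites, use_java=None):
    """Split suites into weak/strong and add list-level findings."""
    report = {"weak": {}, "strong": [], "findings": []}
    for s in suites:
        reasons = weak_reasons(s)
        if reasons:
            report["weak"][s] = reasons
        else:
            report["strong"].append(s)
    if suites and not report["strong"]:
        report["findings"].append("every configured suite is weak")
    if use_java is False:
        # Step 2 of the procedure sets use-java to true alongside the list.
        report["findings"].append("use-java is not true (step 2 sets it to true)")
    return report


if __name__ == "__main__":
    cfg = parse_ssl_element(SAMPLE_SSL_FRAGMENT)
    for suite, reasons in audit(cfg["ciphersuites"], cfg["use_java"])["weak"].items():
        print(f"{suite}: {', '.join(reasons)}")
    print(audit(parse_startup_ciphersuites(SAMPLE_STARTUP_ARG))["findings"])
```

Run it against the text of a real config.xml by passing the whole file to parse_ssl_element; the namespace stripping lets it find the ssl element wherever it sits in the domain tree, and the startup-argument parser can be pointed at the server's start script or JVM command line.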

#3 Updated by Ahmad Hazri almost 14 years ago

  • Status changed from Development / Work In Progress to Pending Customer Feedback

Waiting on Tay to update the status after applying the solution.

#4 Updated by Ahmad Hazri almost 14 years ago

  • Status changed from Pending Customer Feedback to Closed - End of life cycle
  • % Done changed from 60 to 100

Tay has confirmed the issue has been resolved with the solution provided.
