Details of the SSL POODLE bug can be found here

We can address it in the following way.

1) Disable SSL 3.0 support in the client.

TLS 1

2) Disable SSL 3.0 support in the server.

We can start WebLogic server with the following JVM option

-Dweblogic.security.SSL.protocolVersion=TLS1

Ref :-

http://weblogic-wonders.com/weblogic/2009/12/08/use-specific-ssl-protocol-version-with-weblogic-server/

Disable support for CBC-based cipher suites when using SSL 3.0 (in either client or server).

You can do it by editing you config.xml

 

<ssl>
<enabled>true</enabled>
<ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
<ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
<hostname-verification-ignored>true</hostname-verification-ignored>
<listen-port>7002</listen-port>
<server-private-key-alias>xxxxxxx </server-private-key-alias>
<server-private-key-pass-phrase-encrypted>xxxxxx</server-private-key-pass-phrase-encrypted>
</ssl>

Ref:-

http://weblogic-wonders.com/weblogic/2009/12/08/use-specific-ssl-protocol-version-with-weblogic-server/

This article explains the attack in details.

http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability

This article provides sample Webservice and Webservice Client for two way SSL. It also demonstrates the use of WLSSSLAdapter class to send certificates to the server.

1. Create a JWS with the following policy  : Wssp1.2-2007-Https-ClientCertReq.xml

 

package examples.webservices.security_jws;

import weblogic.jws.WLHttpTransport;
import weblogic.jws.Policies;
import weblogic.jws.Policy;
import javax.jws.WebService;
import javax.jws.WebMethod;
import javax.jws.soap.SOAPBinding;

@WebService(name="SecureHelloWorldPortType", 
            serviceName="SecureHelloWorldService", 
            targetNamespace="http://www.bea.com")

@SOAPBinding(style=SOAPBinding.Style.DOCUMENT, 
             use=SOAPBinding.Use.LITERAL,
             parameterStyle=SOAPBinding.ParameterStyle.WRAPPED)

@WLHttpTransport(contextPath="SecureHelloWorldService", 
                 serviceUri="SecureHelloWorldService",
		 portName="SecureHelloWorldServicePort")

@Policy(uri = "policy:Wssp1.2-2007-Https-ClientCertReq.xml")

public class SecureHelloWorldImpl {

  @WebMethod()
  public String sayHello(String s) {
    return "Hello " + s;  
  }
}

2. Build and Deploy the service on WebLogic Server

3. Deploy a war file with the following jsp in another server.

<html>
<head>
<title>WS Client App</title>
</head>
<body bgcolor="#cccccc">
<blockquote>
<h2>Protected Page</h2>
</blockquote>

<%@ page import="examples.webservices.security_jws.client.SecureHelloWorldService"%>
<%@ page import="examples.webservices.security_jws.client.SecureHelloWorldService_Impl"%>
<%@ page import="examples.webservices.security_jws.client.SecureHelloWorldPortType"%>

<%@ page import="javax.xml.rpc.Stub"%>
<%@ page import="weblogic.wsee.connection.transport.https.WlsSSLAdapter"%>
<%@ page import="weblogic.security.SSL.TrustManager"%>
<%@ page import="java.security.cert.X509Certificate"%>

<%
 try
 {
    String wsdl = "https://localhost:7002/SecureHelloWorldService/SecureHelloWorldService?WSDL";
    //SecureHelloWorldService service = new SecureHelloWorldService_Impl(wsdl);
    SecureHelloWorldService service = new SecureHelloWorldService_Impl();
    SecureHelloWorldPortType port = service.getSecureHelloWorldServicePort();

    WlsSSLAdapter adapter = new WlsSSLAdapter();
    adapter.setKeystore("C://WSSecurity//LABS//twoway_jws//identity.jks","mystorepass".toCharArray(), "JKS" );
    adapter.setClientCert("mykey","mykeypass".toCharArray());
    adapter.setTrustManager( new TrustManager(){
                 public boolean certificateCallback(X509Certificate[] chain, int validateErr){
                   return true;
                 }
           }); 

   weblogic.wsee.connection.transport.https.HttpsTransportInfo info = new  weblogic.wsee.connection.transport.https.HttpsTransportInfo(adapter);
   Stub stub = (Stub)port;
   stub._setProperty(Stub.ENDPOINT_ADDRESS_PROPERTY,"https://localhost:7002/SecureHelloWorldService/SecureHelloWorldService?WSDL");
   stub._setProperty("weblogic.wsee.client.ssladapter", adapter);

   out.println(port.sayHello("World"));
 } 
catch (Exception e)
{
out.println("File input error"+e);
}           

%>

</body>
</html>

4. Configure SSL on the server on which client app is deployed.

5. On the server on which the service is deployed , do the 2 way SSL configuration.

a) Go to Home >Summary of Servers > YourServer > SSL > Advanced >
Two Way Client Cert Behavior: Client Certs Requested and Enforced
Hostname Verification: None

b) Go to Home >Summary of Security Realms >myrealm >Providers >DefaultIdentityAsserter

Under Common

Chosen Select X509

Under Provider Specific

Trusted Client Principals: <CN of the client’s certificate>
Default User Name Mapper Attribute Type: CN
Use Default User Name Mapper: Checked

c) Create a user in the security realm with the CN value of the certificate.

6) Import the client’s public certificate in the trust store of the server.