Use specific SSL protocol version with Weblogic Server.

If we want the Weblogic Server to use only a specific protocol version of SSL,we can do it with the command line options below.
-Dweblogic.security.SSL.protocolVersion=SSL3—Only SSL V3.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=TLS1—Only TLS V1.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=ALL—This is the default behavior.

We can test it by using openssl.
I my test I enabled TLS1 and below is the test result when connected with openssl

openssl s_client -connect 10.10.71.79:

543 -tls1
Loading ‘screen’ into random state – done
CONNECTED(00000788)
depth=0 /CN=Fabrizio
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=Fabrizio
verify return:1

Certificate chain
0 s:/CN=Fabrizio
i:/CN=Fabrizio

Server certificate
—–BEGIN CERTIFICATE—–
MIIBlDCB/gIBADANBgkqhkiG9w0BAQQFADATMREwDwYDVQQDEwhGYWJyaXppbzAe
Fw0wOTA1MTUxNDMyNDlaFw0xOTA1MTMxNDMyNDlaMBMxETAPBgNVBAMTCEZhYnJp
emlvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnRIgweBu10re3Fl2RlCU8
KL2rZE8agEKJZ6rQ+jTaJgDt/KvQvQJGQojusGBQTWc0ZXhsMD6gU1bB8lRjPLyt
QXhqeA35Bs+xgXgrHUXq1UP+yo8Z3/haL02bCDXxIMz0Q2aAmCue2GwB7IPCseZZ
1Rmif7Wlc5/quBEis9G+KQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAC+b0wZ5wMLX
o0eJT3DX/7ICT9mnNKq498xgAemcsjE3FbMG2DYshHuPyh842meN7zWl1gbMd5MX
yDkOlvRIYlK3sAoCyZ4m7qFdgAhAKbiSXlhPOhpUMt8BYd4km6Hn+uqyJmWuj+Wv

QQj/jzJszsFD0Qa7KxuOznHyDITu9r3j
—–END CERTIFICATE—–

subject=/CN=Fabrizio
issuer=/CN=Fabrizio

No client certificate CA names sent

SSL handshake has read 544 bytes and written 268 bytes

New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 630E00003F6152564FEFD2A802ACBD561898F759F1B5FF7A7C4E41D264C6F061
Session-ID-ctx:
Master-Key: 51D181CBE700DA9CDAD8EFBBC8340F95F871ABCAB533A5BFACC4EF6F36C6707A
CF26F4CE59BB5DFC005753F1620F7388
Key-Arg : None
Start Time: 1245761507
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)

Weblogic Server accepted connections only over TLS1.

References:-

1. http://download.oracle.com/docs/cd/E13222_01/wls/docs92/secmanage/ssl.html

5 comments

  1. Hi Sir,

    -Dweblogic.security.SSL.protocolVersion=ALL will allow TLSv2.0 as well.

    Is there a way to disable TLSv2.0 and enable SSL3 and TLS1?

  2. Though this is an old post since it only takes a second to reply…

    I think you are better off putting a Web Tier in front of your AppServer then you can use an Apache Directive or the like for other web servers to say SSLProtocol = ALL:-SSL2 syntax and directive name may be wrong but you get the point. Some may say its best to use a white list approach and say SSLProtocol = NONE:+SSL3:+TLS1+TLS1.1+TLS1.2 and so on but it requires more maintenance in this case. Pick you poison.

Leave a Reply