SSL Vulnerabilities

SSL Server allows Anonymous Authentication Vulnerability

This finding means a client can complete the SSL handshake without the server ever proving its identity. The anonymous cipher suites (the TLS_DH_anon_* family) use unauthenticated Diffie-Hellman and send no server certificate, so anyone on the network path can impersonate the server and read or alter the session. The mitigation is to list the permitted cipher suites explicitly in config.xml, as explained in an earlier post, and leave the anonymous suites out; the null cipher can additionally be disabled from the admin console. The two JVM flags below are usually quoted together with this finding, so note what each one does: disableNullCipher removes the NULL (no-encryption) suites, which is the clear-text issue of the next section rather than the anonymous one, and protocolVersion=SSL3 pins the handshake to SSLv3, which does not change which suites are offered and is itself an obsolete protocol that should not be forced on a current server.

-Dweblogic.security.SSL.protocolVersion=SSL3
-Dweblogic.security.disableNullCipher=true

SSL Server Allows Clear text Communication Vulnerability

This finding depends on the cipher suites in use: the NULL suites complete an authenticated handshake but apply no encryption at the record layer, so application data crosses the wire in clear text. If no cipher suite is listed in config.xml, the server falls back to its default list, which includes the clear-text suites along with the encrypting ones.

To prevent clear-text sessions, list the suites explicitly and leave out TLS_RSA_WITH_NULL_MD5 and TLS_RSA_WITH_NULL_SHA, both of which have a symmetric key strength of 0. For the list of allowed cipher suites, see the previous post; the values given there permit 56-bit as well as 128-bit encryption.
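The two findings above both come down to what is (or is not) listed under the ssl element of config.xml. The following script is an added example, not code from this post or from Oracle: it reads a config.xml, and for every server with SSL enabled reports anonymous suites (no server authentication), NULL suites (clear text), suites below a chosen symmetric strength, and servers that list no suites at all and therefore get the default list. The sample domain inside it is constructed for the example; the element names (server, ssl, enabled, ciphersuite, listen-port) and the domain namespace are WebLogic's own.

```python
"""Added example (not from the post): audit the <ssl> elements of a WebLogic
config.xml for cipher suites with no server authentication (DH_anon/ECDH_anon),
no encryption (NULL) or symmetric strength below a chosen minimum."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample domain for this example (real WebLogic namespace, made-up servers).
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <server><name>AdminServer</name>
    <ssl><enabled>true</enabled><listen-port>7002</listen-port></ssl>
  </server>
  <server><name>ManagedServer1</name>
    <ssl><enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_NULL_SHA</ciphersuite>
      <ciphersuite>TLS_DH_anon_WITH_RC4_128_MD5</ciphersuite>
      <ciphersuite>TLS_RSA_EXPORT_WITH_RC4_40_MD5</ciphersuite>
      <listen-port>7102</listen-port>
    </ssl>
  </server>
  <server><name>ManagedServer2</name>
    <ssl><enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_DES_CBC_SHA</ciphersuite>
      <listen-port>7103</listen-port>
    </ssl>
  </server>
</domain>"""

def _children(elem, name):
    """Direct children with the given local name, ignoring the namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name, default=""):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else default

def is_anonymous(suite):
    """DH_anon / ECDH_anon suites: unauthenticated key exchange, no server certificate."""
    return "_anon_" in suite

def symmetric_strength(suite):
    """Nominal symmetric key length in bits from the suite name; None if not recognised."""
    if "_WITH_NULL_" in suite:
        return 0
    if "DES40" in suite or "_40_" in suite:
        return 40
    if "3DES" in suite:
        return 168                      # nominal; effective strength is 112 bits
    if "_DES_" in suite:
        return 56
    m = re.search(r"_(\d{2,3})_", suite)  # RC4_128, AES_128, AES_256, ...
    return int(m.group(1)) if m else None

def audit_ssl(ssl_elem, min_strength):
    """Findings for one <ssl> element as (suite, message) pairs."""
    suites = [c.text.strip() for c in _children(ssl_elem, "ciphersuite") if c.text]
    if not suites:
        return [(None, "no explicit <ciphersuite> list: the default list, which "
                       "includes the NULL clear-text suites, will be used")]
    findings = []
    for s in suites:
        if is_anonymous(s):
            findings.append((s, "anonymous key exchange: no server authentication"))
        strength = symmetric_strength(s)
        if strength == 0:
            findings.append((s, "NULL cipher: 0-bit symmetric strength, clear-text traffic"))
        elif strength is None:
            findings.append((s, "unrecognised suite name: review manually"))
        elif strength < min_strength:
            findings.append((s, "%d-bit symmetric strength is below the %d-bit minimum"
                                % (strength, min_strength)))
    return findings

def audit_config(xml_text, min_strength=128):
    """Map server name -> findings for every server with SSL enabled."""
    report = {}
    for server in ET.fromstring(xml_text).iter():
        if server.tag.rsplit("}", 1)[-1] != "server":
            continue
        for ssl in _children(server, "ssl"):
            if _text(ssl, "enabled").lower() != "true":
                continue
            findings = audit_ssl(ssl, min_strength)
            if findings:
                report[_text(server, "name", "?")] = findings
    return report

def main(argv):
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONFIG
    report = audit_config(xml_text, min_strength=56)   # the post accepts 56-bit suites
    for server, findings in sorted(report.items()):
        for suite, msg in findings:
            print("%s: %s: %s" % (server, suite or "(no suites listed)", msg))
    return 1 if report else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_ssl.py /path/to/domain/config/config.xml`; with no argument it audits the constructed sample and flags AdminServer (no suite list) and ManagedServer1 (NULL, anonymous and 40-bit export suites). The minimum strength is a parameter because this post treats 56-bit suites as acceptable; a current baseline would pass 128.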

TLS Protocol Session Renegotiation Security Vulnerability

This is the TLS renegotiation flaw (CVE-2009-3555): an attacker who can intercept the connection opens a session to the server, sends a request of their own, then splices the legitimate client's handshake in as a renegotiation, so the server treats the attacker's bytes as the beginning of the client's request. The fix is the renegotiation_info extension of RFC 5746, which binds a renegotiation to the session it extends. The details of the vulnerability can be found here.
If you have applied the latest Critical Patch Update, you should be fine; the March 2010 Java CPU linked below is the one that added the fix to the JDK's SSL stack (JSSE). Note that WebLogic 10.3 uses its own Certicom-based SSL stack unless JSSE is enabled, so the JDK patch only helps where JSSE is in use, and the WebLogic side of the fix comes through the WebLogic Critical Patch Update. To check a running server, openssl s_client -connect host:7002 reports "Secure Renegotiation IS supported" once a patched stack is in use, and "IS NOT supported" otherwise.
Find more details here

http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html

7 comments

  1. Hi Faisal,
    I have 2 quick questions:
    1. When we enable the administration port in WLS, is the communication between two managed servers in two-way SSL fashion?

    2. In a two-way SSL communication, will it be fine if we use the same identity, i.e. a single self-signed certificate, for both the servers, provided both the managed servers are on separate physical machines?
    (We don’t want to enable host-name verification in this case)

    Thanks in advance..!!

    Best regards,
    Vinod

    1. Hi Vinod,

      Please find my replies inline

      1. When we enable the administration port in WLS, is the communication between two managed servers in two-way SSL fashion?

      No, unless we do the two-way SSL configuration on the servers.

      2. In a two-way SSL communication, will it be fine if we use the same identity, i.e. a single self-signed certificate, for both the servers, provided both the managed servers are on separate physical machines?

      In a production server, self-signed certificates are not recommended. However, if you still wish to, you can. You can use the same identity for both the servers, but host name verification will fail on one of them, so you will have to disable hostname verification on one.

      Hope this answers. If you have any other queries, let me know.

      Thanks for posting.

      -Faisal

  2. Hi Faisal,
    we have a requirement to restrict the cipher suite to a set of ciphers. How can we do it in WebLogic 10.3 server? Can it be done using WLST?

    1. Hi Sudhi,

      You can specify the ciphersuites in the ssl configuration in the config.xml


      <!-- The XML tags of this fragment were lost when the comment was published;
           element names restored from the WebLogic config.xml ssl element, the
           hostname-verification-ignored name for the second boolean is an assumption. -->
      <ssl>
        <enabled>true</enabled>
        <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
        <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
        <hostname-verification-ignored>true</hostname-verification-ignored>
        <listen-port>7002</listen-port>
        <server-private-key-alias>xxxxxxx</server-private-key-alias>
        <server-private-key-pass-phrase-encrypted>xxxxxx</server-private-key-pass-phrase-encrypted>
      </ssl>

      You can also do it via WLST, but I don’t have a script ready as of now.

      Thanks,
      Faisal
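Sudhi's question above asks for a WLST way to restrict the suites, and the reply says no script was ready. The WLST (Jython) script below is an added example, not Faisal's script and not Oracle's sample code: it connects to the admin server, opens an edit session and sets an explicit cipher suite list on one server's SSL MBean. The admin URL, credentials and server name are placeholders, and the Ciphersuites attribute name is assumed from the SSLMBean; confirm it with ls() inside the SSL MBean directory of your release before relying on it.

```jython
# WLST (Jython) script, added here as an example rather than taken from the post.
# Restricts one server's SSL cipher suites to an explicit list through the
# SSLMBean "Ciphersuites" attribute (assumed name; verify with ls() on your
# release). Admin URL, credentials and server name are placeholders.
import jarray
from java.lang import String

ADMIN_URL = 't3://adminhost:7001'        # placeholder
SERVER = 'ManagedServer1'                # placeholder
# No NULL (clear-text) and no DH_anon (unauthenticated) suites in the list.
SUITES = ['TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_RC4_128_SHA']

connect('weblogic', 'welcome1', ADMIN_URL)   # placeholders; prefer userConfigFile/userKeyFile
edit()
startEdit()
cd('/Servers/%s/SSL/%s' % (SERVER, SERVER))
cmo.setEnabled(true)
cmo.setCiphersuites(jarray.array(SUITES, String))
save()
activate(block='true')
print 'Cipher suites now configured:', list(cmo.getCiphersuites())
disconnect()
```

Run it with java weblogic.WLST restrict_suites.py from a shell that has run setWLSEnv. SSL attributes on the server MBean are not dynamic, so the server must be restarted for the new list to take effect; afterwards the ciphersuite elements appear under that server's ssl element in config.xml exactly as in the manual edit above.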
