How to check for SSL POODLE / SSLv3 bug on WebLogic? How to fix

Details of the SSL POODLE bug can be found here

We can address it in the following way.

1) Disable SSL 3.0 support in the client.

TLS 1

2) Disable SSL 3.0 support in the server.

We can start WebLogic server with the following JVM option

-Dweblogic.security.SSL.protocolVersion=TLS1

Ref :-

Use specific SSL protocol version with Weblogic Server.


Disable support for CBC-based cipher suites when using SSL 3.0 (in either client or server).

You can do it by editing you config.xml

 

<ssl>
<enabled>true</enabled>
<ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
<ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
<hostname-verification-ignored>true</hostname-verification-ignored>
<listen-port>7002</listen-port>
<server-private-key-alias>xxxxxxx </server-private-key-alias>
<server-private-key-pass-phrase-encrypted>xxxxxx</server-private-key-pass-phrase-encrypted>
</ssl>

Ref:-

Use specific SSL protocol version with Weblogic Server.

This article explains the attack in details.

http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability

4 comments

  1. According to My Oracle Support Doc ID 664126.1, you put the -Dweblogic.security.SSL.protocolVersion=TLS1 parameter in JAVA_OPTIONS_os of the <PS_HOME/webserv/<Domain/bin/ setEnv.sh file. After adding this parameter, I bounced the web server but still seem to be getting back a positive SSLv3 message. I then bounced the entire server (for good measure) and still seem to have the same issue. Our 'test' is: openssl s_client -ssl3 -connect . What am I missing?

Leave a Reply