Details of the SSL POODLE bug can be found here
We can address it in the following way.
1) Disable SSL 3.0 support in the client.
2) Disable SSL 3.0 support in the server.
We can start the WebLogic server with the following JVM option:
-Dweblogic.security.SSL.protocolVersion=TLS1
Ref :-
https://weblogic-wonders.com/weblogic/2009/12/08/use-specific-ssl-protocol-version-with-weblogic-server/
Disable support for CBC-based cipher suites when using SSL 3.0 (in either client or server).
You can do it by editing your config.xml:
<ssl>
  <enabled>true</enabled>
  <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
  <hostname-verification-ignored>true</hostname-verification-ignored>
  <listen-port>7002</listen-port>
  <server-private-key-alias>xxxxxxx</server-private-key-alias>
  <server-private-key-pass-phrase-encrypted>xxxxxx</server-private-key-pass-phrase-encrypted>
</ssl>
Ref:-
https://weblogic-wonders.com/weblogic/2009/12/08/use-specific-ssl-protocol-version-with-weblogic-server/
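The two server-side steps above (pin the protocol with the JVM option, and keep CBC suites out of the <ssl> element) are easy to get wrong in a large domain. The following is an added audit script, not code from the post or from Oracle: it parses a config.xml fragment for <ciphersuite> entries in CBC mode and checks a JAVA_OPTIONS string for the -Dweblogic.security.SSL.protocolVersion=TLS1 or -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.x flags. The sample XML and option strings are constructed for illustration; the namespace handling is an assumption so that it also works on a real config.xml, which carries a domain namespace.

```python
"""Audit WebLogic POODLE mitigations: SSL 3.0 pinned off via JVM options,
and no CBC cipher suites configured under <ssl> in config.xml.
Added example; not part of the original post."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <ssl> block from the post, wrapped in a minimal
# domain/server element so it parses like a fragment of config.xml.
HARDENED_CONFIG_XML = """<domain>
  <server>
    <name>AdminServer</name>
    <ssl>
      <enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
      <listen-port>7002</listen-port>
    </ssl>
  </server>
</domain>"""

# Constructed sample of a weak configuration: a CBC suite is still listed,
# and the element uses a namespace (as a real config.xml does; assumption).
WEAK_CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server>
    <name>ManagedServer1</name>
    <ssl>
      <enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
      <listen-port>7002</listen-port>
    </ssl>
  </server>
</domain>"""

# Matches either WebLogic SSL protocol flag and captures its value.
FLAG_RE = re.compile(
    r"-Dweblogic\.security\.SSL\.(protocolVersion|minimumProtocolVersion)=(\S+)"
)


def _local(tag):
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def cbc_suites(config_xml):
    """Return every <ciphersuite> in CBC mode, in document order.

    Any suite whose name contains '_CBC_' uses the block-cipher mode that
    POODLE exploits under SSL 3.0, so the post's advice is to remove them.
    """
    root = ET.fromstring(config_xml)
    found = []
    for elem in root.iter():
        if _local(elem.tag) == "ciphersuite" and elem.text:
            name = elem.text.strip()
            if "_CBC_" in name:
                found.append(name)
    return found


def sslv3_disabled(java_options):
    """True if JAVA_OPTIONS pins the server to TLS with either flag.

    protocolVersion=TLS1 (the post) or minimumProtocolVersion=TLSv1.x
    (the comment, JDK 1.7+) both exclude SSL 3.0; 'ALL' or an absent
    flag leaves SSL 3.0 negotiable.
    """
    for name, value in FLAG_RE.findall(java_options):
        if name == "protocolVersion" and value.upper() == "TLS1":
            return True
        if name == "minimumProtocolVersion" and value.upper().startswith("TLSV1"):
            return True
    return False


def audit(config_xml, java_options):
    """Return a list of human-readable findings; empty means both checks pass."""
    findings = []
    if not sslv3_disabled(java_options):
        findings.append("SSL 3.0 not disabled: add "
                        "-Dweblogic.security.SSL.protocolVersion=TLS1 to JAVA_OPTIONS")
    for suite in cbc_suites(config_xml):
        findings.append(f"CBC cipher suite configured: {suite}")
    return findings


if __name__ == "__main__":
    for label, xml_text, opts in (
        ("hardened", HARDENED_CONFIG_XML, "-Xmx512m -Dweblogic.security.SSL.protocolVersion=TLS1"),
        ("weak", WEAK_CONFIG_XML, "-Xmx512m"),
    ):
        print(label, audit(xml_text, opts) or ["OK"])
```

Run it against the JAVA_OPTIONS line from setDomainEnv.sh and the server's config.xml; an empty findings list means both mitigations from the post are in place. Note that the RC4 suites the post keeps avoid CBC but RC4 is itself prohibited for TLS by RFC 7465, so on a current server the suite list should be revisited rather than copied verbatim.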
This article explains the attack in detail:
http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability
According to My Oracle Support Doc ID 664126.1, you put the -Dweblogic.security.SSL.protocolVersion=TLS1 parameter in JAVA_OPTIONS_os of the <PS_HOME>/webserv/<Domain>/bin/setEnv.sh file. After adding this parameter, I bounced the web server but still seem to be getting back a positive SSLv3 message. I then bounced the entire server (for good measure) and still seem to have the same issue. Our 'test' is: openssl s_client -ssl3 -connect . What am I missing?
Please raise a ticket with Oracle Support.
Thanks,
Faisal
Do the changes in setDomainEnv.
You can also use this Java option for JDK 1.7+:
-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1