How to check for SSL POODLE / SSLv3 bug on WebLogic? How to fix

Details of the SSL POODLE bug can be found here

We can address it in the following way.

1) Disable SSL 3.0 support in the client.


2) Disable SSL 3.0 support in the server.

We can start WebLogic server with the following JVM option

Ref :-
Disable support for CBC-based cipher suites when using SSL 3.0 (in either client or server).

You can do it by editing you config.xml


<server-private-key-alias>xxxxxxx </server-private-key-alias>


This article explains the attack in details.


  1. According to My Oracle Support Doc ID 664126.1, you put the parameter in JAVA_OPTIONS_os of the <PS_HOME/webserv/<Domain/bin/ file. After adding this parameter, I bounced the web server but still seem to be getting back a positive SSLv3 message. I then bounced the entire server (for good measure) and still seem to have the same issue. Our 'test' is: openssl s_client -ssl3 -connect . What am I missing?

  2. You can also use this java option for jdk 1.7+

Comments are closed.