SSL Server allows Anonymous Authentication Vulnerability
This basically means that the client will be able to connect to the Server without using any authentication algorithm. Some SSL Ciphers allow anonymous authentication. Choosing the right cipher suites as explained in an earlier post, and disabling null cipher from the admin console can help mitigate this risk.
-Dweblogic.security.SSL.protocolVersion=SSL3
-Dweblogic.security.disableNullCipher=true
SSL Server Allows Clear text Communication Vulnerability
This vulnerability depends upon the cipher suites used, as some cipher suites allow clear text communication. If no cipher suite is specifically mentioned in the config.xml file, then the cipher suites that allow clear text communication are enabled (as well as those that do not allow clear text).
To prevent clear text communications, avoid TLS_RSA_WITH_NULL_MD5 and TLS_RSA_WITH_NULL_SHA, as these two cipher suites have 0 Symmetric Key Strength. For a list of allowed cipher suites, see the previous post. The values assigned here will allow 56 as well 128 bit encryption.
TLS Protocol Session Renegotiation Security Vulnerability
The details of the vulnerability can be found here
If u have applied the latest Critical Patch Update, you should b fine.
Find more details here
http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
Hi Faisal,
I have 2 quick questions:
1. When we enable the administration port in WLS is the communication between two managed servers is in two way SSL fashion?
2. In a two way SSL communication, will it be fine if we use the same identity i.e. single self-signed certificate for both the servers, provided both the managed servers are on separate physical machine?
(We don’t want to enable host-name verification in this case)
Thanks in advance..!!
Best regards,
Vinod
Hi Vinod,
Please find my replies inline
1. When we enable the administration port in WLS is the communication between two managed servers is in two way SSL fashion?
NO, unless we do the two way SSL COnfiguration on the severs.
2. In a two way SSL communication, will it be fine if we use the same identity i.e. single self-signed certificate for both the servers, provided both the managed servers are on separate physical machine?
In Prod Server, self signed certificates are not recommended. However still if you wish to, you can. You can use the same identity for both the servers, but host name verification will fail on one of them. So u will have to disable hostname verfication on one.
Hope this answers. If you have any other queries let me knw.
Thanks for posting.
-Faisal
Thanks a lot Faisal..!!
This helps a lot..
Best regards,
Vinod
hi Faisal,
we have a requriment to ristrict the cipher suite to set of ciphers. how can we do it in weblogic 10.3 server. can it be done using WLST?
Hi Sudhi,
You can specify the ciphersuites in the ssl configuration in the config.xml
true
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
true
7002
xxxxxxx
xxxxxx
You can also do it via WLST, but I don’t have a script ready as of now.
Thanks,
Faisal
How do I configure cipher suites web-logic please give me way to configure.
You can do it from the config.xml
https://weblogic-wonders.com/weblogic/2009/12/04/how-to-restrict-key-size-larger-that-128-bit-on-weblogic-server/
If you want additional ciphersuites, you need to configure a jce provider.