Use specific SSL protocol version with Weblogic Server.

If we want the Weblogic Server to use only a specific protocol version of SSL,we can do it with the command line options below.
-Dweblogic.security.SSL.protocolVersion=SSL3—Only SSL V3.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=TLS1—Only TLS V1.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=ALL—This is the default behavior.

We can test it by using openssl.
I my test I enabled TLS1 and below is the test result when connected with openssl

openssl s_client -connect 10.10.71.79:

543 -tls1
Loading ‘screen’ into random state – done
CONNECTED(00000788)
depth=0 /CN=Fabrizio
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=Fabrizio
verify return:1
—
Certificate chain
0 s:/CN=Fabrizio
i:/CN=Fabrizio
—
Server certificate
—–BEGIN CERTIFICATE—–
MIIBlDCB/gIBADANBgkqhkiG9w0BAQQFADATMREwDwYDVQQDEwhGYWJyaXppbzAe
Fw0wOTA1MTUxNDMyNDlaFw0xOTA1MTMxNDMyNDlaMBMxETAPBgNVBAMTCEZhYnJp
emlvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnRIgweBu10re3Fl2RlCU8
KL2rZE8agEKJZ6rQ+jTaJgDt/KvQvQJGQojusGBQTWc0ZXhsMD6gU1bB8lRjPLyt
QXhqeA35Bs+xgXgrHUXq1UP+yo8Z3/haL02bCDXxIMz0Q2aAmCue2GwB7IPCseZZ
1Rmif7Wlc5/quBEis9G+KQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAC+b0wZ5wMLX
o0eJT3DX/7ICT9mnNKq498xgAemcsjE3FbMG2DYshHuPyh842meN7zWl1gbMd5MX
yDkOlvRIYlK3sAoCyZ4m7qFdgAhAKbiSXlhPOhpUMt8BYd4km6Hn+uqyJmWuj+Wv

QQj/jzJszsFD0Qa7KxuOznHyDITu9r3j
—–END CERTIFICATE—–

subject=/CN=Fabrizio
issuer=/CN=Fabrizio
—
No client certificate CA names sent
—
SSL handshake has read 544 bytes and written 268 bytes
—
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 630E00003F6152564FEFD2A802ACBD561898F759F1B5FF7A7C4E41D264C6F061
Session-ID-ctx:
Master-Key: 51D181CBE700DA9CDAD8EFBBC8340F95F871ABCAB533A5BFACC4EF6F36C6707A
CF26F4CE59BB5DFC005753F1620F7388
Key-Arg : None
Start Time: 1245761507
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)

Weblogic Server accepted connections only over TLS1.

References:-

1. http://download.oracle.com/docs/cd/E13222_01/wls/docs92/secmanage/ssl.html

5 comments

swapna says:

31 March 2010 at 2:50 pm

Hi Sir,-Dweblogic.security.SSL.protocolVersion=ALL will allow TLSv2.0 as well.Is there a way to disable TLSv2.0 and enable SSL3 and TLS1?
Chris says:

8 January 2013 at 3:55 pm

Though this is an old post since it only takes a second to reply…

I think you are better off putting a Web Tier in front of your AppServer then you can use an Apache Directive or the like for other web servers to say SSLProtocol = ALL:-SSL2 syntax and directive name may be wrong but you get the point. Some may say its best to use a white list approach and say SSLProtocol = NONE:+SSL3:+TLS1+TLS1.1+TLS1.2 and so on but it requires more maintenance in this case. Pick you poison.
1. Administrator says:
  
  9 January 2013 at 10:51 am
  
  thanks for your inputs gordon
Philipp says:

26 December 2014 at 2:06 pm

For JSSE enabled on Java 1.7+ you can have -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1 to go against Poodle
1. Administrator says:
  
  29 December 2014 at 8:25 am
  
  thanks for sharing Philipp..

Comments are closed.

Related