1

Our Enterprise is using Oracle Application Server in front of Oracle database. We are using Oracle wallet manager(Installed with Oracle client 10) to create self-signed certificates. As you may know wallet manager in v 10 has some limitation in key size(I don't know exactly the limitation and i hope you could help me on it ).

When we want to issue a certificate at first we create a certificate request with wallet manager and then issue based on certificate in Windows server CA.

Now I have some questions:

1- What exactly indicates the ssl/tls version? I mean the web server, client or the certificate? is it possible the web server supports the tls v1.0 but the certificate doesn't?

2- What are the limitations of using wallet manager in V10 to issue the self-signed certificate?

3- Is there another way to create a self-signed certificate without wallet manager V10?(when I try the newest versions oracle application failed to open a certificate)

4- and my most important question: Can i stop POODLE attack in oracle application? (I read somewhere that the POODLE vulnerability doesn't apply in TLSV1. so I guess its better to ask my question this way: does Oracle application server support the TLSV1? )

I really appreciate any sort of help. thank you.

mcgyver5
  • 6,807
  • 2
  • 24
  • 45
user3351747
  • 11
  • 1

2 Answers2

2

1- What exactly indicates the ssl/tls version? I mean the web server, client or the certificate? is it possible the web server supports the tls v1.0 but the certificate doesn't?

The certificate has nothing to do with the TLS version negotiated. For a brief explanation, to establish a TLS connection the client and server undergoes a handshake process to negotiate various things that will be used such as the TLS version and the cipher suite. The client informs the server about the maximum TLS version it supports as well as the list of cipher suites it prefers. The server then decides.

4- and my most important question: Can i stop POODLE attack in oracle application? (I read somewhere that the POODLE vulnerability doesn't apply in TLSV1. so I guess its better to ask my question this way: does Oracle application server support the TLSV1? )

The POODLE attack only applies to SSL 3.0 connections using CBC cipher suites. Anything using TLS 1.0 and up should be safe. There have been reports that some TLS 1.0 implementations are affected due to misimplementing the specification but I do not believe Oracle's products are amongst them.

  • There's no linkage between protocol and cert, but there may be *correlation*. TLSv1.1 and especially TLSv1.2 implementations tend to be *recent*, and recent implementations tend to reject RSA-512 or MD5 certs and likely soon RSA-1024 or SHA1, as well as more strictly enforcing some cert extensions. – dave_thompson_085 Dec 28 '14 at 14:40
0

Worrying about POODLE when using self-signed certificates is like going to work without pants on and then worrying that your socks don't match.

POODLE is a very real vulnerability but it is very difficult to exploit. Using a self-signed certificate largely (mostly) defeats the purpose of using ssl/tls.

same goes for worrying about key size limitations.

mcgyver5
  • 6,807
  • 2
  • 24
  • 45
  • 1
    Using a šlf signed cert does not defeat the purpose of ssl/tls, it simply means that the signing authority and the server it authenticates is the same server. The main problem is that because a signing authority isn't included most browsers/apps consider them invalid and throw errors – Jim B Dec 27 '14 at 00:59
  • Im not expert in this. but i agree with jim. – user3351747 Dec 27 '14 at 17:59