
We replaced a self-signed certificate JKS with a signed certificate in WebLogic 12.2.1.3.0.

The C# desktop applications that connect to a service hosted there now fail with "The request was aborted: Could not create SSL/TLS secure channel". That can be fixed on the client with `ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;` for .NET 4.5 or `ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;` for .NET 4.0.

The two certificates both use SHA256withRSA and a 2048-bit RSA key.

Why did replacing the certificate require updating the client applications to use TLS 1.2? Also, is there a way to fix this on the WebLogic side so that we do not have to deploy a new version of the client to our users?

Update: The old certificate info does not include anything with KeyUsage. The new one has:

```
#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]

#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
```

The Root certificates also have:

```
#4: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_CertSign
Crl_Sign
]
```

  • Are there any differences between the `keyUsage` and `extendedKeyUsage` extensions on the two certs? – garethTheRed May 29 '20 at 15:56
  • garethTheRed Yes. Updated question. – Jamie Mellway May 29 '20 at 16:54
  • Can you get a replacement certificate with different `keyUsage` and `extendedKeyUsage`? If so, it might be worth experimenting with different combinations. There is an [answer on SE](https://stackoverflow.com/a/46203463/1925616) to a similar question although you should not use the `keyUsage` that worked in that answer! – garethTheRed May 29 '20 at 20:22
  • Certificates and ciphers/protocols really have nothing to do with each other. The TLSv1.2 requirement is probably due more to the Java version you are using than anything else, assuming you are also using a recent version of 1.8. I would try adjusting `weblogic.security.SSL.minimumProtocolVersion` if you want a different minimum protocol version. Make sure there have been no recent Java updates. – ezra-s Aug 19 '20 at 20:28
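
The comparison of `keyUsage` and `extendedKeyUsage` asked for in the comments can be done mechanically. The following is an added example, not part of the original post or its comments: it parses extension blocks in the format quoted in the question and diffs two certificates. The function names and sample text are constructed for illustration, and only flat bracketed lists like the ones quoted are handled.

```python
import re

# Header line that precedes each X.509 extension in the output quoted in the question.
HEADER = re.compile(r"#\d+: ObjectId: ([\d.]+) Criticality=(true|false)")

def parse_extensions(text):
    """Return {oid: (critical, frozenset(values))} for flat bracketed list extensions."""
    exts, oid, critical, values = {}, None, False, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            oid, critical, values = m.group(1), m.group(2) == "true", None
        elif oid and values is None and line.endswith("["):
            values = set()              # e.g. "KeyUsage [" opens the value list
        elif values is not None and line == "]":
            exts[oid] = (critical, frozenset(values))
            oid, values = None, None    # block closed, wait for the next header
        elif values is not None and line:
            values.add(line)
    return exts

def diff_extensions(old_text, new_text):
    """Map each OID that differs to (old_entry, new_entry); None means absent."""
    old, new = parse_extensions(old_text), parse_extensions(new_text)
    return {o: (old.get(o), new.get(o))
            for o in sorted(set(old) | set(new)) if old.get(o) != new.get(o)}

# Constructed sample: the old certificate lists neither extension (as the question
# states); the new one carries the two blocks quoted in the question.
OLD_CERT = "Extensions:\n"
NEW_CERT = """Extensions:

#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
"""

if __name__ == "__main__":
    for oid, (before, after) in diff_extensions(OLD_CERT, NEW_CERT).items():
        print(oid, "old:", before, "new:", after)
```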

0 Answers