0

I have an Apache Httpd running as my RPS in front of some Weblogic and Coherence servers. I have the rps configured for ssl, and to deny SSLv3 and SSLv2 requests. So when I got to the specific url (Virtual IP) that houses the multiple servers I am fine.

I have a vulnerability scanner that says the server IP (different from site url) lets in SSLv3, and SSLv2 requests in. But when scanning the VIP for the site it says I am fine because Apache is configured.

My thoughts on this are to set up both Apache and Weblogic for SSL. Would this be a good idea? or am I being more paranoid than I should be?

Suggestions?

Vnge
  • 185
  • 3
  • 12
  • 1
    You can teminate TLS only at one point, IOW you can't have both Apache and WebLogic terminate TLS at the same time. By 'server IP' do you mean the WebLogic server IP? If yes, just disable TLS altogether in WebLogic, as you are not using this TLS endpoint anyway, unless you are using it internally for WLST (as opposed to server HTTP requests), in that case, set it up properly. – dawud Mar 30 '15 at 16:17
  • Well, by server IP i mean the machine it is hosted on. My goal is to use mainly TLS. I currently have it apache configured to terminate SSLv2 and SSLv3, and to accept (I believe) TLSv1 – Vnge Mar 30 '15 at 16:26
  • I think the term 'terminate' does not mean what you think in this context. It means the TLS tunnel exists from the user's browser to the termination endpoint (Apache in your case). You cannot use "mainly" TLS, either you use or not. Are you saying that the Apache server is in the same host as the WebLogic server? – dawud Mar 30 '15 at 16:34
  • oh, yes sorry. Wrong context for terminate. Would like to use TLS. and yes the apache serverr is on the same host as the weblogic. – Vnge Mar 30 '15 at 16:35
  • So what would be a suggestion for my vulnerability scanner finding that SSLv3 and SSLv2 are enabled? – Vnge Mar 30 '15 at 18:06

1 Answers1

1

You can have weblogic use just TLS and termincate SSLv3/2 connections. Check this post "Weblogic Mitigate POODLE vulnerability after upgrade and still use CBC ciphers".

He suggests upgrading java to 7u75 or using -Dweblogic.security.SSL.protocolVersion= Check this page for SSL weblogic, you will find it helpful

http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#SECMG499

Community
  • 1
Hououin Kyouma
  • 146
  • 5