3

I recently upgraded my WebLogic server to 10.3.6 with Java 7. With that, I have TLS1.0 - TLS 1.2 enabled via setEnv.sh. Some of the ciphers I am using to make sure that they are compatible (supported by WebLogic, FF37, Chrome 44, etc.) are as follows:

<ciphersuite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite>
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
<ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA256</ciphersuite>
<ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</ciphersuite>
<ciphersuite>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite>

This is in config.xml under the ssl tag. I do have JSSE enabled as well to make sure I can get a TLS1.2 connection.

The supported cipherlist for Weblogic 10.3.6 found here

One issue that I see with SSL Labs is that with these ciphers, I am still possibly vulnerable to POODLE.

An Nmap scan gave me this for what the ciphers are:

| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong

Before TLS1.1 and TLS1.2 were enabled in setEnv.sh, I did not have this issue, so I am unsure why adding them changed what happened. Now my question is: how do I make sure that I have SSL3 disabled but am still able to use some of the CBC ciphers, or have the support I need?

EDIT: I know that CBC ciphers are a no bueno kinda thing... I am open to suggestions for ciphers that support TLS1.0+ and a browser as low as IE 8.

Vnge
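A way to check a scan like the one above for the SSLv3 exposure that SSL Labs reported, as an added example that is not part of the original question: it parses ssl-enum-ciphers output in the format shown and reports whether SSLv3 is still offered and which CBC suites each other protocol lists. The function names and the shortened sample scan are constructed for illustration.

```python
import re

# Constructed sample: a shortened scan in the same layout as the question's output.
SAMPLE = """\
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

# Assumes the layout shown on this page: "|   <protocol>:" then one suite per line.
PROTO = re.compile(r"^\|[ _]+((?:SSLv|TLSv)[\d.]+):\s*$")
SUITE = re.compile(r"^\|[ _]+((?:TLS|SSL)_\w+)")

def parse_enum_ciphers(text):
    """Map each protocol version to the list of suites the scan reported for it."""
    result, current = {}, None
    for line in text.splitlines():
        m = PROTO.match(line)
        if m:
            current = result.setdefault(m.group(1), [])
            continue
        m = SUITE.match(line)
        if m and current is not None:
            current.append(m.group(1))
    return result

def review(text):
    """Return (finding, protocol, suites) tuples for SSLv3 and for CBC suites."""
    findings = []
    for proto, suites in parse_enum_ciphers(text).items():
        cbc = [s for s in suites if "_CBC_" in s]
        if proto == "SSLv3":
            findings.append(("SSLv3 enabled (POODLE exposure)", proto, suites))
        elif cbc:
            findings.append(("CBC suites offered", proto, cbc))
    return findings

if __name__ == "__main__":
    for title, proto, suites in review(SAMPLE):
        print(f"{title} [{proto}]: {', '.join(suites)}")
```

Re-running the scan after a configuration change and seeing no SSLv3 finding confirms the protocol is no longer negotiated, independent of which suites remain listed.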

2 Answers

0

Just make sure that you use a higher version of Java than 7u75 (it disables them by default) then I think enabling TLS1.0 only can cause the downgrade for SSLv3 then you could use -Dweblogic.security.SSL.protocolVersion=TLS1 and TLS1.1. You should have disabled CBC a long time ago https://community.qualys.com/thread/9974. So you might have conflicting requirements.

Alex H
  • Okay, that would make sense. Would you have a suggestion for ciphers to support TLS 1.0+ for Weblogic? – Vnge Apr 22 '15 at 15:19
  • Assuming that you have most of the clients on Windows, you can just pick them from here https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx . Make sure that whatever you choose is supported by your client computers. – Alex H Apr 22 '15 at 15:34
  • So if CBC is not that great, why are there a large bunch of ciphers using it? – Vnge Apr 22 '15 at 15:35
  • That article is for Windows, a list of available options, and it was made some time ago. Meanwhile some vulnerabilities have appeared :) – Alex H Apr 22 '15 at 15:37
  • Ah yes, gotcha. – Vnge Apr 22 '15 at 15:37
  • To be clear, 7u75 inclusive and up (also 8u25+) disables SSLv3 by default to block POODLE; one thing is 'it' not 'them'. Also for TLSv1.0 and 1.1, and 1.2 in Java7, excluding CBC leaves only RC4, which is thought much closer to broken and was officially removed from TLS https://tools.ietf.org/html/rfc7465 . Even in Java8 the better solution of TLSv1.2 with AES GCM only works when supported by the client(s). – dave_thompson_085 Dec 06 '15 at 04:54
  • >Just make sure that you use a higher version of Java than 7u75 (it disables them by default) then I think enabling TLS1.0 – Net Runner May 04 '17 at 13:44
  • That's exactly what I said in my answer – Alex H May 04 '17 at 15:12
0

This is late to answer now, but it can be used as a future reference if you are using WebLogic 10.3.6, which is compatible with JDK7. Recently Oracle released JDK 7u131, which supports TLS1.1 and TLS1.2 by default. So you can upgrade the JDK to 7u131.

Esa Jokinen
Arya