How To Disable Anonymous and Weak Cipher Suites in Oracle WebLogic Server
(Doc ID 1067411.1)
Last updated on NOVEMBER 07, 2018
Applies to:Oracle WebLogic Server - Version 8.1 and later
Oracle Fusion Middleware - Version 22.214.171.124.0 and later
Information in this document applies to any platform.
- This document is applicable to all versions, however newer versions will have newer defaults eliminating the previously used weak and anonymous ciphers.
This article provides steps on how to disable anonymous and weak SSL cipher suites in Oracle WebLogic Server. Weak can be defined as cipher strength less than 128 bit or those which have been found to be vulnerable to attacks. For example: EXPORT, NULL CIPHER SUITES, RC4, DHE, and 3DES.
You may see various scan reports reporting specific ciphers or generically stating "SSL Server Allows Anonymous Authentication Vulnerability" or "SSL Server Allows Weak Ciphers". You may also see errors from newer securely configured clients rejecting the SSL handshake due to the server's SSL configuration. Errors seen include ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY, ssl_error_weak_server_ephemeral_dh_key, or ssl_error_no_cypher_overlap.
- The quick answer is to apply the latest WLS PSU, update the JDK, and ensure JSSE is enabled. Follow the Critical Patch Update program and you can see algorithms that have been disabled or schedules to be disabled at https://java.com/en/jre-jdk-cryptoroadmap.html . Note that these can be disabled in the JDK's java.security file, but this will be overwritten upon your next update, and should be considered temporary and not a best practice for WebLogic Server environments. If you have a business requirement to configure specific ciphers - configure the config.xml, nodemanager.properties and/or use JAVA_OPTIONS, depending on your use case.
There are other considerations with high level steps listed below:
By following Oracle advice between multiple components this is the combined summary of steps to be performed in unison:
1. Disable SSLv3
- See <Note 1936300.1> How to Change SSL Protocols (to Disable SSL 3.0) in Oracle Fusion Middleware Products
2. Apply latest PSU
- See <Note 1306505.1> Announcing Oracle WebLogic Server PSUs (Patch Set Updates)
3. Enable JSSE on 10.3.6
- See http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#SECMG494
4. Update JDK to latest Java 6 or 7 (depending on what is certified - this affecting protocols, ciphers and key strength supported)
- See <Note 1492980.1> How to Maintain the Java SE Installed or Used with FMW 11g/12c Products
5. Remove weak ciphers (automatic by updating JDK, if previously manually configured, might now be incorrect)
- See explanations in this Doc ID 1067411.1
6. If required, update certificate key strength to greater than 1024
- See <Note 1607170.1> SSL Authentication Problem Using WebLogic 10.3.6 and 12.1.1 With JDK1.7.0_40 or Higher and JRockit R28.3.7
- Update any demo certificates using <Note 2097194.1> Impact of Jan 19, 2016 JDK CPU Updates on SSL/TLS and WLS 10.3.6 Demo Certificates - WLS 10.3.6 w/SSL
The remainder of this document goes into further explanation, more configuration options and resolving known issues...
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document
|What Ciphers Will be Used By Default?|
|Disable Anonymous and Weak Cipher Suites in Oracle WebLogic Server|
|Manually or Explicitly Configuring Ciphers|
|Certificate Key Strength Greater than 1024|