How To Disable Anonymous and Weak Cipher Suites in Oracle WebLogic Server
(Doc ID 1067411.1)
Last updated on FEBRUARY 14, 2024
Applies to:
Oracle WebLogic Server - Version 8.1 and later Oracle Fusion Middleware - Version 11.1.1.2.0 and later Information in this document applies to any platform.
- This document is applicable to all versions, however newer versions will have newer defaults eliminating the previously used weak and anonymous ciphers.
Goal
This article provides steps on how to disable anonymous and weak SSL cipher suites in Oracle WebLogic Server. Weak can be defined as cipher strength less than 128 bit or those which have been found to be vulnerable to attacks. For example: EXPORT, NULL CIPHER SUITES, RC4, DHE, and 3DES.
You may see various scan reports reporting specific ciphers or generically stating "SSL Server Allows Anonymous Authentication Vulnerability" or "SSL Server Allows Weak Ciphers". You may also see errors from newer securely configured clients rejecting the SSL handshake due to the server's SSL configuration. Errors seen include ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY, ssl_error_weak_server_ephemeral_dh_key, or ssl_error_no_cypher_overlap.
The quick answer is to apply the latest WLS PSU and update the JDK. If on 10.3.6, ensure JSSE is enabled. Follow the Critical Patch Update program and you can see algorithms that have been disabled or schedules to be disabled at https://java.com/en/jre-jdk-cryptoroadmap.html . Note that these can be disabled in the JDK's java.security file, but this will be overwritten upon your next update. Updates to java.security should be considered temporary and not a best practice for WebLogic Server environments. If you have a business requirement to configure specific ciphers - and be responsible to maintain - configure the config.xml, nodemanager.properties and/or use JAVA_OPTIONS, depending on your use case.
Following this should be the first step: Doc ID 2806740.2 Critical Patch Update (CPU) Patch Advisor for Oracle Fusion Middleware - For WLS, this will also provide the PSU and JDK updates affecting SSL protocol and cipher usage
There are other considerations with high level steps listed below when using older versions such as 10.3.6:
1. Disable SSLv3 - For various products using WLS, see <Note 1936300.1> How to Change SSL Protocols (to Disable SSL 3.0) in Oracle Fusion Middleware Products 2. Apply the latest WLS PSU - See <Note 1306505.1> Announcing Oracle WebLogic Server PSUs (Patch Set Updates) 3. Enable JSSE on 10.3.6 - See https://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#SECMG494 4. Update JDK to latest JDK - Depending on what is certified, but always latest minor version - JDK fixes determines default protocols, ciphers and key strength supported - See <Note 1492980.1> How to Maintain the Java SE Installed or Used with FMW 11g/12c/14c Products 5. Remove weak ciphers you may have manually configured, which may now be a non-recommended value - See explanations in this and <Note 1067411.1> 6. If required, update certificate key strength to greater than 1024 - See <Note 1607170.1> SSL Authentication Problem Using WebLogic 10.3.6 and 12.1.1 With JDK1.7.0_40 or Higher and JRockit R28.3.7 - Update any demo certificates using <Note 2097194.1> Impact of Jan 19, 2016 JDK CPU Updates on SSL/TLS and WLS 10.3.6 Demo Certificates - WLS 10.3.6 w/SSL
The remainder of this document goes into further explanation, more configuration options and resolving known issues...
(Note it is written in an 11g timeframe and updated for newer versions, therefore provides a little history on this topic)
Solution
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!