
How To Disable Anonymous and Weak Cipher Suites in Oracle WebLogic Server (Doc ID 1067411.1)

Last updated on FEBRUARY 14, 2024

Applies to:

Oracle WebLogic Server - Version 8.1 and later
Oracle Fusion Middleware - Version 11.1.1.2.0 and later
Information in this document applies to any platform.
- This document applies to all versions; newer versions ship with newer defaults that remove the previously used weak and anonymous cipher suites, so on current releases most of the steps below are already the default.

Goal

This article provides steps on how to disable anonymous and weak SSL/TLS cipher suites in Oracle WebLogic Server. "Weak" here means suites with an effective key strength below 128 bits or suites that have been shown to be vulnerable to attack. For example: EXPORT suites, NULL-encryption suites, RC4, 3DES, and DHE suites negotiated with short (1024-bit or smaller) Diffie-Hellman parameters. Anonymous suites (DH_anon, ECDH_anon) provide no server authentication at all and allow a man-in-the-middle to terminate the connection transparently.

You may see various scan reports reporting specific ciphers or generically stating "SSL Server Allows Anonymous Authentication Vulnerability" or "SSL Server Allows Weak Ciphers". You may also see errors from newer securely configured clients rejecting the SSL handshake due to the server's SSL configuration. Errors seen include ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY, ssl_error_weak_server_ephemeral_dh_key, or ssl_error_no_cypher_overlap.

1. Disable SSLv3
    - For various products using WLS, see <Note 1936300.1> How to Change SSL Protocols (to Disable SSL 3.0) in Oracle Fusion Middleware Products
2. Apply the latest WLS PSU
    - See <Note 1306505.1> Announcing Oracle WebLogic Server PSUs (Patch Set Updates)
3. Enable JSSE on 10.3.6
    - See https://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#SECMG494
4. Update the JDK to the latest certified update release
    - Which major version is certified depends on the WLS release, but always use the latest update (minor) version of that JDK
    - JDK fixes determine the default protocols, cipher suites, and key strengths supported (for example, the jdk.tls.disabledAlgorithms list in java.security)
    - See <Note 1492980.1> How to Maintain the Java SE Installed or Used with FMW 11g/12c/14c Products
5. Remove weak cipher suites you may have manually configured in the past, which may now be non-recommended values
    - See the explanations in the remainder of this document (<Note 1067411.1>)
6. If required, update the certificate key strength to greater than 1024 bits (2048-bit RSA or larger)
    - See <Note 1607170.1> SSL Authentication Problem Using WebLogic 10.3.6 and 12.1.1 With JDK1.7.0_40 or Higher and JRockit R28.3.7
    - Update any demo certificates using <Note 2097194.1> Impact of Jan 19, 2016 JDK CPU Updates on SSL/TLS and WLS 10.3.6 Demo Certificates - WLS 10.3.6 w/SSL
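Step 5 above is the one most often done by hand, and the weak suites usually survive because nobody reads the list of <ciphersuite> elements in config.xml again after the original scan finding was "fixed". The following audit script is an added example written for this article; it is not Oracle's code and is not part of the original document. It parses a domain config.xml, reports every manually configured cipher suite that is anonymous, NULL, EXPORT, RC4, DES/3DES or MD5-based, and flags servers where JSSE is not enabled. Assumptions: the element names (server, ssl, ciphersuite, jsse-enabled) follow the xmlns.oracle.com/weblogic/domain schema as written out by the Console; the sample config is constructed for the example; and the domain is treated as 10.3.6, where JSSE is off unless jsse-enabled is true (pass jsse_default_enabled=True for 12.1.1 and later, where JSSE is the default).

```python
"""Audit a WebLogic config.xml for manually configured anonymous or weak
SSL/TLS cipher suites. Added example, not Oracle's code."""
import re
import xml.etree.ElementTree as ET

# Default namespace used by WebLogic domain config.xml (assumption: schema
# element names as written by the Administration Console).
NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Name-based classification of cipher suites. The first matching rule wins
# and supplies the reason reported. DHE suites are not flagged by name: their
# strength depends on the DH parameter size the JDK generates, not the name.
WEAK_RULES = [
    ("anonymous (no server authentication)", re.compile(r"_anon_", re.I)),
    ("NULL encryption", re.compile(r"_NULL_|WITH_NULL")),
    ("EXPORT grade (40/56-bit)", re.compile(r"EXPORT")),
    ("RC4", re.compile(r"RC4")),
    ("DES/3DES", re.compile(r"_DES_|3DES")),
    ("MD5 MAC", re.compile(r"_MD5$")),
]


def classify(suite):
    """Return the reason a suite is weak, or None if no rule matches."""
    for label, rx in WEAK_RULES:
        if rx.search(suite):
            return label
    return None


def audit_config(xml_text, jsse_default_enabled=False):
    """Return a list of (server, item, reason) findings.

    item is the offending cipher suite name, or the literal '<jsse-enabled>'
    when the server still runs the legacy (Certicom) SSL stack.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.findall("d:server", NS):
        name = server.findtext("d:name", default="?", namespaces=NS)
        ssl = server.find("d:ssl", NS)
        if ssl is None:
            continue  # no SSL listener configured on this server
        jsse_text = ssl.findtext("d:jsse-enabled", default=None, namespaces=NS)
        jsse_on = (jsse_default_enabled if jsse_text is None
                   else jsse_text.strip().lower() == "true")
        if not jsse_on:
            findings.append((name, "<jsse-enabled>",
                             "JSSE not enabled; legacy SSL stack in use"))
        for cs in ssl.findall("d:ciphersuite", NS):
            suite = (cs.text or "").strip()
            reason = classify(suite)
            if reason:
                findings.append((name, suite, reason))
    return findings


# Constructed sample: AdminServer carries a hand-edited list from a 10.3.x era
# hardening attempt; ms1 has already been moved to JSSE with a modern suite.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <server>
    <name>AdminServer</name>
    <ssl>
      <enabled>true</enabled>
      <listen-port>7002</listen-port>
      <ciphersuite>SSL_DH_anon_WITH_RC4_128_MD5</ciphersuite>
      <ciphersuite>SSL_RSA_EXPORT_WITH_RC4_40_MD5</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
    </ssl>
  </server>
  <server>
    <name>ms1</name>
    <ssl>
      <enabled>true</enabled>
      <jsse-enabled>true</jsse-enabled>
      <ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</ciphersuite>
    </ssl>
  </server>
</domain>
"""

if __name__ == "__main__":
    for server, item, reason in audit_config(SAMPLE_CONFIG):
        print(f"{server}: {item}: {reason}")
```

Run it against a copy of $DOMAIN_HOME/config/config.xml (the script never writes to the file). Fix findings through the Console or WLST on the server's SSL settings rather than by hand-editing config.xml, and remember that an empty suite list is usually the right end state on a current JDK, because the JDK's own defaults and jdk.tls.disabledAlgorithms then govern what is offered. A name-based check cannot see weak DHE parameters; for those, confirm the JDK level per step 4 and re-run the external scan that raised the ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY finding.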

The remainder of this document goes into further explanation, more configuration options and resolving known issues... 

(Note it is written in an 11g timeframe and updated for newer versions, therefore provides a little history on this topic)

Solution

In this Document
Goal
Solution
 What Ciphers Will be Used By Default?
 Compatibility Warning
 Disable Anonymous and Weak Cipher Suites in Oracle WebLogic Server
 Manually or Explicitly Configuring Ciphers
 Certificate Key Strength Greater than 1024
 SHA-256
 Node Manager
References
