
How the SSL/TLS Renegotiation Protocol Change Affects Oracle HTTP Server and Oracle WebLogic Server (Doc ID 1301699.1)

Last updated on FEBRUARY 18, 2025

Applies to:

Oracle HTTP Server - Version 10.1.2.3.0 and later
Oracle Fusion Middleware - Version 10.1.2.0.0 and later
Oracle WebLogic Server - Version 10.3.1 and later
Information in this document applies to any platform.
Update January 2020 for Oracle HTTP Server: Ensure you are on version 12.2.1.3/12.1.3.0/11.1.1.9 with patches applied or 12.2.1.4 or newer.

See Is it Possible to Disable and Set Oracle HTTP Server "Secure Client-Initiated Renegotiation" to No?
Goal

There is a TLS/SSL protocol change implemented which affects the Oracle HTTP Server and Oracle WebLogic Server processing of HTTPS requests.

SSL/TLS Renegotiation Protocol Change For Oracle Fusion Middleware Products

Oracle HTTP Server and Oracle WebLogic Server provide an implementation of the SSL/TLS protocols used within Oracle Fusion Middleware topologies. One capability of these protocols is the negotiation of many characteristics of the communication between client and server, including ciphers and the specific version of the SSL or TLS protocol. The requirement for a client certificate can also be negotiated. In most cases, this negotiation takes place during the initial handshake.

In certain circumstances, the previously negotiated characteristics of the communication may need to change; this procedure is known as renegotiation. The original IETF standard covering the renegotiation protocol had a defect which could be exploited under very limited circumstances. This defect is tracked as CVE-2009-3555 in the Common Vulnerabilities and Exposures (CVE) database at http://cve.mitre.org/. The protocol has been corrected in RFC 5746, and providers of SSL/TLS implementations, including Oracle, are delivering updated SSL/TLS implementations which use the new renegotiation protocol whenever both the client and the server implement it.
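As an added illustration (not Oracle's code and not part of this note), the following Python parses TLS ClientHello and ServerHello bodies and reports whether each side signals the RFC 5746 secure renegotiation mechanism: a server advertises it with the renegotiation_info extension (type 0xff01), and a client with either that extension or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (0x00ff). The message bytes at the bottom are constructed samples, not captures from OHS or WLS.

```python
import struct

# RFC 5746 identifiers
RENEGOTIATION_INFO = 0xFF01      # extension type renegotiation_info
EMPTY_RENEG_INFO_SCSV = 0x00FF   # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value


def _extensions(buf: bytes, pos: int):
    """Yield (type, data) for each TLS extension in the block starting at buf[pos]."""
    if pos + 2 > len(buf):                      # no extensions block at all
        return
    (total,) = struct.unpack("!H", buf[pos:pos + 2])
    pos += 2
    end = pos + total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        pos += 4
        yield ext_type, buf[pos:pos + ext_len]
        pos += ext_len


def server_hello_secure_renegotiation(body: bytes) -> bool:
    """True if a ServerHello body (after the 4-byte handshake header) carries
    renegotiation_info, i.e. the server implements RFC 5746. On an initial
    handshake the extension data must be a single zero length byte."""
    pos = 2 + 32                                # legacy_version + random
    pos += 1 + body[pos]                        # session_id
    pos += 2 + 1                                # cipher_suite + compression_method
    return any(t == RENEGOTIATION_INFO and d == b"\x00" for t, d in _extensions(body, pos))


def client_hello_secure_renegotiation(body: bytes) -> bool:
    """True if a ClientHello body signals RFC 5746 support, either via the SCSV in
    its cipher suite list or via the renegotiation_info extension. A client that
    signals neither is an "insecure" (pre-RFC 5746) client."""
    pos = 2 + 32                                # legacy_version + random
    pos += 1 + body[pos]                        # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = struct.unpack("!%dH" % (cs_len // 2), body[pos:pos + cs_len])
    pos += cs_len
    pos += 1 + body[pos]                        # compression_methods
    if EMPTY_RENEG_INFO_SCSV in suites:
        return True
    return any(t == RENEGOTIATION_INFO for t, _ in _extensions(body, pos))


# Constructed sample messages (not captured from a real server or client).
SERVER_HELLO_RFC5746 = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
                        + b"\x00\x05" + b"\xff\x01\x00\x01\x00")
SERVER_HELLO_LEGACY = b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
CLIENT_HELLO_SCSV = (b"\x03\x03" + b"\x00" * 32 + b"\x00"
                     + b"\x00\x04" + b"\xc0\x2f\x00\xff" + b"\x01\x00")
CLIENT_HELLO_LEGACY = b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x02" + b"\x00\x2f" + b"\x01\x00"
```

Against a live OHS or WLS listener, `openssl s_client` reports the same server-side fact as "Secure Renegotiation IS supported" or "IS NOT supported" in its handshake summary.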

This document outlines the changes made to the Oracle HTTP Server and Oracle WebLogic Server, including new configuration settings. The primary change has been delivered to secure your system in base releases, patch sets, and through the Critical Patch Update program. It is recommended that you ensure your Oracle products are at the expected level to consume these fixes, then test your HTTPS connections and confirm they work as expected.

Critical Patch Updates

Oracle currently delivers Critical Patch Updates on a quarterly basis: January, April, July, and October of each year. You should install these updates as they are released to keep your installation secure. Note that all fixes are rolled into the next Patch Set, and CPUs are made available for all versions under error correction support. To obtain Critical Patch Updates, Oracle recommends the following as a starting point:
Critical Patch Updates (CPU) and Security Alerts
[ https://www.oracle.com/technetwork/topics/security/alerts-086861.html ]
A Security Advisory documents the vulnerabilities for a CPU release. A Patch Availability Document provides the cumulative patches for each product version. At the time of this reading, it is recommended that you obtain the latest CPU documentation and patches.

The initial CPUs associated with CVE-2009-3555 for Oracle Fusion Middleware are covered in the following Patch Availability Documents:

<Note 1291877.1> Patch Set Update and Critical Patch Update April 2011 Availability Document
<Note 1089046.1> Critical Patch Update July 2010 Patch Availability Document for Oracle BEA Releases
March 30, 2010 Java SE and Java for Business Critical Patch Update
[ https://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html ]

  • For reference purposes only, search the above for "CVE-2009-3555" for the affected products and associated patches.
  • When viewing the latest Patch Availability Document for the Oracle HTTP Server, see the section for "Oracle Fusion Middleware" and a reference to the My Oracle Support Doc ID "1301699.1" (this document), as it signifies a patch provided for this reason.


Solution



In this Document
Goal
  SSL/TLS Renegotiation Protocol Change For Oracle Fusion Middleware Products
Solution
  Oracle HTTP Server:
    Apply Updates and Check HTTPS With Oracle HTTP Server
    How to Tell if Your Oracle HTTP Server Configuration Requires Renegotiation
    How to Tell if Insecure Clients Are Failing to Renegotiate with OHS
    How to Allow Renegotiation With Insecure Clients for OHS
  Oracle WebLogic Server:
    Apply Updates and Check HTTPS With Oracle WebLogic Server
    Problems When Clients Require Renegotiation with WLS
    Java SE
    How to Allow Renegotiation With Insecure Clients for WLS
References
