
Is SSLHonorCipherOrder and TLS 1.1/1.2 Supported for Oracle HTTP Server (Doc ID 1485047.1)

Last updated on MAY 03, 2024

Applies to:

Oracle HTTP Server - Version 10.1.2.0.2 and later
Oracle Fusion Middleware - Version 10.1.2.0.0 and later
Web Cache - Version 10.1.2.0.2 and later
Information in this document applies to any platform.

Goal

Overview

This document covers two issues, support for SSLHonorCipherOrder and support for TLS 1.1 and 1.2, because it is a popular request to check or configure these at the same time. SSLHonorCipherOrder requires newer protocols, and OHS versions 11.1.1.7 and earlier only support up to TLS 1.0. Overall, it is recommended to be on a supported version with Critical Patch Updates applied. Newer industry standards are implemented on newer OHS versions. This document outlines the history during a transitional period when the industry changed to newer SSL protocols and ciphers.

SSLHonorCipherOrder

As a security best practice, an administrator can choose to allow only newer, stronger SSL protocols and ciphers with the SSLProtocol and SSLCipherSuite directives. When a cipher is chosen during an SSL handshake, the client's preference is normally used. If the SSLHonorCipherOrder directive is enabled, the server's preference is used instead, giving the administrator more control over security. SSLHonorCipherOrder is an Apache directive, available in Apache 2.1 and later (if using OpenSSL 0.9.7 or later), as documented at the apache.org web site:

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder

When this directive is configured in the Oracle HTTP Server ssl.conf file, Oracle HTTP Server fails to start, reporting that it is not a valid directive.
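
The selection rule described above can be modelled in a few lines. This is an added illustration, not Oracle or Apache code: the function name select_cipher is hypothetical, the cipher lists are constructed sample data, and the model ignores protocol-version constraints.

```python
# Added illustration: a simplified model of how the cipher is picked
# during a handshake. Cipher names are OpenSSL-style names used as
# constructed sample data; they are not taken from any real server.

def select_cipher(client_offer, server_ciphers, honor_server_order=False):
    """Return the negotiated cipher, or None if the lists do not overlap.

    client_offer       -- ciphers in the client's preference order
    server_ciphers     -- ciphers the server allows, in the server's
                          preference order (the role of SSLCipherSuite)
    honor_server_order -- models SSLHonorCipherOrder on/off
    """
    if honor_server_order:
        # Server's ranking decides; client list only filters.
        ranked, allowed = server_ciphers, set(client_offer)
    else:
        # Client's ranking decides; server list only filters.
        ranked, allowed = client_offer, set(server_ciphers)
    for cipher in ranked:
        if cipher in allowed:
            return cipher
    return None  # no common cipher: the handshake would fail


# Constructed sample: a legacy client that ranks weak ciphers first.
LEGACY_CLIENT = ["RC4-SHA", "DES-CBC3-SHA", "AES128-SHA", "AES256-SHA"]
# Server that still allows weak ciphers but ranks them last.
SERVER_BROAD = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]
# Server whose cipher list has had the weak ciphers removed.
SERVER_STRICT = ["AES256-SHA", "AES128-SHA"]


def demo():
    return {
        "broad list, client order": select_cipher(LEGACY_CLIENT, SERVER_BROAD),
        "broad list, server order": select_cipher(LEGACY_CLIENT, SERVER_BROAD, True),
        "strict list, client order": select_cipher(LEGACY_CLIENT, SERVER_STRICT),
        "strict list, no overlap": select_cipher(["RC4-SHA"], SERVER_STRICT, True),
    }


if __name__ == "__main__":
    for case, chosen in demo().items():
        print(f"{case:26} -> {chosen}")
```

With client ordering, the server's cipher list is the only bound on what gets negotiated, so removing weak ciphers from the list limits the outcome even where the server's order cannot be enforced.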

 

TLS 1.1 and TLS 1.2

The SSLHonorCipherOrder directive is more desirable when the older SSL 3.0 or TLS 1.0 protocols are used. Many administrators prefer to configure TLS 1.1 and 1.2.

Solution


In this Document
Goal
 Overview
 SSLHonorCipherOrder
 TLS 1.1 and TLS 1.2
Solution
 Support for SSLHonorCipherOrder
 Support for TLS 1.1 and 1.2
 Configurable Options Available
 SSL Protocols
 SSL Ciphers
 Oracle Web Cache
References
