How to Change SSL Protocols (to Disable SSL 2.0/3.0) in Oracle Fusion Middleware Products
(Doc ID 1936300.1)
Last updated on APRIL 27, 2023
Applies to:
Oracle HTTP Server - Version 10.1.2.0.2 and laterWeb Cache - Version 10.1.2.0.2 and later
Oracle Containers for J2EE - Version 10.1.2.0.2 and later
Oracle WebLogic Server - Version 10.3.1 and later
Oracle Fusion Middleware - Version 10.1.2.0.2 and later
Information in this document applies to any platform.
Goal
How to Change SSL Protocols in Oracle Fusion Middleware Products
This document provides links to documents and other important clarifications regarding the SSL protocol configurable with Oracle Fusion Middleware products as linked in the table of contents. You should take steps to disable older SSL protocols such as SSL 3.0 and SSL 2.0 (aka SSLv3 and SSLv2) on both servers and clients (browser settings) as these protocols are vulnerable to attacks as per the following public vulnerability:
SSL V3.0 "Poodle" Vulnerability - CVE-2014-3566 -https://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
Important:
- This document does not cover all Oracle Fusion Middleware (FMW) products. This document covers the integrated core FMW products requiring steps to disable SSL. To better manage popular FMW integrations, additional references will be provided once the investigation is completed in the Alert. It is important to follow the above Alert for all products you use to check their status and references provided.
- If you are concerned about the use of specific SSL protocols to mitigate vulnerabilities, it is required to also follow the Critical Patch Update program. While the CVE-2014-3566 is a separate Alert, related fixes also entered the CPU program starting with January 2014. There are SSL/TLS fixes for previously reported issues and in some cases, patches are required to allow compatibility with newer client requirements or specific security features.
- Some browser clients may block and close connections seen as insecure. If you get the errors listed below, it means you should disable SSLv2 and SSLv3 from the server. If you have verified TLS is being used and still get the error, you need to apply the CPU patches as stated in this document for the version in use in order to establish a secure connection with the client. Ensure you have the latest OPatch (<Patch 6880880>) for your version before applying CPU patches or some updates can be inadvertently skipped.
ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION
SSL call to NZ function nzos_Handshake failed with error 29014
SSL call to NZ function nzos_Handshake failed with error 29049
SSL call to NZ function nzos_Handshake failed with error 28864
<Note 1955915.1> SSL Handshake Fails with ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION or SSL_ERROR_NO_CYPHER_OVERLAP Errors
Solution
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Goal |
| How to Change SSL Protocols in Oracle Fusion Middleware Products |
| Solution |
| Follow Critical Patch Update (CPU) Program |
| Oracle WebLogic Server (WLS) 10.3.6, 12c |
| How to Configure JAVA_OPTIONS |
| More Details on Configuring SSL with Oracle WebLogic Server |
| Oracle HTTP Server (OHS) 12c |
| Oracle HTTP Server (OHS) 11g 11.1.1.7, 11.1.1.9 |
| Oracle Web Cache 11g 11.1.1.7, 11.1.1.9 |
| OPMN 11g (11.1.1.7, 11.1.1.9) |
| Database Client 11g (sqlnet.ora) Update |
| Oracle Application Server 10g |
| Oracle HTTP Server 10g |
| Oracle Web Cache 10g |
| OC4J 10g (10.1.3.5 only) |
| Other FMW 10g/11g/12c Products |
| References |