SSL Handshake Fails After Changing Weblogic Servers SSL Implementation from Certicom to JSSE
(Doc ID 1960773.1)
Last updated on MARCH 01, 2019
Applies to:Oracle HTTP Server - Version 188.8.131.52.0 and later
Oracle WebLogic Server - Version 10.3.3 to 10.3.6
Oracle WebLogic Server - Version 184.108.40.206 and later
Information in this document applies to any platform.
This issue could also affect 11g OHS as the root of the problem is how SSL is handled differently between WLS' Certicom and JSSE.
SSL Handshakes are failing between Oracle HTTP Server(OHS) and Weblogic Server(WLS) where they were previously working.
Testing both OHS and WLS independently there are no SSL issues.
Oracle HTTP Server is in front of Weblogic Server.
SSL is being used throughout.
-Client connects to OHS over SSL.
-OHS connects to WLS over SSL.
JSSE SSL Implementation is being used in WLS.
WLS is enabled for 2 way ssl of "Client Certificates requested but not enforced"
The OHS logs show the following error:
The SSL Implementation in WLS has changed from Certicom to JSSE. After this change the handshake between OHS and WLS no longer is successful.
Some background on the ssl implementations for WLS:
-Before 10.3.3 (11g), Certicom SSL was the only SSL implementation.
-In 10.3.3 thru 10.3.6 (11g), Certicom SSL is the default SSL implementation, with JSSE available by enabling a property switch.
-In 12.1.1 and up (12c), JSSE is the default SSL implementation and Certicom was removed.
-TLS 1.1 and 1.2 is only supported with a combination of JDK 7 Update 1 (or later) and JSSE enabled
-With JSSE and JDK 7, higher security defaults are available (e.g updated ciphers)
-TLS 1.0 is supported on all releases using either Certicom or JSSE implementation
-Weblogic Server versions 10.3.6 and 12.1.1 and later are certified with JDK 7
Reference : How to Change SSL Protocols (to Disable SSL 3.0) in Oracle Fusion Middleware Products (Doc ID 1936300.1)
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document