SSL Handshake Fails After Changing WebLogic Server's SSL Implementation from Certicom to JSSE

(Doc ID 1960773.1)

Last updated on NOVEMBER 14, 2017

Applies to:

Oracle HTTP Server - Version 12.1.2.0.0 and later
Oracle WebLogic Server - Version 10.3.3 to 10.3.6
Oracle WebLogic Server - Version 12.1.1.0 and later
Information in this document applies to any platform.
This issue can also affect 11g OHS, because the root of the problem is the difference in how SSL is handled by the WLS Certicom and JSSE implementations.

Symptoms

SSL handshakes between Oracle HTTP Server (OHS) and WebLogic Server (WLS) are failing where they were previously working.

When OHS and WLS are tested independently, neither shows any SSL issue.

Requirements (the conditions under which the issue occurs):
Oracle HTTP Server is in front of WebLogic Server.
SSL is used end to end:
    -The client connects to OHS over SSL.
    -OHS connects to WLS over SSL.
The JSSE SSL implementation is in use in WLS.
WLS two-way SSL is set to "Client Certificates Requested But Not Enforced".
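The independent test in the Symptoms above is worth doing from the OHS host against the WLS SSL port, because that is the exact handshake that fails. The script below is an added example and is not part of the Oracle note: `ssl_probe` runs `openssl s_client` against a host and port (both assumptions you supply), and `summarize_handshake` reduces the output to the three facts that matter here: the negotiated protocol, the cipher, and whether the server sent a CertificateRequest, which is what "Client Certificates Requested But Not Enforced" makes WLS do. The embedded sample output is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the Oracle note: probe the WLS SSL listener the way
# OHS would, and summarise what the server offered. Host, port and the sample
# output are assumptions/constructed, not taken from the note.

# Live probe (needs openssl and network access). -servername sends SNI, and
# forcing a version with -tls1_2 makes a version-negotiation failure obvious.
ssl_probe() {
    host="$1"; port="$2"; ver="${3:-tls1_2}"
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" "-$ver" 2>&1
}

# Offline parser for s_client output read from stdin. openssl prints
# "Acceptable client certificate CA names" when the server sent a
# CertificateRequest and "No client certificate CA names sent" when it did not.
summarize_handshake() {
    awk '
        /^ *Protocol *:/ { sub(/^ *Protocol *: */, ""); proto = $0 }
        /^ *Cipher *:/   { sub(/^ *Cipher *: */, "");   cipher = $0 }
        /Acceptable client certificate CA names/ { certreq = "requested" }
        /No client certificate CA names sent/    { certreq = "not-requested" }
        END {
            if (proto == "")                      proto   = "none"
            if (cipher == "" || cipher == "0000") cipher  = "none"   # 0000 means the handshake failed
            if (certreq == "")                    certreq = "unknown"
            printf "proto=%s cipher=%s client-cert=%s\n", proto, cipher, certreq
        }'
}

# Constructed sample of what s_client prints against a JSSE-enabled WLS
# listener configured to request (but not enforce) client certificates.
SAMPLE_WLS_JSSE_OUTPUT='CONNECTED(00000003)
depth=0 CN = wls.example.com
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=wls.example.com
---
Acceptable client certificate CA names
/CN=Example OHS CA
---
SSL handshake has read 1402 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
---'

# Summarise the constructed sample. For a live check use:
#   ssl_probe wls.example.com 7002 | summarize_handshake
summarize_sample() {
    printf '%s\n' "$SAMPLE_WLS_JSSE_OUTPUT" | summarize_handshake
}

summarize_sample
```

If the live probe reports `client-cert=requested` against the WLS port, the handshake OHS sees includes a CertificateRequest; that is the condition listed in the requirements above, and the first thing to confirm before looking elsewhere.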

The OHS logs show the following error (12c log location: DOMAIN_HOME/servers/component_name/logs/):


Changes

The SSL implementation in WLS has been changed from Certicom to JSSE. After this change, the handshake between OHS and WLS no longer succeeds.

Some background on the SSL implementations for WLS:
    -Before 10.3.3 (11g), Certicom SSL was the only SSL implementation.
    -In 10.3.3 through 10.3.6 (11g), Certicom SSL is the default SSL implementation, with JSSE available by enabling a property switch.
    -In 12.1.1 and later (12c), JSSE is the default SSL implementation and Certicom has been removed.
    -TLS 1.1 and 1.2 are only supported with the combination of JDK 7 Update 1 (or later) and JSSE enabled.
    -With JSSE and JDK 7, higher security defaults are available (e.g. updated ciphers).
    -TLS 1.0 is supported on all releases using either the Certicom or the JSSE implementation.
    -WebLogic Server 10.3.6, 12.1.1 and later are certified with JDK 7.
Reference :  How to Change SSL Protocols (to Disable SSL 3.0) in Oracle Fusion Middleware Products (Doc ID 1936300.1)
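The version table above decides two things before any OHS-side work: whether the WLS release needs the JSSE property switch at all, and whether the JDK is recent enough for TLS 1.1/1.2. The script below is an added example, not part of the Oracle note: `jsse_java_options` returns the JVM flag for a WLS release (the switch is the documented WLS system property `weblogic.security.SSL.enableJSSE`), and `jdk_supports_tls12` checks a `java -version` style string against the JDK 7 Update 1 requirement. The version strings passed in are assumptions; the `setDomainEnv.sh` placement in the comment is the usual place but is not prescribed by the note.

```shell
#!/bin/sh
# Added example, not from the Oracle note: work out what a WLS/JDK pair needs
# to run JSSE, following the version table above. Inputs are assumptions.

# Print the extra JAVA_OPTIONS needed for JSSE on a given WLS release:
#   10.3.3 - 10.3.6 : JSSE is opt-in, enabled with the property switch
#   12.1.1 and up   : JSSE is already the default, nothing to add
#   below 10.3.3    : Certicom only, JSSE is not available (fail)
jsse_java_options() {
    wls="$1"
    major=$(printf '%s' "$wls" | cut -d. -f1)
    minor=$(printf '%s' "$wls" | cut -d. -f2)
    patch=$(printf '%s' "$wls" | cut -d. -f3)
    if [ "$major" -ge 12 ]; then
        printf ''
    elif [ "$major" -eq 10 ] && [ "$minor" -eq 3 ] && [ "${patch:-0}" -ge 3 ]; then
        printf '%s' '-Dweblogic.security.SSL.enableJSSE=true'
    else
        echo "WLS $wls: Certicom only, JSSE not available" >&2
        return 1
    fi
}

# TLS 1.1/1.2 additionally need JDK 7 Update 1 or later. Accepts the 1.x
# scheme used by JDK 6/7/8 ("1.7.0_45"); an update-less "1.7.0" is too old.
jdk_supports_tls12() {
    jv="$1"
    feat=$(printf '%s' "$jv" | cut -d. -f2)      # "7" from 1.7.0_45
    upd=$(printf '%s' "$jv" | sed 's/.*_//')     # "45" from 1.7.0_45
    case "$jv" in *_*) ;; *) upd=0 ;; esac       # no update number present
    [ "$feat" -gt 7 ] || { [ "$feat" -eq 7 ] && [ "$upd" -ge 1 ]; }
}

# Typical use in setDomainEnv.sh (assumed location) for WLS 10.3.6 on JDK 7u1+:
#   JAVA_OPTIONS="${JAVA_OPTIONS} $(jsse_java_options 10.3.6)"
jsse_java_options 10.3.6; echo
jdk_supports_tls12 1.7.0_45 && echo "JDK ok for TLS 1.1/1.2"
```

Note that on 12.1.1 and later the function returns nothing on purpose: adding the switch there is harmless but misleading, since Certicom is no longer present to switch away from.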

Cause
