IPlanet And WebLogic Are Not Communicating While Disabling SSLv3 (enabling TLS) (Doc ID 2004083.1)

Last updated on NOVEMBER 05, 2016

Applies to:

Oracle WebLogic Server - Version 10.3.5 and later
Oracle iPlanet Web Server - Version 7.0 to 7.0 [Release 7.0]
Java SE JDK and JRE - Version 6 to 6 [Release 6]
Oracle Solaris on SPARC (64-bit)

Symptoms

You are trying to configure the Proxy Plugin in iPlanet and want this plugin to use only the TLS protocol. You have not been able to make it work and see different kinds of errors: first, errors about certificates missing from the wallet and, once that seems fixed, errors about ciphers (client and server do not have one common cipher to work with).

After enabling the following command-line options, -Djavax.net.debug=all -Dweblogic.debug.DebugSecurity=true -Dweblogic.debug.DebugSecuritySSL=true, we were able to see the following list of cipher suites as part of the client hello:

<Debug> <SecuritySSL> <BEA-000000> <[Thread[ExecuteThread: '3' for queue: 'weblogic.socket.Muxer',5,Thread Group for Queue: 'weblogic.socket.Muxer']]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer[]) called: result=Status = OK HandshakeStatus = NEED_TASK
bytesConsumed = 56 bytesProduced = 0.>
*** ClientHello, TLSv1
RandomCookie:  GMT: XXXXXXXXXX bytes = { X, XXX, XXX, XXX, XXX, XXX, XX, XX, XX, XXX, XXX, XX, XX, XXX, XX, XXX, XX, XX, XXX, X, XX, XXX, XXX, XX, XX, XX, XX, X }
Session ID:  {}
Cipher Suites: [SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common

 
On the client side, we were able to confirm the cipher suites being used by the proxy plugin:

                         [nzospLog] [SSL WRITE] length = 51
                         [nzospLog]  --- Decoded Record [subtype = 3] ---
 ClientHello[47]
   client_version
     TLSV1
   random[32]
     55 1C 45 6F 0F 9D AD 8B  7D CB DE 10 74 CC E8 87
     89 0D 02 02 F6 3F D9 EF  C9 61 89 70 FD 22 B7 27
   session_id[0]
   cipher_suites[8]
     TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
     TLS_DH_anon_WITH_RC4_128_MD5
     TLS_DH_anon_WITH_DES_CBC_SHA
     TLS_RENEGO_PROTECTION_REQUEST
   compression_methods[1]
     00

                         [nzospWrite] [Raw write] length = 56
                         [nzospRead] [Raw read] length = 0
                         [nzospRead]  <read error -6993>
                         [nzos_Handshake] exit
                         [nzos_Handshake] entry
                         [nzospRead] [Raw read] length = 0
                         [nzospRead]  <read error -6993>
                         [nzos_Handshake] exit
                         [nzos_Handshake] entry
                         [nzospRead] [Raw read] length = 0
                         [nzospRead]  <read error -6993>
                         [nzos_Handshake] exit
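
A triage aid for the two traces above, added here as an example and not part of the original note or of any Oracle tooling: it extracts the offered cipher suites from the WebLogic javax.net.debug ClientHello and from the plugin's nzos trace, normalizes the SSL_ prefix that JSSE prints, and tags each suite. The function names, the abridged sample traces, and the treatment of TLS_RENEGO_PROTECTION_REQUEST as the RFC 5746 signalling value are assumptions.

```python
import re

# Constructed sample inputs, abridged from the two traces shown above.
JSSE_TRACE = """*** ClientHello, TLSv1
Cipher Suites: [SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***"""
NZOS_TRACE = """   session_id[0]
   cipher_suites[8]
     TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
     TLS_DH_anon_WITH_RC4_128_MD5
     TLS_DH_anon_WITH_DES_CBC_SHA
     TLS_RENEGO_PROTECTION_REQUEST
   compression_methods[1]
     00"""

# Signalling values (RFC 5746), not real cipher suites. Treating the plugin's
# TLS_RENEGO_PROTECTION_REQUEST as the same value is an assumption.
SCSV = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_RENEGO_PROTECTION_REQUEST"}
WEAK = (("anonymous", "_anon_"), ("rc4", "_RC4_"),
        ("single-des", "_DES_CBC_"), ("md5", "_MD5"))

def normalize(name):
    """JSSE prints legacy suites with an SSL_ prefix; compare on TLS_ names."""
    name = name.strip()
    return "TLS_" + name[4:] if name.startswith("SSL_") else name

def jsse_suites(trace):
    """Suites from the 'Cipher Suites: [...]' line of javax.net.debug output."""
    m = re.search(r"^Cipher Suites:\s*\[(.*?)\]", trace, re.M)
    return [normalize(s) for s in m.group(1).split(",")] if m else []

def nzos_suites(trace):
    """Suites from the indented lines under 'cipher_suites[n]' in the plugin trace."""
    suites, inside = [], False
    for line in trace.splitlines():
        token = line.strip()
        if token.startswith("cipher_suites["):
            inside = True
        elif inside and re.fullmatch(r"(TLS|SSL)_\w+", token):
            suites.append(normalize(token))
        elif inside:
            break  # first non-suite line ends the list
    return suites

def classify(suites):
    """Map each real suite to its weakness tags; signalling values are skipped."""
    return {s: [t for t, pat in WEAK if pat in s] for s in suites if s not in SCSV}

def all_anonymous(suites):
    """True when every real suite offered provides no server authentication."""
    report = classify(suites)
    return bool(report) and all("anonymous" in tags for tags in report.values())
```

Run against the traces in this note, both sides report the same three suites, and every one of them is anonymous Diffie-Hellman.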

 

Changes

The proxy plugin was recently upgraded to 11.1.1.7 from 1.0, after the SSL protocol was restricted on the WLS side using -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.protocolVersion=TLS1.

Cause
