My Oracle Support Banner

Proactively Updating SSL Protocols, Ciphers, and Certificates for Oracle Fusion Middleware - WLS/OHS/WebCache (Doc ID 2131521.1)

Last updated on FEBRUARY 08, 2024

Applies to:

Web Cache - Version 11.1.1.2.0 and later
Oracle WebLogic Server - Version 10.3.2 and later
Oracle Fusion Middleware - Version 11.1.1.2.0 and later
Oracle HTTP Server - Version 11.1.1.2.0 and later
Information in this document applies to any platform.

Goal

Overview

This document outlines the steps to take when a security scan detects an older SSL configuration is in place or if you are proactively updating your configuration for SSL protocols, ciphers or certificates.

Vulnerability FAQ and Security Scan Reports

In general, Oracle cannot comment, validate, or act on a third-party security scan reporting a vulnerability issue on your installed Oracle Fusion Middleware products.
It is important to review "3. Scan Reports" section from "Note 1074055.1 Security Vulnerability FAQ for Oracle Database and Fusion Middleware Product".

Verify with the scan vendor, but some reports are actually looking for a newer SSL configuration, generically reporting like the following:

SSL/TLS Server Factoring RSA Export Keys
SSL/TLS use of weak RC4 cipher
SSL Server Supports Weak Encryption Vulnerability
SSL/TLS server supports key exchanges that are cryptographically weaker than recommended

Solution

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Goal
 Overview
 Vulnerability FAQ and Security Scan Reports
Solution
 1. Ensure you are on a supported version to apply latest Critical Patch Update
 2. Find SSL protocol, cipher and certificate information for your product
 3. Interpret any security scan report one line item at a time
 Steps to follow for Oracle WebLogic Server
 Steps to follow for Oracle HTTP Server
 Steps to follow for Oracle Web Cache
References

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.