Undesired RC4 Ciphers Are Continually Used with WebLogic Server SSL Connections
Last updated on DECEMBER 11, 2017
Applies to:Oracle WebLogic Server - Version 10.3.6 and later
Oracle Fusion Middleware - Version 188.8.131.52.0 and later
Information in this document applies to any platform.
- When accessing an application with SSL, the link does not work and will not load in the browser. The following errors may be seen depending on your browser vendor (Chrome, Fire Fox, Internet Explorer):
- Some client browsers may report the use of RC4 ciphers and some security scans may be detecting RC4 ciphers.
- When using nmap utility, it can be seen that RC4 ciphers are available. See <Note 2241442.1> Using NMAP Tool to Test Available SSL Ciphers
- When examining the Weblogic AdminServer.log with SSL debug enabled, the following can be observed:
<Mar 16, 2016 11:51:38 AM EDT> <Debug> <SecuritySSL> <BEA-000000> <SSL_RSA_WITH_RC4_128_SHA>
<Mar 16, 2016 11:51:38 AM EDT> <Debug> <SecuritySSL> <BEA-000000> <TLS_RSA_WITH_RC4_128_SHA>
<Mar 16, 2016 11:51:38 AM EDT> <Debug> <SecuritySSL> <BEA-000000> <SSL_RSA_WITH_RC4_128_MD5>
<Mar 16, 2016 11:51:38 AM EDT> <Debug> <SecuritySSL> <BEA-000000> <TLS_RSA_WITH_RC4_128_MD5>
Have updated the DOMAIN_HOME/config/config.xml and JAVA_HOME/jre/lib/security/java.security files with no success.
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms