
SSLv2 And SSLv3 Vulnerabilities Are Observed Even After Disabling SSLv2 And SSLv3. (Doc ID 2262686.1)

Last updated on JULY 21, 2023

Applies to:

Oracle API Gateway - Version 11.1.2.4.0 and later
Information in this document applies to any platform.

Goal

On the Oracle API Gateway 11.1.2.4.0 base version, SSLv2 and SSLv3 were disabled using the following steps:

Listeners -> Ports -> https interface -> Advanced (SSL) tab

The following check boxes were selected:

Do not use the SSLv2 protocol
Do not use the SSLv3 protocol

Even after these changes, testing still reports the following vulnerabilities:

1. DROWN attack (SSLv2 supported)
2. SSL 2.0 deprecated protocol
3. POODLE attack (SSLv3 supported)

Are there any other configuration changes necessary for the Gateway to disable SSLv2 and SSLv3?
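To confirm what a flagged HTTPS listener actually negotiates after the check boxes are set, the two handshakes can be attempted directly against that port. The following Python check is an added example, not part of Oracle's document or product; the function names and the host/port arguments are assumptions, and raw sockets are used because current TLS libraries usually cannot offer SSLv2 or SSLv3.

```python
import os
import socket
import struct
import sys

def sslv2_client_hello():
    # SSLv2 CLIENT-HELLO: type 0x01, version 0x0002, three legacy cipher kinds.
    specs = bytes.fromhex("0100800300800700c0")
    body = (b"\x01\x00\x02" + struct.pack(">HHH", len(specs), 0, 16)
            + specs + os.urandom(16))
    return struct.pack(">H", 0x8000 | len(body)) + body

def sslv3_client_hello():
    # SSLv3 (0x0300) ClientHello, no extensions, four RSA suites.
    suites = bytes.fromhex("000a002f00350005")
    body = (b"\x03\x00" + os.urandom(32) + b"\x00"
            + struct.pack(">H", len(suites)) + suites + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack(">H", len(hs)) + hs

def classify(proto, data):
    """'accepted' only if the reply starts with a ServerHello for proto."""
    if proto == "SSLv3":
        # TLS-style record: handshake (0x16), version 3.0, ServerHello (0x02)
        ok = (len(data) >= 6 and data[0] == 0x16
              and data[1:3] == b"\x03\x00" and data[5] == 0x02)
    else:
        # SSLv2 record: high bit set in header, message type SERVER-HELLO (0x04)
        ok = len(data) >= 3 and bool(data[0] & 0x80) and data[2] == 0x04
    return "accepted" if ok else "rejected"

def probe(host, port, timeout=5.0):
    # One fresh TCP connection per protocol version (host/port are assumptions).
    results = {}
    for proto, hello in (("SSLv2", sslv2_client_hello()),
                         ("SSLv3", sslv3_client_hello())):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(hello)
                results[proto] = classify(proto, s.recv(16))
        except OSError:
            results[proto] = "no reply"  # reset or timeout, no handshake seen
    return results

if __name__ == "__main__" and len(sys.argv) == 3:
    for proto, verdict in probe(sys.argv[1], int(sys.argv[2])).items():
        print(f"{proto}: {verdict}")
```

Run it against each HTTPS port the scanner flagged; an "accepted" result means that listener still completes the first step of the deprecated handshake despite the setting.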
 

Solution
