
SSL Configuration Required to Secure Oracle HTTP Server After Applying Security Patch Updates (Doc ID 2314658.1)

Last updated on SEPTEMBER 20, 2019

Applies to:

Oracle HTTP Server - Version 11.1.1.7.0 and later
Information in this document applies to any platform.

Details

Overview

This document was first published for the October 2017 Critical Patch Update (CPU) and is maintained to align with the patches released under the CPU program:

https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Refer to the above link to obtain the latest Advisory, and then the Fusion Middleware Patch Availability Document to find the latest patches.

For any version not listed, see the Security Advisory for Supported Versions.

Actions

Ensure you have applied the CPU patches for Oracle HTTP Server (OHS) and Oracle Security Service (OSS). The configuration changes in this document complement those patches; they are not a substitute for them, and the patches must be applied in addition to the suggested configuration.


Follow the below advice for your Oracle HTTP Server version:

OHS 12.2.1.3

Patches are not required for the 3DES and RC4 issues: the security fixes for these CVEs are already included. Cipher suites that use Rivest Cipher 4 (RC4) and Triple Data Encryption Standard (3DES) are deprecated beginning with Oracle HTTP Server version 12.2.1.3, and all new instances are created with the updated configuration in place by default.

Oracle Fusion Middleware Administering Oracle HTTP Server 12c (12.2.1.3)
G.3.3 SSLCipherSuite
https://docs.oracle.com/middleware/12213/webtier/administer-ohs/GUID-C76BCA2A-9C28-4D16-9758-9346FBCF7512.htm#HSADM1016


Beginning with the July 2019 CPU, the issues with ciphers using Cipher Block Chaining (CBC) mode are fixed by the OSS Bundle Patch. Oracle does not require that CBC ciphers be removed.

Beginning with the July 2019 CPU, SSL certificates signed with the MD5 algorithm will no longer be accepted once the OSS Bundle Patch is applied. See the following documentation:

Upgrading Oracle HTTP Server to 12c (12.2.1.3.0)
https://docs.oracle.com/en/middleware/lifecycle/12.2.1.3/ohsup/replacing-md5-certificate-sha-2-ssl-certificate.html#GUID-6C37A00C-A306-4793-9EC2-78BF9F8C9018
A.1 How to Check whether Certificate Signed with MD5 Algorithm is Present in the Wallet?
A.2 Removing Certificate Signed with MD5 Algorithm from the Wallet
A.3 Adding Certificate Signed with SHA-2 Algorithm to the Wallet
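The check in A.1 above is done with orapki against the wallet. The following is an added example, not code from this note or from Oracle's documentation, that shows what that check actually looks at: the outer signatureAlgorithm OID of each certificate. It parses PEM or DER certificates exported from the wallet using only the Python standard library, so it runs offline. The OID table, the function names and the two sample certificates (stand-ins with a dummy tbsCertificate and signature, built inline) are this example's own assumptions.

```python
"""Report certificates whose signatureAlgorithm is MD5-based.

Added example for this note; not Oracle's orapki procedure from the linked
upgrade guide. It walks the DER structure of a certificate with the standard
library only, so it runs offline against certificates exported from a wallet
(PEM or DER). The two sample certificates are constructed stand-ins with a
dummy tbsCertificate and signature, not real certificates.
"""
import base64
import re

# Signature-algorithm OIDs (assumed table). Any OID in MD5_SIGNATURE_OIDS fails the check.
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
KNOWN_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    **MD5_SIGNATURE_OIDS,
}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm of an X.509 certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)      # its first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def load_certificates(data):
    """Return DER blobs from a PEM bundle (one or more certificates) or a raw DER file."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        blocks = re.findall(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
        return [base64.b64decode(b"".join(b.split())) for b in blocks]
    return [data]


def check_certificate(cert_der):
    """Describe the signature algorithm and whether it is MD5-based."""
    oid = signature_algorithm(cert_der)
    return {"oid": oid, "algorithm": KNOWN_SIGNATURE_OIDS.get(oid, "unknown"),
            "md5": oid in MD5_SIGNATURE_OIDS}


def md5_signed(data):
    """Indexes of MD5-signed certificates in a PEM bundle or DER file."""
    return [i for i, der in enumerate(load_certificates(data)) if check_certificate(der)["md5"]]


# --- constructed samples (dummy tbsCertificate and signature; not real certificates) ---
def _der(tag, content):
    return bytes([tag, len(content)]) + content  # short-form length is enough here


def _stand_in_certificate(oid_content):
    tbs = _der(0x30, _der(0x02, b"\x01"))                    # stands in for tbsCertificate
    alg = _der(0x30, _der(0x06, oid_content) + b"\x05\x00")  # OID + NULL parameters
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 5))   # + dummy BIT STRING


MD5_SAMPLE_DER = _stand_in_certificate(bytes.fromhex("2a864886f70d010104"))  # 1.2.840.113549.1.1.4
SHA256_SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                     + base64.encodebytes(_stand_in_certificate(bytes.fromhex("2a864886f70d01010b")))
                     + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for i, der in enumerate(load_certificates(fh.read())):
                print(path, i, check_certificate(der))
    print("samples:", check_certificate(MD5_SAMPLE_DER), md5_signed(SHA256_SAMPLE_PEM))
```

Run it with the PEM or DER files exported from the wallet as arguments; for a one-off manual check, `openssl x509 -noout -text -in cert.pem` prints the same field as "Signature Algorithm". The script reads the outer signatureAlgorithm deliberately: that is the field that determines whether the signature on the certificate is MD5-based, and it is the one the July 2019 OSS Bundle Patch rejects.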

You may also want to move your SSL certificates to the newer ECC standard; see <Note:2110254.1> How to Configure Oracle HTTP Server to Use ECC Certificates and ECDHE_ECDSA CipherSuite


OHS 12.2.1.2

Note: Error correction support for OHS 12.2.1.2 expired in AUG 2018, as per <Note:1933372.1>. Security issues reported after that date will not be addressed for this release.

The following ciphers are deprecated in this release:

TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA

After applying patches from CPU October 2017 (or newer), all new instances created will have the updated configuration in place by default. Currently configured instances will require an update from the administrator.

Your .conf files contain a directive called SSLCipherSuite (at minimum in ssl.conf, but possibly in other files depending on your configuration). This directive uses a cipher specification string to identify the cipher suites the server offers. If it contains ciphers that are deprecated in this release, remove them from the cipher specification string.

Examples:

Disable all older RC4 and 3DES cipher suites:

SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:!RC4:!3DES


Alternatively, enable only the valid ciphers for this release:

SSLCipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA


Reference:
Oracle Fusion Middleware Administering Oracle HTTP Server 12c (12.2.1.2)
G.3.3 SSLCipherSuite
https://docs.oracle.com/middleware/12212/webtier/administer-ohs/directives.htm#HSADM1016

Note: You may also want to move your SSL certificates to the newer ECC standard; see <Note:2110254.1> How to Configure Oracle HTTP Server to Use ECC Certificates and ECDHE_ECDSA CipherSuite

OHS 12.2.1.1

Note: Error correction support for OHS 12.2.1.1 expired in OCT 2017, as per <Note:1933372.1>. Security issues reported after that date will not be addressed for this release.

The following ciphers are deprecated in this release:

TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA

After applying patches from CPU October 2017 (or newer), all new instances created will have the updated configuration in place by default. Currently configured instances will require an update from the administrator.

Your .conf files contain a directive called SSLCipherSuite (at minimum in ssl.conf, but possibly in other files depending on your configuration). This directive uses a cipher specification string to identify the cipher suites the server offers. If it contains ciphers that are deprecated in this release, remove them from the cipher specification string.

Examples:

Disable all older RC4 and 3DES cipher suites:

SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:!RC4:!3DES

Alternatively, enable only the valid ciphers for this release:

SSLCipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA

  
Reference:
Oracle Fusion Middleware Administering Oracle HTTP Server 12c (12.2.1.1)
G.3.3 SSLCipherSuite
https://docs.oracle.com/middleware/12211/webtier/administer-ohs/directives.htm#HSADM1016

Note: You may also want to move your SSL certificates to the newer ECC standard; see <Note:2110254.1> How to Configure Oracle HTTP Server to Use ECC Certificates and ECDHE_ECDSA CipherSuite

OHS 12.1.3.0

Note: Premier Support for OHS 12.1.3 expires DEC 2018. See <Note:1933372.1> for more details.

The following ciphers are deprecated in this release:

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
ECDHE_RSA_WITH_RC4_128_SHA
ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

After applying patches from CPU October 2017 (or newer), all new instances created will have the updated configuration in place by default. Currently configured instances will require an update from the administrator.

Your .conf files contain a directive called SSLCipherSuite (at minimum in ssl.conf, but possibly in other files depending on your configuration). This directive uses a cipher specification string to identify the cipher suites the server offers. If it contains ciphers that are deprecated in this release, remove them from the cipher specification string.

Examples:

Disable all older RC4 and 3DES cipher suites:

SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:!RC4:!3DES

  
Alternatively, enable only the valid ciphers for this release:

SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

 

A more restrictive option that offers only the AEAD (GCM) suites:

SSLCipherSuite RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Note: This restricts the available ciphers; ensure it is compatible with the clients and servers connecting to OHS. Only 2 of the 4 suites above will be available, depending on whether you have an RSA or an ECC certificate. See also <Note 2573251.1> Critical Patch Update July 2019 Mitigation Steps for OHS/OSS 12.1.3 Patches



Reference:
Oracle Fusion Middleware Administering Oracle HTTP Server 12c (12.1.3)
mod_ossl
https://docs.oracle.com/middleware/1213/webtier/administer-ohs/directives.htm#HSADM1013


OHS 11.1.1.9

Note: Premier Support for OHS 11.1.1.9 expired in DEC 2018. See <Note:1290894.1> for more details. An Extended Support license is expected to be required after this date.

Remove the ciphers that are deprecated in this release. The following ciphers, which use Rivest Cipher 4 (RC4) and Triple Data Encryption Standard (3DES), are deprecated:

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA

After applying patches from CPU October 2017 (or newer), all new instances created will have the updated configuration in place by default. Currently configured instances will require an update from the administrator.


To address the CVEs for these insecure ciphers, edit the directive called SSLCipherSuite in your .conf files (at minimum in ssl.conf and admin.conf, but possibly in other files depending on your configuration). This directive uses a cipher specification string to identify the cipher suites the server offers. If it contains ciphers that are deprecated in this release, remove them from the cipher specification string.

Examples:

Disable all older RC4 and 3DES cipher suites:

SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:!RC4:!3DES

  
Alternatively, enable only the valid ciphers for this release:

SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384


Reference:
Fusion Middleware Administrator's Guide for Oracle HTTP Server
mod_ossl
https://docs.oracle.com/middleware/11119/webtier/administer-ohs/directives.htm#CIHIAIDB




OHS 11.1.1.7

Note: Error correction support for OHS 11.1.1.7 expires DEC 2018, as per <Note:1290894.1>. Security issues reported after that date will not be addressed for this release.


In addition to patches, remove protocols and ciphers that are deprecated in this release by following these steps:


1. Disable SSLv2 and SSLv3 from your configuration.

A. SSLProtocol - CVE-2014-3566 (POODLE)
This directive specifies SSL protocol(s) for mod_ossl to use when establishing the server environment. This directive may be present in multiple configuration files. It is present in ORACLE_INSTANCE/config/OHS/<OHS name>/ssl.conf, ORACLE_INSTANCE/config/OHS/<OHS name>/admin.conf and any other custom files that you may have added.

Change this directive to disable SSLv2, SSLv3 protocols in any of the following ways:

To allow only TLSv1, the one TLS protocol supported in this version:

SSLProtocol -All +TLSv1

or
To allow newer TLS versions to be picked up without a configuration change if the server is later upgraded:

SSLProtocol All -SSLv2 -SSLv3

or
Use the value that Enterprise Manager Fusion Middleware Control configures:

SSLProtocol nzos_Version_1_0

  

B. SSLProxyProtocol
Your .conf files may have a directive called SSLProxyProtocol that specifies SSL protocol(s) for mod_ossl to use when establishing a proxy connection in the server environment. This directive may be present in multiple configuration files including any custom files that you may have added. This directive must also be configured to disable SSLv2, SSLv3 protocols in a manner similar to what is described for SSLProtocol.

2. Remove ciphers that are deprecated in this release.

SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
The following anonymous Diffie-Hellman (DH_anon) ciphers are also deprecated in this release:
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

As are the following RC4 and 3DES ciphers:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA

After applying patches from CPU October 2017 (or newer), all new instances created will have the updated configuration in place by default. Currently configured instances will require an update from the administrator.

Your .conf files contain a directive called SSLCipherSuite (at minimum in ssl.conf, but possibly in other files depending on your configuration). This directive uses a cipher specification string to identify the cipher suites the server offers. If it contains ciphers that are deprecated in this release, remove them from the cipher specification string.

Examples:

Disable the low-strength cipher suites, those that use anonymous authentication (aNULL) and those that provide no encryption (eNULL), in addition to RC4 and 3DES:

SSLCipherSuite HIGH:MEDIUM:!LOW:!NULL:!aNULL:!eNULL:+SHA1:+MD5:+HIGH:+MEDIUM:!RC4:!3DES

Alternatively, enable only the valid ciphers for this release:

SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA

Reference:
Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server 11g Release 1 (11.1.1.7)
E.4.4 SSLCipherSuite
https://docs.oracle.com/cd/E28280_01/web.1111/e10144/directives.htm#CIHGAFGD
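The SSLCipherSuite guidance in each version section above, and the SSLProtocol/SSLProxyProtocol step for 11.1.1.7, can be checked mechanically before and after the edit. The following is an added example, not Oracle code or a supported Oracle tool, that audits mod_ossl configuration text for SSLv2/SSLv3 left enabled and for deprecated suites in either SSLCipherSuite form used in this note (an OpenSSL-style ':' specification string, or a ','-separated list of suite names). The set of names that "All" expands to, the substrings used to recognise deprecated suites, and the sample ssl.conf are assumptions of this example.

```python
"""Audit OHS mod_ossl configuration for the protocol and cipher settings this
note says to change.

Added example for this note, not Oracle code or tooling. It handles the
SSLProtocol/SSLProxyProtocol '+'/'-' keyword syntax and both SSLCipherSuite
forms used in the note: an OpenSSL-style ':' specification string and a
','-separated list of suite names. The sample ssl.conf is constructed.
"""
import re

# Assumption: the names "All" expands to. Only SSLv2/SSLv3 membership matters here.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}
# Substrings that identify every suite the note lists as deprecated
# (RC4, 3DES, single DES, export-grade, anonymous DH). Assumed markers.
DEPRECATED_SUITE_MARKERS = ("RC4", "3DES", "_DES_", "DES40", "EXPORT", "anon")

DIRECTIVE_RE = re.compile(
    r"^\s*(SSLProtocol|SSLProxyProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(value):
    """Resolve a protocol list such as 'All -SSLv2 -SSLv3' or '-All +TLSv1'
    into the set of enabled protocol names. Tokens apply left to right; an
    unprefixed token (for example nzos_Version_1_0) is treated as enabled."""
    enabled = set()
    for token in value.strip('"').split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def cipher_findings(value):
    """Return a list of problems with an SSLCipherSuite value, empty if clean."""
    value = value.strip('"')
    if "_WITH_" in value:
        # Explicit suite list: flag each deprecated suite by name.
        suites = [s.strip() for s in value.split(",") if s.strip()]
        return [s for s in suites if any(m in s for m in DEPRECATED_SUITE_MARKERS)]
    # Specification string: '!' removes a keyword for good, so check those only.
    # (What HIGH/MEDIUM expand to is decided by mod_ossl, so this is a
    #  keyword-level check, not a full resolution of the string.)
    killed = {t[1:] for t in value.split(":") if t.startswith("!")}
    findings = []
    if "RC4" not in killed:
        findings.append("RC4 not excluded (add !RC4)")
    if "3DES" not in killed:
        findings.append("3DES not excluded (add !3DES)")
    if not killed & {"aNULL", "ADH"}:
        findings.append("anonymous suites not excluded (add !aNULL or !ADH)")
    return findings


def audit(conf_text, path="ssl.conf"):
    """Scan one configuration file's text; return 'path:line: message' findings."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, value = m.group(1), m.group(2)
        if directive.lower().endswith("protocol"):
            bad = effective_protocols(value) & BANNED_PROTOCOLS
            if bad:
                findings.append(f"{path}:{lineno}: {directive} enables {sorted(bad)}")
        else:
            for problem in cipher_findings(value):
                findings.append(f"{path}:{lineno}: SSLCipherSuite {problem}")
    return findings


# Constructed sample resembling a pre-October-2017 OHS 11.1.1.7 ssl.conf (not a real file).
SAMPLE_CONF = """\
<VirtualHost *:4443>
    SSLEngine on
    SSLProtocol All
    SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA
    SSLProxyProtocol -All +TLSv1
</VirtualHost>
"""

if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for p in sys.argv[1:]:
            with open(p, encoding="utf-8", errors="replace") as fh:
                print("\n".join(audit(fh.read(), p)) or f"{p}: no findings")
    else:
        print("\n".join(audit(SAMPLE_CONF)))
```

Run it against every file that carries these directives (ssl.conf, admin.conf and any custom files), since the note points out that the directives may appear in more than one place. The specification-string check is keyword-level only: it confirms that !RC4, !3DES and !aNULL or !ADH are present but does not resolve what HIGH or MEDIUM expand to in mod_ossl, so an explicit suite list is what it judges precisely. Confirm the live result after restarting OHS, for example with `openssl s_client -connect host:port -cipher RC4`, which should fail to negotiate.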

 

 
