Restricting Anonymous or Weak Ciphers in SSL (HTTPS) for Oracle Fusion Middleware 10g/11g/12c
Last updated on OCTOBER 26, 2017
Applies to:Oracle HTTP Server - Version 10.1.2.0.2 to 10.1.3.5.0 [Release AS10gR2 to AS10gR3]
Oracle Fusion Middleware - Version 10.1.2.0.2 and later
Oracle HTTP Server - Version 22.214.171.124.0 and later
Web Cache - Version 10.1.2.0.2 to 10.1.2.3.0 [Release AS10gR2]
Web Cache - Version 126.96.36.199.0 and later
Information in this document applies to any platform.
A third-party security adviser may have run a scan against a given Oracle Application Server 10g or Oracle Fusion Middleware 11g/12c architecture, and advice like the following may have been issued:
"SSL Server Allows Anonymous Authentication Vulnerability"
"SSL Server Allows Weak Ciphers"
Restricting weak or anonymous ciphers is actually a configurable setting. A security check may not be checking for a vulnerability, but the possibility that weak or anonymous ciphers are used. Consult your scanning vendor for exact details. Ensure it is known what http server port is being checked, as this can be checking the Oracle HTTP Server or Oracle Web Cache, each with separate cipher configurations.
Oracle's First Recommendation
Oracle cannot comment on any third-party scanning report. Its contents should not be minimized, but its suggestions should be reviewed with the third-party vendor in order to provide an exact configuration suggestion or an action to report an reproducible exploit to Oracle Security. Oracle's strongest recommendation is to always apply the latest Critical Patch Update for your Oracle products. These will address all known, applicable and fixed vulnerabilities:
<Note 1074055.1> Security Vulnerability FAQ for Oracle Database and Fusion Middleware ProductsThe above document should be reviewed and patches applied before considering the contents of this document. The contents of this document provides cipher support for Oracle products and recommends using newer and stronger ciphers where possible and supported by your clients and applications. If a third-party vendor or security consultant recommends a specific cipher for your situation, you may configure these according to what is documented/supported for a given product.
To obtain the latest CPU for OHS and other required patches for compatibility, go to http://www.oracle.com/technetwork/topics/security/alerts-086861.html and obtain latest Security Advisory, then click the "Fusion Middleware" link within to find the latest cumulative Patch Availability Document. There are some patches which do update ciphers used for SSL.
--> Beginning with CPU October 2017, the following is part of CPU patching, referenced in patch readmes:
<Note 2314658.1> SSL Configuration Required to Secure Oracle HTTP Server After Applying Security Patch Updates
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms