
Restricting Anonymous or Weak Ciphers in SSL (HTTPS) for Oracle Fusion Middleware 10g/11g/12c (Doc ID 453079.1)

Last updated on APRIL 04, 2019

Applies to:

Oracle HTTP Server - Version 10.1.2.0.2 to 10.1.3.5.0 [Release AS10gR2 to AS10gR3]
Oracle Fusion Middleware - Version 10.1.2.0.2 and later
Oracle HTTP Server - Version 11.1.1.2.0 and later
Web Cache - Version 10.1.2.0.2 to 10.1.2.3.0 [Release AS10gR2]
Web Cache - Version 11.1.1.2.0 and later
Information in this document applies to any platform.

Goal

A third-party security adviser may have run a scan against a given Oracle Application Server 10g or Oracle Fusion Middleware 11g/12c architecture, and advice like the following may have been issued:

 "SSL Server Allows Anonymous Authentication Vulnerability"
   or
"SSL Server Allows Weak Ciphers"

Restricting weak or anonymous ciphers is a configurable setting rather than a product defect. A scanner finding of this kind may not indicate an exploitable vulnerability, only that the server is willing to negotiate a weak or anonymous cipher. Consult your scanning vendor for the exact check performed. Also confirm which HTTP server port was scanned: the port may belong to Oracle HTTP Server or to Oracle Web Cache, and each has its own, separate cipher configuration.
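Because the finding depends on which listener was scanned and which cipher classes it accepts, it helps to reproduce the check yourself against each port before changing configuration. The following POSIX shell script is an added example, not part of this note and not Oracle-supplied tooling: it uses `openssl s_client` with the OpenSSL cipher-class aliases `aNULL` (anonymous key exchange) and `LOW:EXPORT:eNULL` (weak or null encryption) and classifies the handshake result. The host name, the port list (443 for OHS, 4443 for Web Cache) and the `SSL_PROBE_HOST` variable are placeholders and assumptions; substitute the ports your scanner actually reported.

```shell
#!/bin/sh
# Added example: verify whether an SSL/TLS listener accepts anonymous or weak
# ciphers. Assumes the openssl command-line tool is on PATH. Host and ports
# below are constructed placeholders, not values from the Oracle note.

# classify_s_client_output: read openssl s_client output on stdin and print
# ACCEPTED when a cipher was negotiated, REJECTED when the handshake failed,
# UNKNOWN when the output carries neither marker (e.g. connection refused).
# Both old (0.9.x) and current OpenSSL print "New, <proto>, Cipher is <name>"
# on success and "New, (NONE), Cipher is (NONE)" on failure.
classify_s_client_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'Cipher is \(NONE\)'; then
        echo REJECTED
    elif printf '%s\n' "$out" | grep -Eq 'Cipher is [A-Z0-9]'; then
        echo ACCEPTED
    else
        echo UNKNOWN
    fi
}

# probe_cipher_class HOST PORT CIPHERLIST: offer only the given OpenSSL cipher
# list to the server and classify the outcome. With OpenSSL 1.1.1 or newer,
# TLS 1.3 suites are not governed by -cipher, so add -no_tls1_3 there to make
# sure the result reflects the legacy cipher list alone (assumption: the
# installed openssl supports that flag; older builds will not).
probe_cipher_class() {
    host=$1; port=$2; ciphers=$3
    openssl s_client -connect "$host:$port" -cipher "$ciphers" \
        </dev/null 2>/dev/null | classify_s_client_output
}

# main: walk each listener the scanner may have examined (OHS and Web Cache
# use separate ports and separate cipher configuration) and report which
# cipher classes each one still accepts.
main() {
    host=${SSL_PROBE_HOST}
    # Constructed placeholder ports: 443 = Oracle HTTP Server, 4443 = Web Cache.
    for port in 443 4443; do
        anon=$(probe_cipher_class "$host" "$port" 'aNULL')
        weak=$(probe_cipher_class "$host" "$port" 'LOW:EXPORT:eNULL')
        printf '%s:%s anonymous=%s weak=%s\n' "$host" "$port" "$anon" "$weak"
    done
}

# Only contact the network when a target host was supplied, e.g.
#   SSL_PROBE_HOST=ohs.example.internal sh probe_ciphers.sh
if [ -n "${SSL_PROBE_HOST:-}" ]; then
    main
fi
```

A line reporting `anonymous=ACCEPTED` or `weak=ACCEPTED` for a port reproduces the scanner's finding for that specific listener, which tells you whether the Oracle HTTP Server or the Web Cache cipher configuration is the one to adjust; `REJECTED` on both after the change confirms the fix on the same port the scanner used.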


Oracle's First Recommendation

Oracle cannot comment on any third-party scanning report. Its contents should not be minimized, but its suggestions should be reviewed with the third-party vendor in order to obtain an exact configuration suggestion or to report a reproducible exploit to Oracle Security. Oracle's strongest recommendation is to always apply the latest Critical Patch Update for your Oracle products. These address all known, applicable and fixed vulnerabilities:
<Note 1074055.1> Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products
The above document should be reviewed and patches applied before considering the contents of this document. This document describes the cipher support in Oracle products and recommends using newer and stronger ciphers where possible and where supported by your clients and applications. If a third-party vendor or security consultant recommends a specific cipher for your situation, you may configure it according to what is documented and supported for the given product.

To obtain the latest CPU for OHS and other required patches for compatibility, go to http://www.oracle.com/technetwork/topics/security/alerts-086861.html and obtain latest Security Advisory, then click the "Fusion Middleware" link within to find the latest cumulative Patch Availability Document. There are some patches which do update ciphers used for SSL.

Beginning with CPU October 2017, the following note is part of CPU patching and is referenced in the patch readmes:
<Note 2314658.1> SSL Configuration Required to Secure Oracle HTTP Server After Applying Security Patch Updates



Solution



In this Document
Goal
Solution
 Oracle WebLogic Server (10.3.1+)
 Oracle Fusion Middleware 11g OPMN/ONS
 JDK Cipher Updates Impacting Oracle Fusion Middleware 11g
 Restricting Anonymous or Weak Ciphers When Using Oracle HTTP Server
 Oracle HTTP Server 12c
 Oracle HTTP Server 11g
 Oracle HTTP Server 10g
 Restricting Anonymous or Weak Ciphers When Using Oracle Web Cache
 Oracle Web Cache 11g
 Oracle Web Cache 10g
 Using Oracle Application Server Control 10g
 Restricting Anonymous and Weak Ciphers When Using OC4J Standalone
 Restricting Anonymous and Weak Ciphers Used by Grid Control OMS and Grid Agent
 Testing for Anonymous Ciphers
 OpenSSL 0.9x Example
 OpenSSL 1.0x Example
References
