Setting SSL Certificate Nickname In PORT_ACCESS Mapping Bypasses ssladjustciphersuites
(Doc ID 2882883.1)
Last updated on MAY 14, 2024
Applies to:
Oracle Communications Messaging Server - Version 8.1.0 and later
Information in this document applies to any platform.
Symptoms
Setting an SSL certificate nickname in PORT_ACCESS mapping bypasses ssladjustciphersuites.
The very last thing in PORT_ACCESS is:
If the same command is performed, except without the -cipher switch, from the same system, it succeeds and shows it is using ECDHE-RSA-AES128-GCM-SHA256. All good.
If that first command is performed from a system which is treated as "external", it succeeds and shows it is using EDH-RSA-DES-CBC3-SHA. This is incorrect.
The expected behavior is that external clients matched in the PORT_ACCESS mapping table should not be allowed to connect using disabled cipher suites.
Changes
In a new configuration, there was a need to set PORT_ACCESS to return a different certificate nickname based on the client IP address.
For connections from internal systems, the normal "Server-Cert" is used.
For connections from external clients, it is desired to use a different certificate, "MXexternalCert".
Cause