Ssl – Weblogic Mitigate POODLE vulnerability after upgrade and still use CBC ciphers

I recently upgraded my Weblogic server to 10.3.6 with java 7. So with that I have TLS1.0 – TLS 1.2 enabled via the setEnv.sh. Some of the ciphers I am using to make sure that they are compatible (supported by Weblogic, FF37, Chrome 44, etc) are as follows:

<ciphersuite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite>
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
<ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA256</ciphersuite>
<ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</ciphersuite><ciphersuite>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite>

This is in config.xml under the ssl tag. I do have JSSE enabled as well to make sure I can get a TLS1.2 connection.

The supported cipherlist for Weblogic 10.3.6 found here

One issue that I see with SSL Labs is that with these ciphers, I am still possibly vulnerable to POODLE.

An Nmap scan gave me this for what the ciphers are:

| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong

Before TLS1.1 and TLS1.2 were enabled in setEnv.sh, I did not have this issue, so I am unsure why adding them changed what happened.
Now my question is how do I make sure that I have SSL3 disabled but still able to use some of the CBC ciphers? or have the support I need?

EDIT: I know that CBC ciphers are a no bueno kinda thing… I am open for suggestions for ciphers support TLS1.0+ and for a browser as low as IE 8.

Best Answer

Just make sure that you use a higher version of Java than 7u75 (it disables them by default) then I think enabling TLS1.0 only can cause the downgrade for SSLv3 then you could use -Dweblogic.security.SSL.protocolVersion=TLS1 and TLS1.1. You should have disabled CBC a long time ago https://community.qualys.com/thread/9974. So you might have conflicting requirements.

Best Answer

Related Solutions

Ssl – Possible to close port 80 and still use port 443

Ssl – How to use SSL behind a load balancer and still get the client IP

Related Topic