How to disable SSL renegotiation in weblogic 10.3

Hi,
Can someone advise how to disable the SSL renegotiation in weblogic 10.3 server with jdk 1.6.0_35-b10 or 1.6.0_07-b06?
I tried to set the properties below when starting up the weblogic server, but it didn't work.
-Dweblogic.security.disableNullCipher=true -Dweblogic.ssl.AllowUnencryptedNullCipher=false -Dweblogic.security.ssl.enable.renegotiation=false -Dssl.debug=true -Dsun.security.ssl.allowUnsafeRenegotiation=false -Dsun.security.ssl.allowLegacyHelloMessages=false
I'd really appreciate it if anyone can give any advice.

Thanks PratikS.
I tried to apply that patch in weblogic 10.3.0, but got the NoSuchMethodError below. Any idea? Is any other patch needed?
<Jun 3, 2013 1:25:49 PM CST> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: java.lang.NoSuchMethodError:weblogic.protocol.ServerChannel.getConfig()Lweblogic/management/configuration/NetworkAccessPointMBean;
java.lang.NoSuchMethodError: weblogic.protocol.ServerChannel.getConfig()Lweblogic/management/configuration/NetworkAccessPointMBean;
at weblogic.security.utils.SSLContextManager.getChannelSSLContext(SSLContextManager.java:234)
at weblogic.security.utils.SSLContextManager.getSSLServerSocketFactory(SSLContextManager.java:89)
at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:59)
at weblogic.server.channels.DynamicListenThreadManager.createListener(DynamicListenThreadManager.java:289)
at weblogic.server.channels.DynamicListenThreadManager.start(DynamicListenThreadManager.java:129)
Truncated. see log file for complete stacktrace
>

Similar Messages

  • How to disable SSL Renegotiation

    Hi All,
    A security audit discovered that the SSL termination of one of our applications, which resides on our ACE, supports SSL Renegotiation, which is, in their opinion, a security risk. As far as I know, it is not supported to turn off this feature on ACE. Anyway, I want to be sure before I report this to the auditors. If you know how to disable it, please share with me!
    We are running 3.0(0)A4(2.2).
    Regards,
    Tamas

    Thank you for your answer.
    Our running version is A5(2.0). It should have rehandshake disabled by default.
    Here are the outputs from some commands:
    ACE# sh run | i rehand
    Generating configuration....
    ACE# sh parameter-map SSL_TERMINATION
    Parameter-map : SSL_TERMINATION
    Description : -
    Type : ssl
        version                            : all
        close-protocol                     : none
        expired-crl                        : allow
        cdp-errors                         : reject
        authentication-failure any         : reject
        session-cache timeout              : disabled
        queue-delay timeout                : disabled
        Accepted cipher list:
          RSA_WITH_RC4_128_MD5 (priority:1)
          RSA_WITH_RC4_128_SHA (priority:1)
          RSA_WITH_AES_128_CBC_SHA (priority:10)
          RSA_WITH_AES_256_CBC_SHA (priority:1)
        rehandshake                        : disabled
        purpose-check                      : enabled
    As you can see there is no configuration command to activate rehandshake.
    So my question is if the rehandshake command only affects the ACE´s ability to do a rehandshake from its own side, but always lets the client do it if it wants to.
    It isn't easy to find details about this. And the only place where I have found a little bit of detail says "Enables rehandshake, allowing the ACE to send an SSL HelloRequest message to its peer to restart SSL handshake negotiation", so it might just be in that direction.
    A followup question would be if it is possible to prevent the client from doing a rehandshake by a command in the ACE.
    If this behaviour is not the intention this has to be a bug and I would go to the TAC with it.
    I just want to know how the ACE is intended to work before I do that.
    Best Regards,
    /Torbjörn

  • How to disable SSL v3 for sun os 5.6 (OAS 4.0.8), I am facing POODLE vulnerability issue?

    My website is hosted on Sun OS 5.06 (OAS 4.0.8) and uses the web server Oracle_Web_Listener/4.0.8. The website is configured to use https for secure pages and it was working fine for the last 10 years, but suddenly I am getting complaints from my customers that they cannot browse the site on Chrome version 40 and above and Firefox 34 and above.
    I searched for this issue and found that there is the POODLE attack, which may be causing this issue. Now the only solution I can see is to disable SSL v3 on the server.
    Can anyone help me out with the process or an idea of how to disable SSL v3 on this old server? It's a Sun Microsystems server.

    Hi Aamir,
    This is old software, been a while since I saw one of these.
    Normally when SSL was set up there were two listeners, one with SSL and one without, on a different port, so you could try to find this second port, which may work without any need to change the configuration.
    Else, try to check on the OAS manager (usually on port 8888), the HTTP listener -> WWW -> Network; if there is a setup only for the SSL port, you will need to add a new line, with the same configuration, but a different port and the security disabled.
    Also, there may be some setting in the application itself for the URL path. If so, when you navigate in the application it will try to redirect you back to the SSL port. In that case you will need to figure out where to change that, which depends on the application itself.
    Found this page on Google with the process to set up SSL on OAS 4.0; you need to do the inverse of step 5.
    WoSign Support: SSL Certificates Installation Instruction - Oracle Web Server (OAS 4.0.8)
    Regards,
    Luis

  • ILOM, how to disable SSL v2?

    Hello
    Is there any possibility to disable SSL v2?
    I want to use HTTPS to connect to the server (Java Console) but it has to use SSL v3 only. When trying to connect with SSL v2, the connection should not be established.
    Is there any possibility to do this?
    SP Firmware Version is: 3.0.3.20.e
    SP Filesystem Version 0.1.22
    Edited by: Luceks on Sep 2, 2009 4:28 AM

    Hi.
    You should have a SSL section under:
    1) Log in to the ILOM-SP WEB interface.
    2) Click --> Management --> SSL (or similar...)
    3) The SSL page appears. There're some sections to the SSL page.
    One section includes targets and properties and you can configure the SSL settings displayed
    in this section page (example):
    **SSL**
    State = Enabled | Disabled
    Roles = Administrator | Operator | Advanced | (none)
    Address = 0.0.0.0
    Port = 0
    4) Save settings page, to save any changes made to this section.
    s.

  • How to configure SSL for Oracle Weblogic Server

    Hi,
    Please help me to configure SSL in oracle weblogic server.
    If possible, please provide step by step to configure SSL.

    this should help
    http://weblogic-wonders.com/weblogic/2010/05/19/configuring-ssl-on-weblogic-server-custom-identity-custom-trust/

  • How to disable SSL V3 via GPO on a win2008R2 server

    Hi everyone
    Because of this new Poodle threat involving SSL v3, I need to disable SSL v3 on our network, via Group Policy.
    There are plenty of posts on how to do this, e.g.
    https://technet.microsoft.com/library/security/3009008.aspx
    But the problem is, the option needed isn't available!
    I need to find the option "Turn off Encryption Support".
    I can do this using a local GPO, but as soon as I jump on the DC and go to the same settings, it's not there.
    This is a Win2008 R2 server based network, running IE10 and IE11.
    I've tried adding the GPO templates for both IE10 and IE11, but there appears to be no difference; the option is still missing.
    Anyone got any ideas?
    thanks
    G.

    I updated the admx and adml files in my central store to IE 11 ones and it added the option. Hope that helps. http://www.microsoft.com/en-us/download/details.aspx?id=40905

  • Disabling SSL Renegotiation in Java

    I am using jdk 1.6 update 22 build. In my SSL server code, I have explicitly:
    System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "false");
    System.setProperty("sun.security.ssl.allowLegacyHelloMessages", "false");
    Then, I used the openssl s_client -connect command to test and found out that renegotiation is still enabled. Please advise on the actual way of disabling it.

    Here is the part of ssl debug from server side:
    Thread-1, READ: TLSv1 Handshake, length = 128
    Allow unsafe renegotiation: false
    Allow legacy hello messages: false
    Is initial handshake: false
    Is secure renegotiation: true
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1326076465 bytes = { 195, 102, 145, 176, 167, 150, 9, 162, 47, 62, 214, 163, 120, 118, 26, 152, 69, 200, 72, 61, 175, 174, 252, 236, 120, 204, 18, 86 }
    Session ID: {}
    Cipher Suites: [TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_IDEA_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
    Compression Methods: { 0 }
    Extension renegotiation_info, renegotiated_connection: 3c:6d:0b:aa:47:f4:d1:63:05:4b:cb:f8
    Unsupported extension type_35, data:
    %% Initialized: [Session-2, SSL_NULL_WITH_NULL_NULL]
    %% Negotiating: [Session-2, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA]
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1326076452 bytes = { 238, 57, 234, 189, 103, 165, 225, 15, 14, 39, 146, 76, 2, 106, 174, 240, 176, 192, 176, 239, 254, 212, 35, 207, 90, 61, 71, 204 }
    Session ID: {79, 10, 82, 36, 145, 206, 200, 58, 8, 62, 53, 177, 184, 159, 162, 24, 188, 126, 183, 111, 211, 236, 89, 112, 2, 217, 27, 34, 183, 180, 160, 202}
    Cipher Suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    Compression Method: 0
    Extension renegotiation_info, renegotiated_connection: 3c:6d:0b:aa:47:f4:d1:63:05:4b:cb:f8:fa:2a:58:cb:84:5d:07:16:25:c6:3e:ec
    Cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    You can see both properties set to false already.
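
Reading the debug output in the post above, as an added example that is not part of the original post: the handshake is logged with `Is initial handshake: false` and `Is secure renegotiation: true`, an RFC 5746 renegotiation, which the two `sun.security.ssl` properties do not refuse because they only govern the legacy, unprotected form. The Python code below scans `javax.net.debug` output for such handshakes; the sample log is constructed from the excerpt above and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the javax.net.debug excerpt quoted above
# (random bytes and cipher-suite lists trimmed; the first handshake is assumed).
SAMPLE_LOG = """\
Thread-1, READ: TLSv1 Handshake, length = 96
Allow unsafe renegotiation: false
Allow legacy hello messages: false
Is initial handshake: true
Is secure renegotiation: false
*** ClientHello, TLSv1
*** ServerHello, TLSv1
Thread-1, READ: TLSv1 Handshake, length = 128
Allow unsafe renegotiation: false
Allow legacy hello messages: false
Is initial handshake: false
Is secure renegotiation: true
*** ClientHello, TLSv1
Extension renegotiation_info, renegotiated_connection: 3c:6d:0b:aa:47:f4:d1:63:05:4b:cb:f8
*** ServerHello, TLSv1
"""

# The per-handshake state lines shown in the excerpt.
FLAG = re.compile(r"^(Allow unsafe renegotiation|Allow legacy hello messages|"
                  r"Is initial handshake|Is secure renegotiation): (true|false)$")

def parse_handshakes(log_text):
    """Group the debug output into one record per handshake."""
    handshakes, cur = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FLAG.match(line)
        if m:
            key, value = m.group(1), m.group(2) == "true"
            # A repeated flag, or a flag after a ClientHello, starts a new handshake.
            if cur is None or key in cur["flags"] or cur["client_hello"]:
                cur = {"flags": {}, "client_hello": False, "server_hello": False}
                handshakes.append(cur)
            cur["flags"][key] = value
        elif cur is not None:
            if line.startswith("*** ClientHello"):
                cur["client_hello"] = True
            elif line.startswith("*** ServerHello"):
                cur["server_hello"] = True
    return handshakes

def classify(hs):
    """Label a handshake: 'initial' or '<kind>-renegotiation-<outcome>'."""
    flags = hs["flags"]
    if flags.get("Is initial handshake", True):
        return "initial"
    secure = flags.get("Is secure renegotiation")
    kind = "unknown" if secure is None else ("secure" if secure else "unsafe")
    # A ServerHello after the renegotiating ClientHello means the server went along.
    outcome = "answered" if hs["server_hello"] else "unanswered"
    return f"{kind}-renegotiation-{outcome}"

def renegotiations(log_text):
    """Return the labels of every non-initial handshake in the log."""
    labels = [classify(h) for h in parse_handshakes(log_text)]
    return [label for label in labels if label != "initial"]

if __name__ == "__main__":
    for label in renegotiations(SAMPLE_LOG):
        print(label)
```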

  • How to configure SSL certificates on weblogic 10.3.5?

    Hi everybody,
    I've got 2 certificates: Server and Intermediate CA. I used the java keytool command to import these two certificates into a new keystore:
    keytool -import -v -alias server_cert -file certificate.pem -keystore keystore.jks
    keytool -import -v -alias intermediate_ca -file intermediate.pem -keystore keystore.jks
    Then, as the weblogic 10.3.5 documentation says, I need to use the ImportPrivateKey utility in order to import the private key into the keystore, so I use this command:
    java utils.ImportPrivateKey -keystore private.jks -storepass password -keyfile mykey -keyfilepass password -keyfile private.pem -alias private
    and get the following error:
    Exception in thread "main" java.lang.NoClassDefFoundError: utils.ImportPrivateKey
    at gnu.java.lang.MainThread.run(libgcj.so.7rh)
    Caused by: java.lang.ClassNotFoundException: utils.ImportPrivateKey not found in gnu.gcj.runtime.SystemClassLoader{urls=[file:./], parent=gnu.gcj.runtime.ExtensionClassLoader{urls=[], parent=null}}
    at java.net.URLClassLoader.findClass(libgcj.so.7rh)
    at java.lang.ClassLoader.loadClass(libgcj.so.7rh)
    at java.lang.ClassLoader.loadClass(libgcj.so.7rh)
    at gnu.java.lang.MainThread.run(libgcj.so.7rh)
    Any ideas? Thanks.
    Regards,
    Karolis M.

    Hello,
    Weblogic has two keystores: identity (if you are doing 2-way SSL) and trust. You should import your "external" certificate in the "trust" key store.
    Look at your server config to know your config: Home > Summary of Servers > AdminServer --> configuration --> keystore
    I suggest that you change the default configuration (not using the demo one),
    then when you know where your key store is, use the command line to add your certificate to the trusted store (this is an example):
    opt/weblogic10_3_3/jdk160_18/jre/bin/keytool -import -noprompt -trustcacerts -alias BLCCertificateAuthority -file cacert2035.pem -keystore /opt/weblogic10_3_3/jdk160_18/jre/lib/security/cacerts
    Once your certificate is added to your trust store it should work.
    I hope it will help.

  • How to configure SSL in standalone weblogic server for ADF apps

    Hello,
    I'm new to weblogic. Could anyone provide documentation/blog references for configuring SSL in weblogic for an ADF application? Currently the ADF application deploys on http; I need it to deploy as https.
    Appreciate your response
    Thanks and Regards

    Expand Environment > Click on Server > Click on Keystores Tab
    Under Keystores you have some options like DemoIdentity & Demo Trust.
    If you want to use the default keystores, you don't have to modify these configurations.
    Just enable SSL and specify the listen port.
    Expand Environment > Click on Server > General
    SSL Listen Port Enabled
    SSL Listen Port:
    If you want to use your own keystore, select Custom Identity and Custom Trust beside the Keystores drop-down and specify the required values.
    If you need any clarification let me know.
    HTH,
    Faisal
    http://download-llnw.oracle.com/docs/cd/E11035_01/wls100/secmanage/ssl.html

  • How to disable ssl in messenger express

    Our ssl cert is about to expire. We applied a new one yesterday
    and it worked. But after a restart of the system, we could not
    get the webmail working.
    We have no time to investigate now. So it might be simpler
    to disable the ssl in httpd, i.e. reverting to the original
    http://our.mail.system
    (instead of https://our.mail.system)
    Note: right now all http:// are automatically switched to https://
    Please tell me the way to disable it
    Thanks

    In UWC set uwcauth.ssl.authonly=false in /var/opt/SUNWuwc/WEB-INF/config/uwcauth.properties file and restart web container.

  • How to disable distributed transaction in Weblogic 8.1?

    Hi I'm using WL8.1 running EJB. I wish to disable distributed transaction, whatever
    that is. It is preventing me from doing an AutoCommit(true) in my database. Please
    help. Thanks!

    You cannot disable transactions if you are using entity EJBs but you can
    get your connections from a non-TX DataSource (just define a regular
    DataSource and not TXDataSource in your configuration) and then those
    connections will not be transaction aware so you'll be able to do
    setAutoCommit(true) in fact it might already be the default setting when
    you get the connection.
    Regards,
    Dejan
    Fred wrote:
    >Hi I'm using WL8.1 running EJB. I wish to disable distributed transaction, whatever
    >that is. It is preventing me from doing an AutoCommit(true) in my database. Please
    >help. Thanks!

  • How to disable sslv2 on windows server 2008 r2

    We are getting alerts from our third party application regarding the vulnerability error in our domain. They mention the following vulnerability message
    Abp

    https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html

  • How to get SSL certificates in JRun

    I have some problems in using JRun 3.1 with apache 2.0 in
    microsoft Windows XP professional.
    I want to get SSL peer certificates in a jsp file. But it
    always failed.
    Could you tell me how to get the remote user's certificate?
    content of JSP file:
    <%@ page import="java.security.cert.X509Certificate" %>
    <%
    boolean isSecure = request.isSecure();
    if (isSecure) {
        // Client certificate chain, set by the container when the TLS peer presented one
        X509Certificate[] certChain =
            (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        if (certChain != null) {
            // (body not included in the original post)
        } else {
            out.println("<br>User certificate is null.<br>");
        }
    }
    %>
    ...

    Configuring Commercial certificates on weblogic server
    http://weblogictips.wordpress.com/2008/07/27/configuring-commercial-certificates-on-weblogic-server/
    How to debug SSL issues with weblogic server
    http://weblogictips.wordpress.com/2010/05/11/how-to-debug-ssl-issues-with-weblogic-server/
    Steps to create self sign certificates for weblogic server
    http://weblogictips.wordpress.com/2008/07/27/steps-to-create-self-sign-certificates-for-weblogic-server/
    thanks,
    sandeep

  • Disable SSL 2.0 on Windows 2008 R2

    Hi.
    Can anyone give me a step by step on how to disable SSL 2.0 on IIS 7.5 please? I cannot find an article for it and those referring to IIS 7.0 do not seem to work.
    Regards,
    Morris
    Best Regards, Morris Fury AFRIDATA.net

    Morris -
    Client-side SSL 2.0 is disabled by default on Windows 7 and Windows Server 2008 R2, which means that, when initiating an SSL connection from either of those two OSes that SSL 2.0 will not be sent as a supported protocol that the server can use. You can see this in the following registry value:
    Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
    Value: DisabledByDefault
    Server-side SSL 2.0 is not, however, disabled by default. This means that some other client, when initiating an SSL connection
    to Windows Server 2008 R2 can include SSL 2.0 in the list of supported protocols. If SSL 2.0 is the only protocol in common between the client and the server, the server will select it.
    Functionally, there is not much difference between setting Enabled to 0 and setting DisabledByDefault to 1.
    Hope this helps,
    Jonathan Stephens

  • How to disable SNI on Windows 2012 ADFS server?

    Hello,
    Could you please let me know how to disable the SNI in Windows 2012 ADFS Server.
    Wanted to configure the NetScalers as both proxy and load balancer for ADFS.
    Regards
    Jay

    https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
