Browser SSL issue & fix – For WebLogic only

We have found that the latest versions of several browsers do not work with https. Details of the issue are below.

 

Affected Browser:

  • > Chrome 45
  • > Firefox 40
  • > Internet explorer 11

 

Issue:

SSLv3, a security protocol used for https, has a security vulnerability known as the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, which can be used in a man-in-the-middle attack.

Hence browser companies have stopped supporting SSL 3.0 in their latest versions; please read these articles for more details: Internet Explorer, Firefox, Chrome.

In the latest browser versions, a page like the following appears when hitting an https flow.

[Image: Firefox SSL issue]

[Image: Chrome SSL issue]

 

 

Fix:

The server must use a > TLS 1.0 protocol instead of SSL 3.0.

The Apache server is already configured with a protocol > TLS 1.0. Hence no changes are required for environments where Apache is configured correctly.

For environments where the application server ports (WebLogic) are expected to be used rather than the web server ports (Apache), please make the following change.

 

  1. Stop the application server
  2. Go to the WebLogic domain <Domain Name>/config
  3. Take a backup of config.xml
  4. Edit the original config.xml
  5. Search for the server name in the file, e.g. “<name>ATGCommerce</name>”
  6. Look for the ssl tag under this, “<ssl>”
  7. Enter the following two lines under the SSL tag.

<use-java>true</use-java>

<jsse-enabled>true</jsse-enabled>

<ciphersuite>SSL_RSA_WITH_RC4_128_MD5</ciphersuite>

  8. Save the file

  9. Start the application server

 

Please follow a similar sequence of tags, otherwise there can be issues. Do not worry about tags you do not have in your config file.

 

[Image: ConfigFileSequence]
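A check to run against the edited config.xml before restarting, as an added example that is not part of the original post: it finds the `<ssl>` block of the named server, confirms the two flags from step 7 are set, and reports any RC4-based ciphersuite (RC4 is prohibited for TLS by RFC 7465) or MD5-based one. The function names and the sample XML are constructed for illustration, the WebLogic domain namespace is assumed, and the check does not validate tag order.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml fragment (not from a real domain).
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server>
    <name>AdminServer</name>
    <ssl><enabled>true</enabled></ssl>
  </server>
  <server>
    <name>ATGCommerce</name>
    <ssl>
      <use-java>true</use-java>
      <jsse-enabled>true</jsse-enabled>
      <ciphersuite>SSL_RSA_WITH_RC4_128_MD5</ciphersuite>
    </ssl>
  </server>
</domain>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def child(elem, name):
    # First direct child with the given local tag name, or None.
    return next((c for c in elem if local(c.tag) == name), None)

def check_server_ssl(xml_text, server_name):
    """Return a list of findings for the <ssl> block of the named server."""
    root = ET.fromstring(xml_text)
    for server in (e for e in root if local(e.tag) == "server"):
        name = child(server, "name")
        if name is None or (name.text or "").strip() != server_name:
            continue
        ssl = child(server, "ssl")
        if ssl is None:
            return ["no <ssl> block under server " + server_name]
        findings = []
        for flag in ("use-java", "jsse-enabled"):  # the two flags from step 7
            node = child(ssl, flag)
            if node is None or (node.text or "").strip().lower() != "true":
                findings.append("<%s> is not set to true" % flag)
        for suite in (c for c in ssl if local(c.tag) == "ciphersuite"):
            value = (suite.text or "").strip()
            if "_RC4_" in value or value.endswith("_MD5"):
                findings.append("weak ciphersuite configured: " + value)
        return findings
    return ["server %s not found" % server_name]

if __name__ == "__main__":
    print(check_server_ssl(SAMPLE_CONFIG, "ATGCommerce") or "ok")
```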

 

Note:

This fix is to be used for development environments only; for TEST and higher environments the web server (Apache) is to be used.

If this fix is required in higher environments, confirmation from the product company (Oracle) is a must.