We have found that the latest versions of several browsers are not working with HTTPS. Details on this issue are given below.
- Chrome 45
- Firefox 40
- Internet Explorer 11
SSLv3, a security protocol used for HTTPS, has a security vulnerability known as the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, which can be used for a man-in-the-middle attack.
In the latest versions of these browsers, a page like the following is shown when hitting the HTTPS flow.
The server must use the > TLS 1.0 protocol instead of SSL 3.0.
The Apache server is already configured with protocol > TLS 1.0. Hence no changes are required for environments where Apache is configured correctly.
For environments where the application server ports (WebLogic) are expected to be used instead of the web server ports (Apache), please make the following change.
1. Stop the application server
2. Go to the WebLogic domain <Domain Name>/config
3. Take a backup of config.xml
4. Edit the original config.xml
5. Search for the server name in the file, e.g. “<name>ATGCommerce</name>”
6. Look for the SSL tag under it, “<ssl>”
7. Enter the following two lines under the SSL tag.
8. Save file
9. Start application server
Please keep the same sequence of tags, otherwise there can be issues. Do not worry about tags you do not have in your config file.
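As an added example (not part of the original post), the Python check below takes the backup from step 3 and lists, in order, the child tags of the `<ssl>` element for the named server, so you can confirm the edit sits under the right server, in the right sequence, and that the file is still well-formed. The sample XML is constructed, and the function names are hypothetical.

```python
import shutil
import xml.etree.ElementTree as ET

# Constructed sample for illustration, not a real domain file.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server>
    <name>AdminServer</name>
    <listen-port>7001</listen-port>
  </server>
  <server>
    <name>ATGCommerce</name>
    <ssl>
      <enabled>true</enabled>
      <listen-port>7002</listen-port>
    </ssl>
  </server>
</domain>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def ssl_child_tags(xml_data, server_name):
    """Return the ordered child tag names of <ssl> for one server.

    Returns None when that server has no <ssl> element and raises
    LookupError when no <server> with that <name> exists. ET.fromstring
    raises ParseError if the edited file is no longer well-formed XML.
    """
    root = ET.fromstring(xml_data)
    for server in root:
        if local(server.tag) != "server":
            continue
        names = [c.text for c in server if local(c.tag) == "name"]
        if server_name not in names:
            continue
        for child in server:
            if local(child.tag) == "ssl":
                return [local(e.tag) for e in child]
        return None
    raise LookupError("no <server> named %r" % server_name)

def backup_then_inspect(path, server_name):
    """Copy config.xml to config.xml.bak, then report the <ssl> children."""
    shutil.copy2(path, path + ".bak")
    with open(path, "rb") as fh:
        return ssl_child_tags(fh.read(), server_name)
```

Run `backup_then_inspect` on config.xml before editing and `ssl_child_tags` on the file contents after editing, then compare the two lists.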
This fix is to be used for development environments only; for TEST and higher environments the web server (Apache) is to be used.
If this fix is required in higher environments, confirmation from the product company (Oracle) is a must.