Webcache 10.1.2 does not support TLS1.0/SSL3.1 out-of-the-box
10 January 2007 at 20:12 CET | In AppServer, Oracle
We run Oracle Webcache version 10.1.2.0.2 and had trouble connecting to applications behind the webcache using the newly released Internet Explorer 7 and from a J2SE 6 Java Virtual Machine. It turns out that Oracle Webcache does not support the latest SSL/TLS protocol version, TLS1.0 (also known as SSL3.1), out-of-the-box.
The webcache.xml has a LISTEN element to configure the listening ports. When using SSL this has an SSLENABLED attribute. By default this is set to "SSLV3_V2H". As it turns out, this setting does not support the newer TLS1.0 protocol. Internet Explorer 6 did not use TLS1.0 with the default configuration. J2SE 6 does use TLS1.0 by default, and we had some installations of Internet Explorer 7 that were also configured to use TLS1.0. Some other installations of Internet Explorer 7 were configured differently; perhaps this was a difference between the beta and final release.
The Webcache guide does not have anything on this parameter. The only related documentation I could find is Metalink Note 342626.1 and a PDF on securing Oracle Application Server. The Metalink Note just advises changing the SSLENABLED parameter from SSLV3_V2H to SSL without really explaining why. The PDF on hardening an application server advises the opposite: change from SSL to SSLV3_V2H for extra security. All I want to do is enable the more secure TLS1.0 protocol, and the PDF suggests I'm opening a security hole with the workaround from the Metalink Note.
I've asked Oracle support to document the behavior of the different values I can use for the SSLENABLED parameter. Let's hope they come up with a satisfactory answer. Until then the choice is between running the risk of a potential security hole and configuring your clients not to use TLS1.0, which is also less secure.
Update 13-jan-2007: Oracle support replied with the possible settings for SSLENABLED and their meaning:
- NONE - No SSL support
- SSLV3 - NZ setting of nzos_Version_3_0 - SSL protocol version 3
- SSLV3_V2H - NZ setting of nzos_Version_3_0_With_2_0_Hello - SSL protocol version 3 with support of version-2 hello message
- SSLV2 - NZ setting of nzos_Version_2_0 - SSL protocol version 2
- SSL - NZ setting of nzos_Version_Undetermined - no specific version specified
The setting of SSL will accept SSLv2, SSLv3 and TLSv1 connections. This confirms my testing that SSL is the only setting that adds support for the latest TLS1.0 protocol. Unfortunately this also adds support for SSL version 2, which is not secure by today's standards.
Since the newer browsers and clients will start using TLS1.0, Webcache administrators will want to enable TLS1.0 support. Currently this also means supporting SSLv2. I've asked Oracle support to file an enhancement request to get this fixed and add a setting that only supports SSLv3 and TLSv1.
11 Comments
Once again thanks for posting some very useful information, it's very appreciated. I can mention that we had to disable WebCache completely in order to remedy some specific SSL problems as well; they might be related to this, even though we are not using Java 1.6 in production (yet), where this issue happened.
Keep up the good work.
Comment by Jacob — 10 January 2007 #
Initially we also ran without webcache because it is not very useful for Oracle Forms. Later on we did decide to place webcache before Forms and our J2EE web applications.
Main reason for this was not to support caching, but to have a reverse proxy in which we can hide the URL of the origin server from the user. This allows us to move applications between origin servers while keeping the same external URL on the webcache server.
All our applications have URLs with the same hostname. This allows the use of a single SSL certificate for 15+ separate applications. Webcache allows us to purchase only a single SSL certificate and use http://hostname/application URLs while we still have the freedom to move applications between different physical hosts.
Comment by wilfred — 11 January 2007 #
Oracle support confirmed it is currently not possible to add support for TLSv1 without also adding support for SSLv2, which is seen as insecure by today's standards. I've asked for an enhancement request to get this corrected.
Comment by wilfred — 13 January 2007 #
Hi,
Thanks for your article.
Does it mean a bug for aNULL authentication? When you run the following command it bypasses null authentication in Oracle Web Cache:
openssl s_client -connect target_host_ip:443 -cipher "aNULL" -state -debug
Do you have any idea which cipher suite to use to protect Web Cache and HTTP Server 10g Release 2?
Regards,
Praful
Comment by Praful — 2 March 2007 #
Thanks,
Praful
Comment by Praful — 2 March 2007 #
Praful,
I’m sorry but I really don’t understand what your question is.
Comment by wilfred — 3 March 2007 #
Oracle WebCache has the following vulnerability issue:
SSL Server Allows Anonymous Authentication with TLS 1.0 Vulnerability
openssl s_client -connect target_host_ip:443 -cipher "aNULL" -state -debug
Is there any setting in WebCache.xml to prevent anonymous authentication?
Current settings in WebCache.xml are as follows:
SSLENABLED="SSLV3_V2H"
STRONG_CRYPTO_ONLY="YES"
Do you have any idea whether Oracle Patch p4960210_10122_WINNT will fix this issue?
Thanks.
Storng
Comment by Praful — 4 March 2007 #
Praful,
I don't know what bugs are fixed in 10.1.2.2.0. There is a long list of fixed bugs on MetaLink, but you would probably need the bug number of the vulnerability to see if it is on the list.
I guess you're best off contacting Oracle Support at http://metalink.oracle.com and reporting this issue. They can see if the bug has been reported before and if it has been fixed.
Comment by wilfred — 4 March 2007 #
Hi Jacob,
You mention that you had to disable WebCache completely in order to remedy the SSL issue.
Can you share your WebCache disable instructions and troubleshooting tips?
Regards,
Praful
Comment by Praful — 6 March 2007 #
Finally, we were able to resolve the Oracle AS 10.1.2.0.2 "SSL SERVER ALLOWS ANONYMOUS AUTHENTICATION VULNERABILITY PORT 443/TCP OVER SSL". This was a frustrating issue. We ended up installing the 10.1.2.2 Patchset (Patch 4960210). The key after installing the patch is to manually modify the webcache.xml and restart webcache. You will need to add the ANON_CRYPTO_FORBIDDEN=YES and STRONG_CRYPTO_ONLY=YES parameters in the webcache.xml file per the patch installation instructions. For example:
<LISTEN IPADDR="ANY" PORT="443" PORTTYPE="NORM" SSLENABLED="SSLV3_V2H" STRONG_CRYPTO_ONLY="YES" ANON_CRYPTO_FORBIDDEN="YES" Key="IPADDR PORT" />
This interface removed the syntax from the previous line. Follow the installation instructions 9.11.2 Disable Use of Diffie-Hellman Anonymous Cipher Suites, Bug 5577648.
Hope this helps!
chuss
Comment by chuss — 1 April 2007 #
PS: You will now be able to observe that the openssl command fails trying to connect to your server on port 443, whereas it succeeded on the unpatched system.
chuss
Comment by chuss — 1 April 2007 #
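As an added example, not code from the original post, from Oracle, or from any commenter: a small audit script that reads the LISTEN elements of a webcache.xml and reports, per listener, which protocol versions its SSLENABLED value admits according to the Oracle Support reply quoted in the post, and whether the STRONG_CRYPTO_ONLY and ANON_CRYPTO_FORBIDDEN attributes described in chuss's comment above are set. The sample XML is constructed for this example (the wrapper element is not the real file layout; only the LISTEN elements matter), and the assumption that a missing ANON_CRYPTO_FORBIDDEN behaves like NO is mine, based on the comment saying the attribute has to be added by hand after the patchset. The script only reads the file; it changes nothing.

```python
"""Audit LISTEN elements in webcache.xml for SSL/TLS protocol exposure.

Added example, not part of the original post and not an Oracle tool.
The SSLENABLED semantics are taken from Oracle Support's reply quoted in
the post; ANON_CRYPTO_FORBIDDEN and STRONG_CRYPTO_ONLY are the attributes
described in chuss's comment on the 10.1.2.2 patchset. The sample XML is
constructed for this example and does not reproduce the real file layout.
"""
import sys
import xml.etree.ElementTree as ET

# Protocol versions each SSLENABLED value accepts, per Oracle Support's reply.
SSLENABLED_PROTOCOLS = {
    "NONE": frozenset(),
    "SSLV2": frozenset({"SSLv2"}),
    "SSLV3": frozenset({"SSLv3"}),
    # SSLv3 only; "_V2H" just means a version-2 hello message is accepted.
    "SSLV3_V2H": frozenset({"SSLv3"}),
    # "Undetermined": negotiates any of SSLv2, SSLv3 and TLSv1.
    "SSL": frozenset({"SSLv2", "SSLv3", "TLSv1"}),
}

# Constructed sample: three listeners with different settings.  The wrapper
# element is not the real webcache.xml layout; only the LISTEN elements matter.
SAMPLE_WEBCACHE_XML = """<CALYPSO>
  <LISTEN IPADDR="ANY" PORT="7777" PORTTYPE="NORM" SSLENABLED="NONE"/>
  <LISTEN IPADDR="ANY" PORT="443" PORTTYPE="NORM" SSLENABLED="SSLV3_V2H"
          STRONG_CRYPTO_ONLY="YES"/>
  <LISTEN IPADDR="ANY" PORT="4443" PORTTYPE="NORM" SSLENABLED="SSL"
          STRONG_CRYPTO_ONLY="YES" ANON_CRYPTO_FORBIDDEN="YES"/>
</CALYPSO>"""


def audit_listen(elem):
    """Return the protocols admitted by one LISTEN element plus a list of findings."""
    mode = (elem.get("SSLENABLED") or "NONE").upper()
    findings = []
    protocols = SSLENABLED_PROTOCOLS.get(mode)
    if protocols is None:
        findings.append("unknown SSLENABLED value %r" % mode)
        protocols = frozenset()
    if mode != "NONE":
        if "SSLv2" in protocols:
            findings.append("accepts SSLv2, which is not secure by today's standards")
        if "TLSv1" not in protocols:
            findings.append("does not accept TLSv1; IE7 and J2SE 6 clients "
                            "that default to TLS1.0 will fail to connect")
        # Assumption: an absent attribute behaves like NO (the comment says the
        # attribute has to be added by hand after installing the patchset).
        if elem.get("ANON_CRYPTO_FORBIDDEN", "NO").upper() != "YES":
            findings.append("ANON_CRYPTO_FORBIDDEN is not YES; anonymous "
                            "(Diffie-Hellman) cipher suites stay enabled")
        if elem.get("STRONG_CRYPTO_ONLY", "NO").upper() != "YES":
            findings.append("STRONG_CRYPTO_ONLY is not YES")
    return {
        "port": elem.get("PORT"),
        "sslenabled": mode,
        "protocols": sorted(protocols),
        "findings": findings,
    }


def audit_webcache_xml(xml_text):
    """Audit every LISTEN element found anywhere in the document."""
    root = ET.fromstring(xml_text)
    return [audit_listen(e) for e in root.iter("LISTEN")]


if __name__ == "__main__":
    # Pass the path of a real webcache.xml to audit it; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEBCACHE_XML
    for r in audit_webcache_xml(text):
        print("port %s SSLENABLED=%s protocols=%s"
              % (r["port"], r["sslenabled"], ",".join(r["protocols"]) or "-"))
        for f in r["findings"]:
            print("  - " + f)
```

Run against the sample, the script flags port 443 (SSLV3_V2H) for not accepting TLSv1 and for lacking ANON_CRYPTO_FORBIDDEN, and port 4443 (SSL) for accepting SSLv2, which is exactly the trade-off the post describes: with this release there is no SSLENABLED value that gives TLSv1 without SSLv2.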