Wednesday, May 12, 2021

How to change/configure TLS/SSL protocols in Weblogic

TLS 1.2 is the default minimum protocol version configured in WebLogic Server 14.1.1. TLS 1.3 support is available in WebLogic Server versions that are certified with Java SE implementations supporting TLS 1.3 in JSSE; for example, TLS 1.3 is available in WebLogic Server 14.1.1 when using Java SE 11 or JDK 8u261+.

Note that TLS 1.3 support is also available in WebLogic Server 12.2.1.4 or 12.2.1.3 with JDK 8u261+.

Older protocol versions can be disabled by setting the minimum supported protocol version in JAVA_OPTS:

-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1

Note that the above setting only affects inbound connections. If an application on WebLogic makes outbound calls to another system (for example LDAP), see the section below.

For Outbound Connections

To control outbound connections, the following JAVA_OPTIONS system properties are available.

Example to allow all TLS protocols for the most common SSLSocket or SSLSocketFactory classes:

-Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2

Applications using the HttpsClient or HttpsURLConnection classes can use the https.protocols system property:

-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

You should also disable SSLv2 Client Hello in WLS startup scripts:

-Dweblogic.ssl.SSLv2HelloEnabled=false

The jdk.tls.client.protocols system property is available since JDK 7u95 and 6u121, and all versions of JDK 8 support it. In other words, older JDK versions only support TLS 1.0 for outbound client connections.

A common way to test is to change the protocol settings in your browser and try one protocol at a time. If only TLS 1.2 should work, disable all other protocols in your browser settings.

If you have openssl on your system, you can verify that what you configured is in effect by connecting with the following commands, one protocol version per attempt:

openssl s_client -connect <hostname:port> -ssl3
openssl s_client -connect <hostname:port> -tls1
openssl s_client -connect <hostname:port> -tls1_1
openssl s_client -connect <hostname:port> -tls1_2
openssl s_client -connect <hostname:port> -tls1_3
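The openssl checks above can be automated so that a listen port is probed at every TLS version and any version below the configured minimum is flagged. The script below is an added example, not part of the original post or of WebLogic; it assumes the host, port and the intended minimum (defaulting to TLSv1.2, matching the minimumProtocolVersion setting above) are passed on the command line.

```python
import socket
import ssl
import sys

# TLS versions to exercise, keyed by the names Python's ssl module reports.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port, timeout=5.0):
    """Handshake once per TLS version, pinned to exactly that version; True = server accepted it."""
    results = {}
    for name, ver in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # protocol support is under test, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # Modern OpenSSL disables TLS 1.0/1.1 client-side at the default security
            # level; relax it so the result reflects the server, not this client.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass
        try:
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError, ValueError):
            # SSLError/closed socket: server refused; ValueError: this client cannot speak it.
            results[name] = False
    return results

def violations(results, minimum):
    """Versions older than `minimum` that the server nevertheless accepted."""
    order = list(VERSIONS)
    return [v for v in order[: order.index(minimum)] if results.get(v)]

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    minimum = sys.argv[3] if len(sys.argv) > 3 else "TLSv1.2"
    res = probe(host, port)
    for v, ok in res.items():
        print(f"{v:8s} {'accepted' if ok else 'refused'}")
    bad = violations(res, minimum)
    print("below-minimum versions accepted:", bad or "none")
    sys.exit(1 if bad else 0)
```

Like the openssl commands, this only sees what the WebLogic listen port accepts inbound; the outbound jdk.tls.client.protocols and https.protocols settings have to be checked from the server's own outgoing connections.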
