AnsweredAssumed Answered

Weblogic, SSL V2, and ssltest

Question asked by Steven Ostrove on Apr 10, 2014
Latest reply on Apr 10, 2014 by Steven Ostrove

The SSL Report for one of our WebLogic webservers was an "F" for two reasons.  They were:

 

"This server supports SSL V2, which is obsolete and insecure.  Grade set to F."

"This server supports anonymous (insecure) suites (see below for details). Grade set to F."

 

The second issue was fairly easy to remedy.  I specified which ciphers we wanted to support in the appropriate configuration file (config.xml) and a retest using ssltest confirmed that the Cipher Strength went from being in the brown with a value of 60, to being in the green with a value of 90.

 

The SSL V2 issue is harder to remedy.  According to Oracle documentation:

 

"WebLogic Server does not support SSL V2 communication, so the suggestion that it is being used is incorrect. WLS specifies TLS1.0 or SSL V3.0 as the preferred protocol in its SSL V2.0 client hello message, so while SSL V2 is used by WLS to send the client hello message, it is not used to communicate further."

 

I can see the logic of the ssltest in that a response is sent to the SSL V2 hello.  But, I think the automatic grade of "F" is also a bit misleading in this instance.

 

As my supervisor would like to see something other than an "F", does anyone have any suggestions?

 

Thanks in advance.

--

Steve Ostrove

UMBC


Outcomes