1.5.2 Choice of the SSL Cipher Suite

This topic describes about choice of the SSL cipher suite.

Oracle WebLogic Server allows SSL clients to initiate the SSL connection with a null cipher suite. The null cipher suite does not use any bulk encryption algorithm, as a result of which all data is transmitted over the wire.

The default configuration of Oracle WebLogic Server is to disable the null cipher suite. Make sure that the usage of the null cipher suite is disabled, preventing any client from negotiating an insecure SSL connection.

For installations with regulatory requirements that use high cipher suites, the Oracle WebLogic Server can be configured to support only certain cipher suites. The WebLogic domain can be restricted to config.xml.

Below is an example for config.xml that restricts the cipher suites to those supporting 128-bit symmetric keys or higher. It uses RSA for key exchange.

....
<ssl>
      <enabled>true</enabled> 
      <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
<ssl>
....

• The configuration of WebLogic Server to support the above cipher suites requires passing an additional command line argument to the WebLogic Server so that the FIPS 140-2 compliant crypto module is utilized. This is done by adding -Dweblogic.security.SSL.nojce=true as a JVM argument.
• The restriction on cipher suites must be done for every managed server.
• The order of cipher suites is important. Oracle WebLogic Server selects the first cipher suite available in the list, which also has client support.
• Cipher suites with RC4 are enabled despite it being second best to AES. This is mainly for older clients that do not support AES. For example, Microsoft Internet Explorer 6, 7, and 8 on Windows XP.