1.5.2 Choice of the SSL cipher suite

This topic describes about choice of the SSL cipher suite.

Oracle WebLogic Server allows SSL clients to initiate SSL connection with a null cipher suite. The null cipher suite does not employ use any bulk encryption algorithm, as a result of which all data is transmitted over the wire.

The default configuration of Oracle WebLogic Server is to disable the null cipher suite. Make sure that the usage of the null cipher suite is disabled, preventing any client from negotiating an insecure SSL connection.

Furthermore, for installations having regulatory requirements requiring the use of only ‘high’ cipher suites, Oracle WebLogic Server can be configured to support only certain cipher suites. The restriction can be done in config.xml of the WebLogic domain.

Below is an example for config.xml that restricts the cipher suites to those supporting 128-bit symmetric keys or higher. It uses RSA for key exchange.

....
<ssl>       
       <enabled>true</enabled>      
        <ciphersuite>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</ciphersuite>
</ssl>
....

• The configuration of the WebLogic Server to support the above cipher suites requires passing an additional command line argument to the WebLogic Server so that the FIPS 140-2 compliant crypto module is utilized. This is done by adding -Dweblogic.security.SSL.nojce=true as a JVM argument.
• The restriction on cipher suites must be done for every managed server.
• The order of cipher suites is important. The Oracle WebLogic Server selects the first cipher suite in the list, which is also has client support.
• Cipher suites with RC4 are enabled despite it being second best to AES. This is mainly for older clients that do not support AES. For example, Microsoft Internet Explorer 6, 7, and 8 on Windows XP.