4 Known Issues and Workarounds

This chapter describes the issues associated with Oracle HTTP Server.

Notes on Using the Default Wallet

Issue

Impacted Platforms: Generic

The default wallet shipped with Oracle HTTP Server 11.1.1.9 exists only so that users can reach the site through the HTTPS end point (default port 4443) for demonstration purposes; it is not intended for production use.

The certificate in the default wallet is signed with an MD5-based hash, which is no longer considered secure.

Workaround

Create a new wallet with the orapki utility and request a certificate signed with a stronger hashing algorithm, such as SHA256, as in the following example.

For example, create a wallet with auto_login_only enabled:

orapki wallet create -wallet wallet_location -auto_login_only

Add a self-signed root certificate to the wallet. The keysize option specifies the size, in bits, of the key pair generated for the certificate, and the sign_alg option specifies the hashing algorithm used for the certificate signature.

orapki wallet add -wallet wallet_location -dn certificate_dn -keysize 2048 -sign_alg sha256 -self_signed -validity 365 -auto_login_only

For information on the sign_alg option of orapki, see Secure an API Gateway Domain in Oracle Fusion Middleware Part 2. Manage an API Gateway Domain. For information on creating a wallet and adding a user certificate, see orapki in Administering Oracle Fusion Middleware.
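The orapki commands above create the wallet but give no way to confirm what was actually produced. The following script is added here as an example and is not taken from the Oracle documentation: it wraps the two orapki commands, exports the resulting self-signed certificate, and checks the certificate's signature algorithm with openssl so that an MD5-signed (or, beyond what this note says, SHA-1-signed, which current browsers also refuse) certificate is caught before the wallet is placed behind the HTTPS end point. The same check applies to the Internet Explorer TLS v1.2 failure described in the next issue. It assumes orapki and openssl are on PATH and the wallet directory is writable; the exported file name ohs-self-signed.pem is a choice made for this example.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation.
# Build a replacement wallet with a SHA-256 self-signed certificate, export
# that certificate, and confirm its signature algorithm before using it.
# Assumptions: orapki and openssl are on PATH; the wallet directory is writable.

# Print the signature algorithm of a PEM certificate as openssl names it,
# e.g. "sha256WithRSAEncryption". Prints nothing if the file cannot be parsed.
cert_signature_algorithm() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Exit 0 (true) if the algorithm name is MD2/MD4/MD5/SHA-1 based or empty
# (unparseable certificates are treated as unacceptable, not as unknown).
signature_is_weak() {
    case "$1" in
        md2*|md4*|md5*|sha1*|*SHA1*|"") return 0 ;;
        *) return 1 ;;
    esac
}

# Create the wallet exactly as the release note describes, then export the
# self-signed certificate so that it can be inspected outside the wallet.
# $1 = wallet directory, $2 = certificate DN, e.g. "CN=ohs.example.com"
create_sha256_wallet() {
    wallet_dir=$1
    cert_dn=$2
    orapki wallet create -wallet "$wallet_dir" -auto_login_only
    orapki wallet add -wallet "$wallet_dir" -dn "$cert_dn" -keysize 2048 \
        -sign_alg sha256 -self_signed -validity 365 -auto_login_only
    orapki wallet export -wallet "$wallet_dir" -dn "$cert_dn" \
        -cert "$wallet_dir/ohs-self-signed.pem"
}

# Accept or reject a certificate file for use on the HTTPS end point.
verify_cert_file() {
    alg=$(cert_signature_algorithm "$1")
    if signature_is_weak "$alg"; then
        echo "REJECT: $1 is signed with '${alg:-unparseable}'" >&2
        return 1
    fi
    echo "OK: $1 is signed with $alg"
}

# Usage: sh make_wallet.sh <wallet_dir> "<certificate_dn>"
if [ $# -eq 2 ]; then
    create_sha256_wallet "$1" "$2" && verify_cert_file "$1/ohs-self-signed.pem"
fi
```

Run it with the wallet location and DN you would otherwise pass to orapki; if the final line reads REJECT, the wallet was not built with sha256 and must not be referenced from ssl.conf.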

TLS v1.2 Fails with Internet Explorer When Using the Default Wallet

Issue

Impacted Platforms: Microsoft Windows

If you use this demonstration certificate with the TLS v1.2 protocol and attempt to access the Oracle HTTP Server HTTPS end point, recent browsers such as Internet Explorer 11 cannot complete the connection. This is because the demonstration certificate is signed with an MD5-based hash, which is no longer considered secure and which such browsers no longer accept.

Workaround

If you want to test the TLS v1.2 protocol with the Internet Explorer browser, create a new wallet and add a user certificate that uses one of the stronger hashing algorithms, such as SHA256. For an example of the orapki commands, see Notes on Using the Default Wallet.

Note:

Oracle HTTP Server 11.1.1.9 ships with a default self-signed certificate. This certificate is for demonstration purposes only and should not be used for development or production use cases.

Overriding the TLS Protocol with SSLv3 for IBM AIX Systems

Issue

Impacted Platforms: IBM AIX

If you use Fusion Middleware Control or WLST commands to configure Oracle HTTP Server on IBM AIX, the operations can fail. The Oracle HTTP Server log file shows SSL handshake errors when the JDK used by Oracle WebLogic Server is enabled only for the SSLv3 protocol. To avoid these errors, change the default value of the SSLProtocol directive in the admin.conf file ($INSTANCE_HOME/config/OHS/<component_name>/admin.conf).

Workaround

The default value of the SSLProtocol directive in the admin.conf file is All, which includes the TLS protocols. To drop the TLS protocols from that configuration and use only the SSLv3 protocol for the administration listener, follow these steps:

  1. Change the value of the SSLProtocol directive in the admin.conf file to SSLv3.
  2. Edit the startWeblogic.sh script to add the system property ohsadmin.ssl.protocol, as follows:
    JAVA_OPTIONS="${JAVA_OPTIONS} -Dohsadmin.ssl.protocol=SSLv3"

Both settings must agree: the directive governs what the Oracle HTTP Server administration listener accepts, and the system property governs what the WebLogic Server side offers. SSLv3 is an obsolete protocol, so apply this override only on the affected AIX hosts and revert both settings once the JDK used by WebLogic Server is enabled for TLS.

FMW Infrastructure Does Not Support Certain Protocols and Ciphers

Issue

Impacted Platforms: Generic

If you use Fusion Middleware Control or WLST commands to configure SSL for Oracle HTTP Server, you cannot configure the TLSv1.1 and TLSv1.2 protocols for the SSLProtocol directive, nor the ciphers listed in the Note below for the SSLCipherSuite directive.

Workaround

To enable or disable these protocols and ciphers, you must manually edit the <file-location>/config/ssl.conf file. For more information, see Configuring TLS v1.1 and TLS v1.2 Protocols and Ciphers in Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server.

Note:

The TLSv1.1 and TLSv1.2 protocols and the following ciphers are enabled by default.

  • SSL_RSA_WITH_AES_128_CBC_SHA

  • SSL_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

If SSL is enabled for Oracle HTTP Server virtual hosts, or the SSL configuration is modified from the SSL Configuration page of Fusion Middleware Control or through WLST commands, the configuration of the protocols and ciphers listed above is lost from the ssl.conf file. To make any change to the SSL configuration for these protocols and ciphers, edit the ssl.conf file directly by using the Advanced Configuration page in Fusion Middleware Control, and re-check the file after any later change made through the SSL Configuration page or WLST.

Certain Cipher Names are Invalid

Issue

Impacted Platforms: Generic

If you use Fusion Middleware Control or WLST to configure SSL for Oracle HTTP Server, choosing either or both of the ciphers TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA results in unexpected behavior from Oracle HTTP Server.

This is because Oracle HTTP Server does not recognize these cipher names as valid. The valid names are SSL_RSA_WITH_AES_128_CBC_SHA and SSL_RSA_WITH_AES_256_CBC_SHA respectively.

Workaround

To correct this problem, edit the ssl.conf file directly by using the Advanced Configuration page in Fusion Middleware Control and specify the correct cipher names.
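Because both this issue and the previous one come down to the contents of ssl.conf being wrong or silently reset, a practitioner will want a repeatable check rather than a visual inspection after every Fusion Middleware Control or WLST change. The following script is added here as an example and is not part of the Oracle documentation: it lists the cipher names in every SSLCipherSuite directive, flags the two TLS_RSA_WITH_AES_*_CBC_SHA names that Oracle HTTP Server does not recognize (exact match, so the valid *_SHA256 names are not flagged), checks that TLSv1.2 is enabled by an SSLProtocol directive, and writes a corrected copy with the SSL_ spellings. It assumes POSIX sh with awk, grep and sed, and Apache-style directive syntax (SSLCipherSuite names separated by commas or colons, SSLProtocol tokens separated by spaces); the sample configuration used to exercise it is constructed for this example and is not an Oracle HTTP Server default.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: lint an Oracle HTTP
# Server ssl.conf for cipher names OHS does not recognise and for a missing
# TLSv1.2, and produce a corrected copy. Assumes POSIX sh, awk, grep, sed.

# Print one cipher name per line from every SSLCipherSuite directive in $1.
list_ciphers() {
    awk '$1 == "SSLCipherSuite" {
            for (i = 2; i <= NF; i++) {
                n = split($i, t, /[,:]/)
                for (j = 1; j <= n; j++) if (t[j] != "") print t[j]
            }
        }' "$1"
}

# Exit 0 and print the offending names if $1 lists TLS_RSA_WITH_AES_128_CBC_SHA
# or TLS_RSA_WITH_AES_256_CBC_SHA. Exact match: the *_SHA256 names are valid.
find_invalid_cipher_names() {
    list_ciphers "$1" | grep -Ex 'TLS_RSA_WITH_AES_(128|256)_CBC_SHA'
}

# Exit 0 if protocol $2 (e.g. TLSv1.2) is enabled by an SSLProtocol directive
# in $1: listed by name or covered by "All", and not removed again by "-$2".
protocol_enabled() {
    awk -v want="$2" '
        $1 == "SSLProtocol" {
            for (i = 2; i <= NF; i++) {
                if ($i == want || tolower($i) == "all") found = 1
                if ($i == ("-" want)) found = 0
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Write a copy of $1 to $2 with the invalid names replaced by the SSL_ names.
# Only whole names are rewritten; TLS_RSA_WITH_AES_256_CBC_SHA256 is untouched.
fix_cipher_names() {
    sed -E 's/TLS_RSA_WITH_AES_(128|256)_CBC_SHA([,:[:space:]]|$)/SSL_RSA_WITH_AES_\1_CBC_SHA\2/g' \
        "$1" > "$2"
}

# Report every problem found in $1; exit 1 if there was at least one.
check_ssl_conf() {
    rc=0
    bad=$(find_invalid_cipher_names "$1" || true)
    if [ -n "$bad" ]; then
        echo "$1: cipher names OHS does not recognise (use the SSL_ spelling):"
        echo "$bad" | sed 's/^/    /'
        rc=1
    fi
    if ! protocol_enabled "$1" TLSv1.2; then
        echo "$1: TLSv1.2 is not enabled by any SSLProtocol directive"
        rc=1
    fi
    return $rc
}

# Usage: sh check_ssl_conf.sh <path-to>/config/ssl.conf
if [ $# -ge 1 ]; then
    check_ssl_conf "$1"
fi
```

Run the check after every change made through the SSL Configuration page or WLST; a non-zero exit means the hand-edited protocol or cipher settings were lost or never valid, and fix_cipher_names gives you a corrected copy to review before replacing the live file.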

After Patching Web Tier to 11.1.1.9 SSL Connection to WebLogic Server Fails

Issue

Impacted Platforms: All

After patching Web Tier/Oracle HTTP Server from 11.1.1.x to 11.1.1.9, the SSL protocol negotiation between mod_wl_ohs and WebLogic Server can fail, so proxied HTTPS connections to WebLogic Server no longer succeed.

Workaround

  1. Enable JSSE on the WebLogic Server instance that the plug-in connects to.

  2. Force the plug-in to a supported protocol between Oracle HTTP Server and WebLogic Server (for example, TLSv1) using the WebLogicSSLVersion parameter. See Configuring SSL with WebLogic Proxy Plug-In and Oracle WebLogic Server and SSL Parameters for Web Server Plug-Ins in Using Web Server Plug-Ins with Oracle WebLogic Server.