This chapter describes the features and improvements in Oracle HTTP Server. The following topics introduce the new and changed features of Oracle HTTP Server and other significant changes in the guides, and provide pointers to additional information.
This section describes the new features added to Oracle HTTP Server.
The current release of Oracle HTTP Server and Oracle Web Cache adds support for the TLSv1.1 and TLSv1.2 security protocols and the following ciphers. For the complete list of security protocols and ciphers supported by the current release of Oracle HTTP Server, see SSLProtocol and SSLCipherSuite in Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server.
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
This section describes changes to ciphers and security protocols.
If you are upgrading from an Oracle HTTP Server 10g or 11.1.1.x release to 11.1.1.9, Oracle recommends that you review the ciphers used in your configuration. Oracle HTTP Server has removed support for certain weak ciphers in this release. If these weak ciphers are used in your SSL configuration, then the server might fail to start, or requests from clients that use these ciphers will be denied. To correct this, update the SSLCipherSuite directive with the correct ciphers. For more information on the supported ciphers in the 11.1.1.9 release, see SSLCipherSuite in Administrator's Guide for Oracle HTTP Server.
The following example illustrates an SSLCipherSuite configuration using all of the valid ciphers for the 11.1.1.9 release. Note that the ciphers should be entered as a comma-delimited list: no spaces between the comma and the cipher name and no line breaks. Line breaks have been added to the following example only for readability:
SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Because of security concerns, the SSLv3 security protocol is disabled out-of-the-box in the Oracle HTTP Server 11.1.1.9 release.
If you are upgrading from an earlier release of Oracle HTTP Server, the SSLv3 and/or SSLv2 security protocol might be a part of your configuration. Oracle strongly recommends that you disable SSLv3 and SSLv2 in Oracle HTTP Server. For more information, see Disable SSLv2 and SSLv3 Security Protocols in Administrator's Guide for Oracle HTTP Server.
The SSLv3 security protocol is not supported by default; thus, it does not appear in the SSL configuration screen in Fusion Middleware Control.
Remove the cipher SSL_RSA_WITH_DES_CBC_SHA if it appears in your configuration. This cipher is not supported in the 11.1.1.9 release.
See also FMW Infrastructure Does Not Support Certain Protocols and Ciphers.
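The pre-upgrade review described above can be scripted. The following Python check is an added example, not Oracle tooling: it flags ciphers outside the 11.1.1.9 list given on this page, whitespace inside the cipher list, and SSLv2 or SSLv3 in SSLProtocol. The function name audit, the sample configuration, and the Apache-style +/- protocol tokens are assumptions.

```python
import re

# Ciphers this page lists as valid for the 11.1.1.9 release.
SUPPORTED = {
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}
LEGACY_PROTOCOLS = {"sslv2", "sslv3"}

def audit(conf_text):
    """Return (line_number, message) findings for SSL directives in conf_text."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        # Commented-out directives start with '#' and therefore never match.
        m = re.match(r"(?i)(SSLCipherSuite|SSLProtocol)\s+(.*)$", raw.strip())
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if name == "sslciphersuite":
            if re.search(r"\s", value):
                findings.append((n, "whitespace inside cipher list"))
            for cipher in filter(None, re.split(r"[,\s]+", value)):
                if cipher not in SUPPORTED:
                    findings.append((n, "unsupported cipher " + cipher))
        else:
            for tok in value.split():
                # Assumption: a leading '-' disables a protocol, Apache style.
                if tok.lstrip("+").lower() in LEGACY_PROTOCOLS:
                    findings.append((n, "legacy protocol enabled: " + tok.lstrip("+")))
    return findings

# Constructed sample, as might be carried over from an older release.
SAMPLE = """\
<VirtualHost *:4443>
  SSLEngine on
  SSLProtocol SSLv3 TLSv1
  SSLCipherSuite SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, msg in audit(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Run it against each ssl.conf before starting the upgraded server; an empty result means every configured cipher is on the page's 11.1.1.9 list and no SSLv2 or SSLv3 token is enabled.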