Solved

How to disable only TLSv1.0 in Oracle Sun One 7.1 Server

Posted on 2016-11-02
Last Modified: 2016-11-20
My apps colleague could only find the option to disable TLS completely, but no option
was found to disable just TLS 1.0 in Oracle Sun One 7.1.

We used https://www.ssllabs.com/ssltest to test our external public site.

Our F5 LB guys say their LB/LTM device does not pose this TLS 1.0 issue,
as the same LB also hosts other sites.

We issued "netstat -anv | grep 443" on the Solaris 10 server & found the process
webserverd (no httpd) listening on TCP 443 & my apps team says this is Sun One
& there's no other web server there.

Q1:
Is there a patch or a setting for Sun One to disable just TLS 1.0? The fact
that SSL 2 & 3 are set to No, it must have been set somewhere, right?
What did we miss?

Below are the results from the SSLLabs scan:
TLS 1.2      Yes
TLS 1.1      Yes
TLS 1.0      Yes  <== need to disable this
SSL 3       No
SSL 2       No

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK       256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK       128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK       256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK       256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits   FS   WEAK       128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK       128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits   FS   WEAK       112



Q2:
After going to TLSv1.2, will some of the above weak ciphers go away too?
0
Question by:sunhux
9 Comments
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 125 total points
ID: 41871555
You have to configure it. I don't run Oracle, but here are the setup pages:
https://docs.oracle.com/cd/B28359_01/network.111/b28530/asossl.htm#i1023429
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 250 total points
ID: 41871565
Website, OpenSSL based
!tlsv1
Check within your SSL config dealing with ciphers, protocol

https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

Are you using Apache httpd/tomcat?
0
 

Author Comment

by:sunhux
ID: 41872120
> Are you using Apache httpd/tomcat?
No, it's Sun One
0
 

Author Comment

by:sunhux
ID: 41872134
The link David gave doesn't look similar to Sun One
0

 
LVL 61

Assisted Solution

by:gheist
gheist earned 125 total points
ID: 41872192
A1: Can you show an online reference on WHY you should have SSL between proxy and backend inside your premises? In addition to the backend, you need to disable TLS1.0 in the F5 client.

A2: No. Ciphers and SSL versions are independent.
0
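For Q2, an added example (not part of the original thread or of any poster's reply): it parses the seven cipher lines from the scan in the question and works out which suites stay negotiable for a given set of enabled protocol versions. The function names and the protocol labels are assumptions of this example; the minimum-version rule follows RFC 5246 and RFC 5288.

```python
import re

# The seven cipher lines from the SSL Labs output quoted in the question.
SCAN = """\
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK       256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK       128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK       256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK       256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits   FS   WEAK       128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK       128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits   FS   WEAK       112
"""
ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]  # labels chosen for this example
LINE = re.compile(
    r"(TLS_\S+) \((0x[0-9a-f]+)\)\s+DH (\d+) bits\s+FS\s+(WEAK)?\s*(\d+)$")

def min_protocol(suite):
    """Lowest TLS version able to negotiate the suite."""
    # GCM (AEAD) suites and suites with a SHA-256/384 MAC arrived with TLS 1.2.
    if "_GCM_" in suite or suite.endswith(("_SHA256", "_SHA384")):
        return "TLSv1.2"
    return "TLSv1.0"  # CBC suites with a SHA-1 MAC work on 1.0, 1.1 and 1.2

def parse_scan(text):
    """Turn the scan lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append({"suite": m[1], "id": m[2], "dh_bits": int(m[3]),
                         "weak": m[4] == "WEAK", "min": min_protocol(m[1])})
    return rows

def negotiable(rows, enabled):
    """Suites usable on at least one of the enabled protocol versions."""
    return [r for r in rows
            if any(ORDER.index(v) >= ORDER.index(r["min"]) for v in enabled)]

def report(enabled):
    """Summary of what a scan would still list with these versions enabled."""
    rows = negotiable(parse_scan(SCAN), enabled)
    return {"offered": len(rows), "weak": sum(r["weak"] for r in rows),
            "dh_bits": sorted({r["dh_bits"] for r in rows})}

if __name__ == "__main__":
    print("now:          ", report({"TLSv1.0", "TLSv1.1", "TLSv1.2"}))
    print("TLS 1.0 off:  ", report({"TLSv1.1", "TLSv1.2"}))
```

With TLS 1.0 switched off, all seven suites are still negotiable and each still carries the 1024-bit DH parameter shown in the scan, so clearing the WEAK rating means changing the DH group size or the cipher list, not the protocol setting.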
 
LVL 76

Accepted Solution

by:arnold
arnold earned 250 total points
ID: 41872272
Sun One is presumably the product; the components are?
How did you disable sslv2, sslv3?
Using the same method, tlsv1 would disable 1.0, while explicitly enabling tlsv1.1 and tlsv1.2 and tlsv1.3 might achieve what you want.

Check the secure config ciphers, protocol settings, options.
0
 

Author Comment

by:sunhux
ID: 41875306
> How did you disable sslv2, sslv3
Excellent tip, I'm going to "grep -i ssl *" to see where it is.
0
 

Author Comment

by:sunhux
ID: 41876020
https://docs.oracle.com/cd/E19412-01/819-0425-11/3_SunONE.html

Above is the closest link I can find on Sun 1
0
 
LVL 61

Expert Comment

by:gheist
ID: 41876032
Latest Sun One application server was 6.5 and that is EOL 2009.

What server are you using for SSL really?
0
