Solved

How to disable only TLSv1.0 in Oracle Sun One 7.1 Server

Posted on 2016-11-02
Last Modified: 2016-11-20
My apps colleague could only find the option to disable TLS completely, but no option
was found to disable just TLS 1.0 in Oracle Sun One 7.1.

We used https://www.ssllabs.com/ssltest to test our external public site.

Our F5 LB guys say their LB/LTM device does not pose this TLS 1.0 issue,
as the same LB also hosts other sites.

We issued "netstat -anv | grep 443" on the Solaris 10 server & found the process
webserverd (no httpd) listening on TCP 443; my apps team says this is Sun One
& there's no other web server there.

Q1:
Is there a patch or a setting for Sun One to disable just TLS 1.0? Given
that SSL 2 & 3 are set to No, it must have been set somewhere, right?
What did we miss?

Below are the results from the SSLLabs scan:
TLS 1.2      Yes
TLS 1.1      Yes
TLS 1.0      Yes  <== need to disable this
SSL 3       No
SSL 2       No

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK       256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK       128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK       256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK       256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits   FS   WEAK       128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK       128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits   FS   WEAK       112



Q2:
After going to TLSv1.2, will some of the above weak ciphers go away too?
Question by:sunhux
9 Comments
 
LVL 81

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 125 total points
ID: 41871555
You have to configure it. I don't run Oracle, but here are the setup pages:
https://docs.oracle.com/cd/B28359_01/network.111/b28530/asossl.htm#i1023429
0
 
LVL 78

Assisted Solution

by:arnold
arnold earned 250 total points
ID: 41871565
Website, OpenSSL based
!tlsv1
Check within your SSL config dealing with ciphers, protocol

https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

Are you using Apache httpd/tomcat?
0
 

Author Comment

by:sunhux
ID: 41872120
> Are you using Apache httpd/tomcat?
No, it's Sun One
0

 

Author Comment

by:sunhux
ID: 41872134
The link David gave doesn't look similar to Sun One
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 125 total points
ID: 41872192
A1: Can you show an online reference on WHY you should have SSL between proxy and backend inside your premises? In addition to the backend, you need to disable TLS 1.0 in the F5 client.

A2: No. Ciphers and SSL versions are independent.
0
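The point in A2 above, worked through on the cipher rows from the question's scan, as an added example that is not part of the original thread. The function names, the 2048-bit DH threshold and the simplified rule in `min_protocol` are assumptions made for this illustration.

```python
import re

# Cipher rows copied from the SSL Labs output quoted in the question.
SCAN_ROWS = """\
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK       256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK       128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK       256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK       256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits   FS   WEAK       128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK       128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits   FS   WEAK       112
"""

ORDER = ["TLS 1.0", "TLS 1.1", "TLS 1.2"]
ROW = re.compile(r"(TLS_\w+)\s+\((0x[0-9a-f]+)\)\s+DH (\d+) bits")
MIN_DH_BITS = 2048  # assumption: DHE parameters below this size count as weak


def min_protocol(suite):
    """Lowest protocol version that can negotiate the suite.

    Simplified rule, sufficient for the suites in this scan: names ending
    in _SHA256/_SHA384 (GCM and SHA-2 MAC suites) exist only from TLS 1.2.
    """
    return "TLS 1.2" if suite.endswith(("_SHA256", "_SHA384")) else "TLS 1.0"


def parse_rows(text):
    """Turn the scan text into one dict per cipher suite row."""
    return [{"suite": m.group(1), "id": m.group(2), "dh_bits": int(m.group(3))}
            for m in ROW.finditer(text)]


def usable(rows, enabled):
    """Suites still negotiable when only the `enabled` protocols are on."""
    top = max(ORDER.index(v) for v in enabled)
    return [r for r in rows if ORDER.index(min_protocol(r["suite"])) <= top]


def weak_dh(rows):
    """Names of suites whose DH parameter size is below the threshold."""
    return [r["suite"] for r in rows if r["dh_bits"] < MIN_DH_BITS]


if __name__ == "__main__":
    rows = parse_rows(SCAN_ROWS)
    for label, enabled in [("as scanned", ORDER), ("TLS 1.0 disabled", ORDER[1:])]:
        left = usable(rows, enabled)
        print(f"{label}: {len(left)} suites, {len(weak_dh(left))} with DH < {MIN_DH_BITS}")
```

The WEAK flag on these rows comes from the 1024-bit DH parameters, so it stays until the DH group size or the cipher list is changed, whichever protocol versions are enabled.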
 
LVL 78

Accepted Solution

by:arnold
arnold earned 250 total points
ID: 41872272
Sun One is presumably the product; the components are?
How did you disable sslv2, sslv3?
Using the same method, tlsv1 would disable 1.0, while explicitly enabling tlsv1.1 and tlsv1.2 and tlsv1.3 might achieve what you want.

Check the secure config ciphers, protocol settings, options.
0
 

Author Comment

by:sunhux
ID: 41875306
> How did you disable sslv2, sslv3
Excellent tip, I'm going to "grep -i ssl *" to see where it is.
0
 

Author Comment

by:sunhux
ID: 41876020
https://docs.oracle.com/cd/E19412-01/819-0425-11/3_SunONE.html

Above is the closest link I can find on Sun 1
0
 
LVL 62

Expert Comment

by:gheist
ID: 41876032
Latest Sun One application server was 6.5 and that is EOL 2009.

What server are you really using for SSL?
0
