Modifying Weblogic Server to use TLS

血红的双手。 Submitted on 2019-12-12 03:19:20

Question


I have a VM running a Weblogic Server (running version 10.3.6) with 2 nodes. I also have a Tomcat server running on my host machine which runs an SSL web service, that the Weblogic Server has to connect to. I added the two startup parameters to the "Arguments" text area under startup:

-Dweblogic.security.SSL.protocolVersion=TLSv1.1 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1

I added these since the nodes were trying to connect using SSLv2 before, and causing a handshake error with Tomcat.

After adding these parameters, I still see the nodes trying to connect to Tomcat using SSLv2. I'm trying to get it to use TLS. What else can I do to get it to use TLS?


Answer 1:


You're probably not using SSLv2, but an SSLv3 or TLS1.x ClientHello wrapped into an SSLv2 ClientHello. See "Why does Java's SSLSocket send a version 2 client hello?" or "How to initiate ssl connection using SSLv2".

Note that the latest JSSE Reference Guide (JDK 8) says:

Note: As part of disabling SSLv3, some servers have also disabled SSLv2Hello, which means communications with SSLv2Hello-active clients (e.g. JDK 1.5/6) will fail. Starting with JDK 7, SSLv2Hello default to disabled on clients, enabled on servers.

The Java 7 release notes also say:

SSLv2Hello disabled by default on the client: In Java SE 7, SSLv2Hello is removed from the default enabled protocol list on the client.

It's possible that you're using an older JRE or that for whatever reason, SSLv2Hello was explicitly enabled on your clients.
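
To tell the two cases apart in a packet capture, the first bytes the client sends are enough. The following Python parser is an added example, not part of the original answers: it distinguishes SSLv2-style framing from a TLS record and reports the protocol version the client actually offers. The function name and the sample byte strings are constructed for illustration.

```python
import struct

# Version field values as they appear on the wire (major, minor).
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def classify_client_hello(data: bytes):
    """Return (framing, offered_version) for the first bytes a client sent."""
    if len(data) < 11:
        raise ValueError("need at least 11 bytes of the first flight")
    if data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 framing: 2-byte header (high bit set, 15-bit length),
        # msg type 1 (CLIENT-HELLO), version, then three 16-bit lengths.
        length = ((data[0] & 0x7F) << 8) | data[1]
        ciphers, session_id, challenge = struct.unpack(">HHH", data[5:11])
        if 9 + ciphers + session_id + challenge != length:
            raise ValueError("inconsistent SSLv2 CLIENT-HELLO lengths")
        framing, version = "SSLv2Hello", (data[3], data[4])
    elif data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        # TLS framing: record type 22 (handshake), 5-byte record header,
        # handshake type 1 (ClientHello), 3-byte length, client_version.
        framing, version = "TLS record", (data[9], data[10])
    else:
        raise ValueError("not a ClientHello in either framing")
    return framing, VERSIONS.get(version, "unknown %d.%d" % version)


# Constructed sample: SSLv2-framed hello offering TLSv1, the shape an older
# JSSE client with SSLv2Hello enabled produces.
SSLV2_FRAMED_TLS10 = (bytes([0x80, 47, 0x01, 3, 1])
                      + struct.pack(">HHH", 6, 0, 32)
                      + bytes.fromhex("00000400002f") + bytes(32))

# Constructed sample: TLS record carrying a ClientHello that offers TLSv1.1.
_body = bytes([3, 2]) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
_handshake = b"\x01" + len(_body).to_bytes(3, "big") + _body
TLS11_RECORD = b"\x16\x03\x01" + struct.pack(">H", len(_handshake)) + _handshake

if __name__ == "__main__":
    for name, sample in (("sslv2-framed", SSLV2_FRAMED_TLS10),
                         ("tls-record", TLS11_RECORD)):
        print(name, classify_client_hello(sample))
```

A result of ("SSLv2Hello", "TLSv1") means the client is offering TLS inside SSLv2 framing; only ("SSLv2Hello", "SSLv2") would be an actual SSLv2 offer.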




Answer 2:


The protocolVersion value should be TLS1 instead of TLSv1.1.

https://docs.oracle.com/middleware/1213/wls/SECMG/ssl_version.htm#SECMG636




Answer 3:


Setting -Dweblogic.security.SSL.minimumProtocolVersion=TLSv0 as a Java option will set the minimum protocol to SSLV3 and will eliminate the use of SSLV2. This worked for me.

TLSv0 is invalid, and WebLogic 12.1.3 will set SSLV3 as minimum.




Answer 4:


What is the Java version that you're using with WebLogic?

TLS 1.1 is available at Java 1.6 Update 111. That might be why it is not working. That using TLSv1 as value



Source: https://stackoverflow.com/questions/32016744/modifiying-weblogic-server-to-use-tls