我正在使用 weblogic 10.3.6 并配置了一个管理员和 4 个托管服务器。在监听 SSL 端口 7299 的其中一台托管服务器上,一种使用 key 大小为 2048 的证书启用 SSL 的方法。 当我尝试使用 Internet Explorer 9 访问部署在启用 SSL 的托管服务器上的应用程序时,我能够在 SSL 端口上打开应用程序的主页,但是只要我按下应用程序 GUI 上的任何按钮,它就会将我注销。
If I access same application on SSL port using Firefox 38.3.0, It shows the following error on browser
Server has a weak ephemeral Diffie-Hellman public key" or ERR_SSL_WEAK_EPHEMERAL_DH_KEY
If you see this error, it means that a secure connection can't be established because of outdated security code on the website. Chrome protects your privacy by preventing you from connecting to these sites. You won't be able to visit this page using Chrome.
If you're a website administrator, we recommend you update your server to support ECDHE and disable DHE. If ECDHE is unavailable, you can instead disable all DHE cipher suites and rely on plain RSA.
Later I got some options that weakens the mozilla firefox security as below.
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha
But after setting these variables false in firefox, my applications navigations are fine and works well.
I would add that when the https logs were captured using fiddler, I got to know the below
Client side ciphers available
Ciphers:
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
[C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[C007] TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
[C011] TLS_ECDHE_RSA_WITH_RC4_128_SHA
[002F] TLS_RSA_AES_128_SHA
[0035] TLS_RSA_AES_256_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
[0005] SSL_RSA_WITH_RC4_128_SHA
[0004] SSL_RSA_WITH_RC4_128_MD5
and the below are the server side ciphers
server side ciphers available
<DynamicJSSEListenThread[DefaultSecure] 28 cipher suites enabled:>
SSL_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_MD5>
SSL_RSA_WITH_RC4_128_SHA>
TLS_RSA_WITH_RC4_128_SHA>
TLS_RSA_WITH_AES_128_CBC_SHA>
TLS_DHE_RSA_WITH_AES_128_CBC_SHA>
TLS_DHE_DSS_WITH_AES_128_CBC_SHA>
SSL_RSA_WITH_3DES_EDE_CBC_SHA>
TLS_RSA_WITH_3DES_EDE_CBC_SHA>
<SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA>
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA>
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA>
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA>
SSL_RSA_WITH_DES_CBC_SHA>
TLS_RSA_WITH_DES_CBC_SHA>
SSL_DHE_RSA_WITH_DES_CBC_SHA>
TLS_DHE_RSA_WITH_DES_CBC_SHA>
SSL_DHE_DSS_WITH_DES_CBC_SHA>
TLS_DHE_DSS_WITH_DES_CBC_SHA>
SSL_RSA_EXPORT_WITH_RC4_40_MD5>
TLS_RSA_EXPORT_WITH_RC4_40_MD5>
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA>
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA>
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA>
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA>
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA>
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA>
TLS_EMPTY_RENEGOTIATION_INFO_SCSV>
There was one solution available on google, to replace the localPolicy.jar and US_export_Policy.jar in JDK with the unlimited encryption version. Although I tried the same, but still the same error persist.
Could you please suggest any fix on weblogic10.3.6 server for the same issue or any setting in IE 9.
I got the following solutions in the above post.
•Deploy ECDHE Cipher Suites
•Disable Export Cipher Suites
I am not sure how to do this in weblogic, can you please suggest.
Early response is highly appreciated.
最佳答案
如果您有 MOS,请查看此文档...文档 ID 1936300.1
您必须至少使用这些最低 Java 版本之一或更高版本...
如果使用 jRockit,请将您的 jRockit 版本更新到最低 1.6.0_101 如果使用 Oracle Java 6,请将 Java 6 更新到最低 1.6.0_101 如果使用 Oracle Java 7,请将 Java 7 更新到最低 1.7.0_85
您必须至少使用此最低 Weblogic 服务器版本...
WLS 10.3.6.0.12
Weblogic 必须利用 jsse ssl 实现来使用最新的 tsl 版本并禁用旧的 ssl 版本(sslv2 和 sslv3 版本)
一旦这两个都已更新(如果需要),您需要配置 JAVA_OPTIONS 环境变量。这将禁用旧的 ssl 版本并且只允许 TLS1 和更高版本...
导出 JAVA_OPTIONS=-Dweblogic.security.SSL.protocolVersion=TLS1
这将解决更新后的 firefox 和 chrome 浏览器在您导航到该站点时显示错误“服务器具有较弱的临时 Diffie-Hellman 公钥”的问题。我对 IE 没有任何问题,但我们已经升级到比 IE9 更高的 IE 版本。这将通过 poodle/diffie-hellman 漏洞检查。我仍在尝试弄清楚如何使用 weblogic 实现更强大的 2048 位而不是 1028 位 diffie-hellman 组,但上面的修复至少会消除错误并允许访问该站点。
关于internet-explorer - weblogic 的短暂 Diffie-Hellman 公钥错误,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/32960484/