Apache Httpd and Weblogic configured for SSL

Question

I have an Apache Httpd running as my RPS in front of some Weblogic and Coherence servers. I have the rps configured for ssl, and to deny SSLv3 and SSLv2 requests. So when I got to the specific url (Virtual IP) that houses the multiple servers I am fine.

I have a vulnerability scanner that says the server IP (different from site url) lets in SSLv3, and SSLv2 requests in. But when scanning the VIP for the site it says I am fine because Apache is configured.

My thoughts on this are to set up both Apache and Weblogic for SSL. Would this be a good idea? or am I being more paranoid than I should be?

Suggestions?

score 1 · Answer 1 · edited Apr 13 '17 at 12:14

1

You can have weblogic use just TLS and termincate SSLv3/2 connections. Check this post "Weblogic Mitigate POODLE vulnerability after upgrade and still use CBC ciphers".

He suggests upgrading java to 7u75 or using -Dweblogic.security.SSL.protocolVersion= Check this page for SSL weblogic, you will find it helpful

http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#SECMG499

edited Apr 13 '17 at 12:14

Community

1

answered May 06 '15 at 17:00

Hououin Kyouma

146

Apache Httpd and Weblogic configured for SSL

1 Answers1