Weblogic SSL Hostname Verifier

Issue:

javax.net.ssl.SSLKeyException: Hostname verification failed: HostnameVerifier=weblogic.security.utils.SSLWLSHostnameVerifier, hostname=myserver.mydomain.com.
at weblogic.security.SSL.jsseadapter.JaSSLEngine.doPostHandshake(JaSSLEngine.java:677)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:748)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.unwrap(JaSSLEngine.java:132)
at weblogic.socket.JSSEFilterImpl.unwrap(JSSEFilterImpl.java:611)
at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:515)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:98)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:77)
at weblogic.socket.JSSESocket.startHandshake(JSSESocket.java:240)
at weblogic.net.http.HttpsClient.New(HttpsClient.java:574)
at weblogic.net.http.HttpsClient.New(HttpsClient.java:545)
at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:230)

Diagnosis:

Due to wildcard in the host certificate.

Resolution:

The default hostname verifier in weblogic does not support wildcard certificate, and need to use the wildcard verifier as below:

  1. Go to the WebLogic admin console -> Environment -> Servers -> your server -> Configuration -> SSL
  2. Click “Lock & Edit”
  3. Open the “Advanced” flap
  4. Change “Hostname Verification” from “BEA Hostname Verifier” to “Custom Hostname Verifier”
  5. Set “Custom Hostname Verifier” to security.utils.SSLWLSWildcardHostnameVerifier
  6. Click “Save” and then “Activate Changes”
  7. Restart your server.

 

References:

http://serverfault.com/questions/503751/certificate-verification-error-when-sending-a-service-request-from-weblogic

http://docs.oracle.com/cd/E28280_01/web.1111/e13707/ssl.htm#SECMG571

 

Set up Apache Httpd 2.2 to cache static contents from Weblogic / Tomcat / Jboss backend

Configuration:

Add below to conf.d/backend.conf

<IfModule mod_cache.c>
<IfModule mod_disk_cache.c>
CacheRoot “/var/cache/mod_proxy/”
CacheEnable disk “/”
CacheDirLevels 2
CacheDirLength 1

CacheLock on
CacheLockPath “/tmp/mod_cache-lock”
CacheLockMaxAge 5
</IfModule>

# These only valid for Apache httpd 2.4
#CacheQuickHandler off
#CacheHeader on
#CustomLog “logs/cached-requests.log” common env=cache-hit
#CustomLog “logs/uncached-requests.log” common env=cache-miss
#CustomLog “logs/revalidated-requests.log” common env=cache-revalidate
#CustomLog “logs/invalidated-requests.log” common env=cache-invalidate

</IfModule>

 

How to check:

1) Check access logs for Apache as well as the backend

2) Confirm that there are files in CacheRoot

#ls -R /var/cache/mod_proxy

 

References:

https://httpd.apache.org/docs/2.2/caching.html

https://httpd.apache.org/docs/current/mod/mod_cache.html

 

Systemctl for Weblogic in RHEL7

If you have existing start/stop scripts that can start/stop all admin and managed servers in one shot, below would be the configuration for systemctl:

1) Prepare file /etc/systemd/system/wls_myservice.service

[Unit]
Description=Weblogic Startup
After=network.target

[Service]
Type=forking
User=weblogic
Group=weblogic
TimeoutSec=300
ExecStart=/appl/myservice/bin/start.sh
ExecStop=/appl/myservice/bin/stop.sh
Restart=no

[Install]
WantedBy=multi-user.target

 

2) Enable the service from systemctl
systemctl enable wls_myservice
systemctl daemon-reload

 

3) Test
systemctl start wls_myservice
systemctl status wls_myservice -l

systemctl stop wls_myservice
systemctl status wls_myservice -l

Simple SSL Perfomance Comparison

Command used to test:

# openssl s_time -connect localhost:$PORT -new

Tomcat APR/Native:
2011 connections in 10.67s; 188.47 connections/user sec, bytes read 0
2011 connections in 31 real seconds, 0 bytes read per connection

JBoss Java connector:
460 connections in 11.01s; 41.78 connections/user sec, bytes read 0
460 connections in 31 real seconds, 0 bytes read per connection

Apache:
2753 connections in 14.43s; 190.78 connections/user sec, bytes read 0
2753 connections in 31 real seconds, 0 bytes read per connection

Weblogic:
797 connections in 3.81s; 209.19 connections/user sec, bytes read 0
797 connections in 31 real seconds, 0 bytes read per connection

Conclusion:

  1. Using APR/Native is better for performance.
  2. Weblogic is quite OK, performance better than JBoss, considering that it is using JDK 6 (will try with JDK 7 & 8 later).

Updates (26 Oct 2016)

Weblogic + JDK 7
1103 connections in 2.86s; 385.66 connections/user sec, bytes read 0
1103 connections in 31 real seconds, 0 bytes read per connection

Weblogic + JDK 8
889 connections in 4.27s; 208.20 connections/user sec, bytes read 0
889 connections in 31 real seconds, 0 bytes read per connection

Testing Weblogic 11g SSL/TLS using testssl.sh

The WLS environment configuration:

WLS 10.3.6 + JDK 6 update 121

HTTPS listening on port 8002

Added to setDomainEnv.sh:

JAVA_OPTIONS=”${JAVA_OPTIONS} -Dweblogic.security.SSL.protocolVersion=ALL -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2″

Added to config.xml:
true
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA

false
false
8002 false
localhost

true

Output from testssl.sh:

[root@localhost tmp]# ./testssl.sh localhost:8002

No engine or GOST support via engine with your /usr/bin/openssl

###########################################################
testssl.sh 2.7dev from https://testssl.sh/dev/
(1.396a 2016/09/29 23:12:09)

This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using “OpenSSL 1.0.1e-fips 11 Feb 2013” [~121 ciphers] on
localhost.dummy.com:/usr/bin/openssl
(built: “May 2 06:13:20 EDT 2016”, platform: “linux-x86_64”)
Testing now (2016-10-19 15:48) —> 127.0.0.1:8002 (localhost) Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
SPDY/NPN not offered

–> Testing ~standard cipher lists

Null Ciphers not offered (OK)
Anonymous NULL Ciphers not offered (OK)
Anonymous DH Ciphers not offered (OK)
40 Bit encryption not offered (OK)
56 Bit encryption Local problem: No 56 Bit encryption configured in /usr/bin/openssl
Export Ciphers (general) not offered (OK)
Low (<=64 Bit) not offered (OK) DES Ciphers not offered (OK) Medium grade encryption not offered (OK) Triple DES Ciphers not offered (OK) High grade encryption offered (OK) –> Testing (perfect) forward secrecy, (P)FS — omitting 3DES, RC4 and Null Encryption here

PFS is offered (OK) DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA

–> Testing server preferences

Has server cipher order? nope (NOT ok)
Negotiated protocol TLSv1.2
Negotiated cipher DHE-RSA-AES128-SHA256, 1024 bit DH (limited sense as client will pick)
Negotiated cipher per proto (limited sense as client will pick)
DHE-RSA-AES128-SHA256: TLSv1.2
No further cipher order check has been done as order is determined by the client

–> Testing server defaults (Server Hello)

TLS server extensions renegotiation info
Session Tickets RFC 5077 (none)
Server key size 2048 bit
Signature Algorithm SHA256 with RSA
Fingerprint / Serial SHA1 46769492622E914CC82C5DBA56F11036A1309550 / 5805C3D5
SHA256 ABDA2FC2D38A93410A8B7FB31E8761743323075363D09CAC716CB69A975C0196
Common Name (CN) localhost.dummy.com (CN in response to request w/o SNI: localhost.dummy.com)
subjectAltName (SAN) —
Issuer localhost.dummy.com (Unknown from MY)
EV cert (experimental) no
Certificate Expiration >= 60 days (2016-10-18 14:40 –> 2026-10-16 14:40 +0800)
# of certificates provided 1
Chain of trust (experim.) Your /usr/bin/openssl is too old, needed is version >=1.0.2
Certificate Revocation List —
OCSP URI —
OCSP stapling not offered
TLS clock skew 0 sec from localtime
–> Testing HTTP header response @ “/”

HTTP Status Code 404 Not Found (Hint: supply a path which doesn’t give a “404 Not Found”)
HTTP clock skew 0 sec from localtime
Strict Transport Security —
Public Key Pinning —
Server banner (no “Server” line in header, interesting!)
Application banner X-Powered-By: Servlet/2.5 JSP/2.1
Cookie(s) (none issued at “/”)
Security headers —
Reverse Proxy banner —
–> Testing vulnerabilities

Heartbleed (CVE-2014-0160) not vulnerable (OK) (timed out)
CCS (CVE-2014-0224) not vulnerable (OK) (timed out)
Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no HTTP compression (OK) (only supplied “/” tested)
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507), experim. Check failed: seems like TLS 1.2 is the only protocol
FREAK (CVE-2015-0204) not vulnerable (OK) (tested with 4/9 ciphers)
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK) (tested w/ 2/4 ciphers only!), common primes not checked. See below for any DH ciphers + bit size
BEAST (CVE-2011-3389) no SSL3 or TLS1
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
–> Testing all locally available 121 ciphers against the server, ordered by encryption strength

Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
———————————————————————————————————————–
x67 DHE-RSA-AES128-SHA256 DH 1024 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
x33 DHE-RSA-AES128-SHA DH 1024 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
Done now (2016-10-19 15:49) —> 127.0.0.1:8002 (localhost) <—

Summary: 

With above configuration, all OK except “Server cipher order” and “Secure Client-Initiated Renegotiation”. Tried with these flags but still client renegotiation NOT OK.

-Dsun.security.ssl.allowUnsafeRenegotiation=false -Dsun.security.ssl.allowLegacyHelloMessages=false

References:

https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)

https://testssl.sh/

http://stackoverflow.com/questions/29172833/weblogic-12c-is-there-any-flag-to-ensure-the-cipher-order-on-ssl-configuration (This seems to indicate that even WLS 12c does not has any configuration to enable cipher order)

http://www.oracle.com/technetwork/java/javase/overview/tlsreadme-141115.html