Story

Configuring SSL Cipher Suites on Weblogic Server

Cipher suites play an integral part in establishing secure communications between a client and server using the SSL/TLS protocol. Cipher suites determine the ciphers to be used, the key exchange algorithms as well as message authentication codes.

The SSL protocol uses a combination of public-key and symmetric key encryption. Symmetric key encryption is much faster than public-key encryption, but public-key encryption provides better authentication techniques.

DETAILS

Introduction

An SSL session always begins with an exchange of messages called the SSL handshake. The handshake allows the server to authenticate itself to the client using public-key techniques, then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection during the session that follows.

The client presents a list of cipher suites it supports but the server makes the final decision as to which cipher suite will be used. The server is limited to choosing from the presented list of cipher suites.

Cipher Suite Composition

A Cipher Suite is composed of the following:

Encryption

Block Cipher

RC2

DES

Triple-DES

Stream Cipher

RC4

Hash Function

SHA or SHA1

MD5

Cipher Spec examples

NULL_MD5

NULL_SHA

RC4_MD5_EXPORT

RC2_MD5_EXPORT

DES_MD5_EXPORT

DES_SHA_EXPORT

TRIPLE_DES_MD5_EXPORT

Encryption + Hash Function ===> Cipher Spec

Cipher Spec + Authentication/Key Exchange ===> Cipher Suite

As stated above, the Cipher Suite is a combination of the following four attributes:

Key Exchange Algorithm:

RSA or Diffie-Hellman variants.

Authentication Algorithm:

RSA, Diffie-Hellman, DSS or none.

Cipher/Encryption Algorithm:

DES, Triple-DES, RC4, RC2, IDEA or none.

MAC Digest (Hash) Algorithm:

MD5, SHA or SHA1.

Definition

 

We can now define Cipher Suite as: A cipher suite is a named combination of authentication, encryption, and message authentication code (MAC) algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) network protocol.

 

Cipher Suite Strength

 

Cipher suites are available that provide a variety of different encryption "strengths." The strongest cipher suites for example provide Advanced Encryption Standard (AES) which supports 128- or 256-bit encryption, or Triple DES (3DES) which provides 168-bit encryption. On the other hand the weakest, for example, provide no encryption and weaker message authentication.

 

How to enable 256 bit encryption (Strongest Cipher Suite) in WebLogic Server

 

WebLogic Server 12.1 supports various Cipher Suites supported by the JDK-default JSSE provider. For backward compatibility, the JSSE-based SSL implementation accepts Certicom cipher suite names for cipher suites that are compatible with SunJSSE provider. However Oracle does not encourage future use of Certicom cipher suite names.

 

The set of cipher suites supported by the JDK-default JSSE provider, SunJSSE, is available at http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html.

 

With JSSE, the cipher suites selected by default are stronger as compared to Certicom SSL and have slower performance. Also by default the anonymous and strongest Cipher Suites are disabled.

 

If we want to use the strongest Cipher suites (256 bit encryption) like AES_256 (TLS_RSA_WITH_AES_256_CBC_SHA), we have to install the unlimited encryption JCE policy. It is dependent on the JDK version.

Using the following URL, download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files that correspond to the version of your JDK: http://www.oracle.com/technetwork/java/javase/downloads/index.html.

 

In order to enable the specific Cipher Suite to use we need to configure the <ciphersuite> element in the <ssl> element in the DOMAIN_HOME/config/config.xml file, as follows:

 

<ssl>

  <name>examplesServer</name>

  <enabled>true</enabled>

  <listen-port>7002</listen-port>

  <ciphersuite> TLS_RSA_WITH_AES_256_CBC_SHA </ciphersuite>

  ...

</ssl>