By default, when Oracle HTTP Server (OHS) 11g uses HTTPS for secure connections such as for Forms and Reports, SSL (Secure Sockets Layer) v3.0 and TLS (Transport Layer Security) v1.0 are both configured. SSL is the original protocol used for secure connections via HTTPS, while TLS is the newer, more secure protocol. In recent months, a security vulnerability known as Poodle, “Padding Oracle On Downgraded Legacy Encryption”, was discovered. In summary, Poodle is a “man-in-the-middle” exploit which can allow hackers to view encrypted information. More information on Poodle can be found on Oracle’s website: http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
The vulnerability exists in SSL v3.0, which is commonly used as the protocol for HTTPS connections to OHS. The TLS protocol does not contain this vulnerability. If OHS is configured for both (it is by default) and the end-user’s Web browser has SSL v3.0 and TLS v1.0 both enabled, there is a possibility that the HTTPS connection to OHS may be negotiated using SSL v3.0 instead of TLS v1.0.
The best approach is to configure OHS to only use TLS v1.0. With this, all end-users will be forced to use TLS 1.0 on all HTTPS connections to that OHS environment, whether it is used for running deployed Web applications, Oracle Forms and Reports applications (whether using the embedded OHS server which comes with Oracle Forms and Reports or using a WebGate for organizations using OAM for SSO), Oracle Discoverer, or other Oracle Fusion Middleware applications. The changes are quick and easy to deploy, requiring minimal downtime (only minutes). Also, no new SSL/TLS certificates will need to be created. Implementing TLS v1.0 only for OHS 11g can be done with these steps:
1. Go to %ORACLE_INSTANCE%\config\OHS\ohs1 ($ORACLE_INSTANCE/config/OHS/ohs1 in Unix environments)
2. Make a backup of ssl.conf
3. Open up ssl.conf in a text editor
4. Locate the SSLProtocol parameter. Notice that it reads: SSLProtocol nzos_Version_1_0 nzos_Version_3_0
5. Comment out this line and add the following entry on the line directly below it:
SSLProtocol nzos_Version_1_0
NOTE: This is the parameter to specify only TLS v1.0
6. Save and close the file
7. Restart OHS using either OPMN or Enterprise Manager
Examples:
Windows: %ORACLE_INSTANCE%\bin\opmnctl restartproc ias-component=ohs1
Unix: $ORACLE_INSTANCE/bin/opmnctl restartproc ias-component=ohs1
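The steps above (backup, comment out the default SSLProtocol line, add the TLS-only line, restart) as one POSIX shell script. This is an added example, not code from the original post or from Oracle; it assumes $ORACLE_INSTANCE is set, the component name is ohs1 as in the post, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example: switch an OHS 11g ssl.conf from SSLv3+TLS1.0 to TLS 1.0 only.
# Assumes $ORACLE_INSTANCE is set and the OHS component is named ohs1.

# disable_sslv3 <path to ssl.conf>
# Copies ssl.conf to ssl.conf.bak, comments out every active SSLProtocol line
# and writes "SSLProtocol nzos_Version_1_0" (TLS 1.0 only) directly below it.
disable_sslv3() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp "$conf" "$conf.bak" || return 1
    awk '
        /^[[:space:]]*SSLProtocol[[:space:]]/ {
            print "#" $0                          # keep the old line, commented out
            print "SSLProtocol nzos_Version_1_0"  # nzos_Version_3_0 removed -> no SSLv3
            next
        }
        { print }
    ' "$conf.bak" > "$conf"
}

# active_protocols <path to ssl.conf>
# Prints the protocol list of every uncommented SSLProtocol line, for a
# post-change check that only nzos_Version_1_0 remains.
active_protocols() {
    awk '/^[[:space:]]*SSLProtocol[[:space:]]/ { $1 = ""; sub(/^ /, ""); print }' "$1"
}

# restart_ohs: step 7 of the post, via OPMN (hypothetical wrapper name).
restart_ohs() {
    "$ORACLE_INSTANCE/bin/opmnctl" restartproc ias-component=ohs1
}

# Typical use on the live instance (not executed here):
#   disable_sslv3 "$ORACLE_INSTANCE/config/OHS/ohs1/ssl.conf" && restart_ohs
```

After the restart, `active_protocols "$ORACLE_INSTANCE/config/OHS/ohs1/ssl.conf"` should print only `nzos_Version_1_0`.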
Now that the OHS server is configured for TLS v1.0 only, all end users will need to make sure that TLS 1.0 is enabled in their Web browsers:
Internet Explorer:
NOTE: It is likely that TLS 1.0 is enabled in Internet Explorer, but it is recommended to check anyway.
Go to Tools -> Internet Options (or simply Internet Options from the menu in the top-right corner)
In the Advanced tab, scroll down to the Security section. Make sure “Use TLS 1.0” is enabled.
Mozilla Firefox and Google Chrome:
All current releases of Firefox and Chrome have at least TLS 1.0 already enabled.
After applying the steps above, you should be using TLS for anything served by the OHS server (Web pages, Forms, etc.) over the HTTPS protocol.
NOTE: OHS 11g (e.g. 11.1.1.7.0) is currently only supported to use TLS 1.0. Only OHS 12c (12.1.x) can use TLS 1.1 or higher which is currently not usable for Oracle Forms and Reports 11gR2.
Source: Oracle Support note 1936300.1
The post Switching from SSL to TLS for Oracle HTTP Server 11g appeared first on PITSS Americas.