One of our project environments is on WebLogic 10.3.5. Server Identity key was created with 2048 bits. JSSE is already enabled. Our environment was running JRockit 6 update 31.
Recently, we started getting SSL errors while accessing secure content in the environment. When accessing it via Chrome, we got the following error:
Server has a weak ephemeral Diffie-Hellman public key. ERR_SSL_WEAK_SERVER_
Cause
The latest browsers show the above error if the server allows/accepts DHE_EXPORT ciphers. WebLogic 10.3.5 running on JDK/JRockit 6 allows DHE_EXPORT ciphers.
Solution
The available ciphers are controlled by the JDK, and Oracle has released a critical patch to remove the DHE_EXPORT ciphers. For JDK 6, it is available as part of the JDK 1.6.0_101 update. The equivalent JRockit version can be found at JRockit Equivalent for JDK 6 Updates.
Configuring our WebLogic environment with JRockit R28.3.7 resolved the issue.
As a long-term measure, we would be moving to WebLogic 10.3.6 and JDK 7.
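To confirm the result after switching JVMs, the following added example (not part of the original post or of Oracle's tooling) lists any export-grade DH/DHE suites that the running JVM still enables by default. The class name `ExportDheAudit` is hypothetical, and the check assumes the server uses the JVM's default JSSE suites rather than an explicit cipher list in its own configuration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocketFactory;

// Added example, not from the original post. Java 6 compatible so it can be
// compiled and run with the same JRockit/JDK binary that starts WebLogic:
//   javac ExportDheAudit.java && java ExportDheAudit
public class ExportDheAudit {

    // Export-grade suites carry "_EXPORT_" in their JSSE name.
    static boolean isExport(String suite) {
        return suite.contains("_EXPORT_");
    }

    // Finite-field DH key exchange: SSL_/TLS_ followed by DHE_ or DH_
    // (ECDHE_ and ECDH_ suites do not match).
    static boolean isDh(String suite) {
        return suite.matches("(SSL|TLS)_DHE?_.*");
    }

    // Returns the suites that are both export-grade and DH-based.
    static List<String> exportDh(String[] suites) {
        List<String> hits = new ArrayList<String>();
        for (String s : suites) {
            if (isExport(s) && isDh(s)) {
                hits.add(s);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        SSLServerSocketFactory f =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        List<String> enabled = exportDh(f.getDefaultCipherSuites());
        List<String> supported = exportDh(f.getSupportedCipherSuites());
        supported.removeAll(enabled); // present in the JVM but off by default

        System.out.println("JVM: " + System.getProperty("java.vm.name")
                + " " + System.getProperty("java.version"));
        System.out.println("Export DH suites enabled by default: " + enabled);
        System.out.println("Export DH suites supported but not enabled: " + supported);

        // Non-zero exit lets a deployment script fail on an unpatched JVM.
        System.exit(enabled.isEmpty() ? 0 : 1);
    }
}
```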
Reference
- WLS and EM 12c: Accessing EM and Weblogic Console URL in Browser Gives Error “ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY” (Doc ID 2054204.1)
- Transport Layer Security (TLS) Supportability For WebLogic Server (Doc ID 1492141.1)
- All Java SE Downloads on MOS (Doc ID 1439822.1)
- JRockit Equivalent for JDK 6 Updates