Impact / risk of enabling -DUseSunHttpHandler on WebLogic 10.3.0

I am developing an application that makes a request to a third party service through a proxy.

My application is running on WebLogic 10.3.0 and I am facing a BAD_CERTIFICATE exception as follows.

 javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at com.certicom.tls.record.WriteHandler.write(Unknown Source)
    at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)


There are many tips on the internet saying that adding -DUseSunHttpHandler=true will fix the problem, as the third party has renewed their certificates (128 bits to 256 bits). The solution works great; however, the problem is that I cannot find an official article that clearly states that Certicom only supports up to 128 bits and that, in order to solve it, we need to enable JSSE, which I think SunHttpHandler uses.

Another issue here: "Is the impact of using SunHttpHandler known?" I understand that as of 10.3.3 or 10.3.5 Certicom will be deprecated and JSSE will be used by default, but updating WebLogic is not an option at the moment.

+3




1 answer


Microsoft and Google have announced plans to phase out SHA-1, which could affect sites with SHA-1 certificates that will expire after December 31, 2015.

Certificates can be generated using different "hash algorithms" including

1) SHA1: 160-bit hash

2) SHA2: a family of two similar hash functions with different block sizes known as SHA-256 and SHA-512 (this is a newer algorithm)

Until recently, only SHA1 was supported in WebLogic. But since WebLogic 10.3.3, SHA2 is also supported.

If you want to use a certificate with a SHA2 hash, you will need to enable JSSE SSL (which trusts stronger certificates like SHA2).

Oracle strongly recommends updating to the latest WebLogic Maintenance Pack and the latest JDK patch, as there are some known issues with JSSE SSL on lower WebLogic service packs and Java patches. You should be using WebLogic 10.3.6 at minimum.

SHA2 (SHA256, etc.) is supported from WebLogic 11g (10.3.6), but such certificates will only work with the JSSE implementation (-Dweblogic.security.SSL.enableJSSE=true).

You can check the SSL Certificates FAQ for WebLogic in the official documentation above, on Oracle Metalink (support.oracle.com).

+2
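
To confirm what the third party actually changed in its renewed certificate, here is an added shell helper (not from the question or the answer above) that reads a PEM certificate with openssl and reports its signature hash family and key size, so you can tell a SHA-2 signature (which needs JSSE on WebLogic 10.3.x, per the answer) from a legacy SHA-1 one. The script name certcheck.sh and the certificate file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): classify a server certificate's signature
# hash so you can tell whether the renewed certificate is SHA-2 signed, which the Certicom
# SSL stack in WebLogic 10.3.0 does not accept and JSSE does. Requires openssl.

# Map an X.509 signature algorithm name (as printed by "openssl x509 -text") to its hash family.
classify_sig_alg() {
  case "$1" in
    *sha1*|*SHA1*|*md5*|*MD5*) echo "SHA-1/MD5 (legacy signature)" ;;
    *sha224*|*sha256*|*sha384*|*sha512*|*SHA224*|*SHA256*|*SHA384*|*SHA512*)
      echo "SHA-2 (needs JSSE on WebLogic 10.3.x)" ;;
    *) echo "unknown" ;;
  esac
}

# Extract the signature algorithm name from a PEM certificate file (first occurrence).
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Extract the public key size in bits from a PEM certificate file.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | grep -o '([0-9]* bit)' | head -n 1 | tr -dc '0-9'
}

# Print one line per certificate: algorithm, hash family and key size.
report_cert() {
  alg=$(cert_sig_alg "$1")
  printf '%s: signature=%s -> %s, key=%s bits\n' \
    "$1" "$alg" "$(classify_sig_alg "$alg")" "$(cert_key_bits "$1")"
}

# Usage: sh certcheck.sh server.pem
# (save the peer chain first with: openssl s_client -connect host:443 -showcerts </dev/null)
if [ "$#" -gt 0 ]; then
  for f in "$@"; do report_cert "$f"; done
fi
```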

