Weblogic SSL and Google Chrome

During our implementation of a new JDE Oneworld (Enterprise One) environment, we encountered an issue after enabling SSL on our web instances. Internet Explorer was quite happy with the configuration, but attempting to load the page in Chrome resulted in an error:

‘SSL Server probably obsolete.
ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION’.

A quick search revealed that this meant that the server was willing to communicate on SSLv3 (which is a huge issue due to the POODLE vulnerability). So we needed to limit what SSL/TLS versions the server was using – more specifically, we want it to only use TLS 1.2, as both SSLv2 and SSLv3 have major vulnerabilities and all our clients are modern enough to support TLS 1.2 (so why use anything older?).

More canny googling also revealed the solution. We needed to add a new startup argument to the web instance:

-Dweblogic.security.SSL.protocolVersion=TLSv1.2

This would force the web server to use TLS 1.2 and refuse older SSL or TLS protocol versions.

[Screenshot: server start]

Unfortunately, after applying this configuration and restarting the web instance, the error remained. It took quite a lot of frustration and more than a little Oracle Knowledgebase diving before we stumbled on what we had missed.

In order to use the -Dweblogic.security.SSL.protocolVersion argument, you must be using JSSE SSL. This was not enabled by default on our web instances (which had been created automatically during the JDE install process). This setting lives under General -> SSL -> Advanced.

[Screenshot: jsse ssl]

After enabling ‘Use JSSE SSL’, saving and activating the configuration, and restarting the web instance, the error disappeared.
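
To catch the same gap on other instances, a domain's config.xml can be checked for servers where the flag is set but JSSE is off. This is an added example, not part of the original post or any Oracle tooling. The sample XML is constructed, and the element names (ssl/jsse-enabled, server-start/arguments) and the choice to treat a missing jsse-enabled element as disabled are assumptions to confirm against your own domain's file.

```python
import re
import xml.etree.ElementTree as ET

FLAG = "-Dweblogic.security.SSL.protocolVersion"

# Constructed sample, not a real domain file. Element names are assumed to
# match config.xml; server names are made up.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
<server><name>jde_web_1</name>
  <ssl><enabled>true</enabled></ssl>
  <server-start><arguments>-Xmx1024m -Dweblogic.security.SSL.protocolVersion=TLSv1.2</arguments></server-start>
</server>
<server><name>jde_web_2</name>
  <ssl><enabled>true</enabled><jsse-enabled>true</jsse-enabled></ssl>
  <server-start><arguments>-Dweblogic.security.SSL.protocolVersion=TLSv1.2</arguments></server-start>
</server>
<server><name>jde_web_3</name>
  <ssl><enabled>true</enabled><jsse-enabled>true</jsse-enabled></ssl>
</server>
</domain>"""

def audit(config_xml):
    """Return {server name: finding} for every SSL-enabled server."""
    root = ET.fromstring(config_xml)
    for el in root.iter():                      # drop the XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = {}
    for server in root.findall("server"):
        name = server.findtext("name", "?").strip()
        if server.findtext("ssl/enabled", "false").strip().lower() != "true":
            continue                            # no SSL listener to audit
        # Assumption: an absent jsse-enabled element means JSSE is off,
        # as it was on the instances described in the post.
        jsse = server.findtext("ssl/jsse-enabled", "false").strip().lower() == "true"
        args = server.findtext("server-start/arguments", "")
        m = re.search(re.escape(FLAG) + r"=(\S+)", args)
        if m is None:
            findings[name] = "protocol version not pinned"
        elif not jsse:
            findings[name] = "flag set but JSSE disabled, so it has no effect"
        elif m.group(1) != "TLSv1.2":
            findings[name] = "pinned to " + m.group(1)
        else:
            findings[name] = "ok"
    return findings

if __name__ == "__main__":
    for server_name, finding in audit(SAMPLE_CONFIG).items():
        print(server_name, "->", finding)
```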
