TLS 1.2 is the default minimum protocol version configured in WebLogic Server 14.1.1. TLS 1.3 support is available in WebLogic Server versions that are certified with Java SE implementations supporting TLS 1.3 in JSSE. For example, TLS 1.3 support is available in WebLogic Server 14.1.1 when using Java SE 11 or JDK 8 u261+.
Note that TLS 1.3 support is available in WebLogic Server 12.2.1.4 or 12.2.1.3 with JDK 8 u261+.
We can disable older protocol versions by setting the minimum supported protocol in JAVA_OPTS:
-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1
Note that the above setting only affects inbound connections. If an application on WebLogic makes outbound calls to another application (for example, LDAP), see the section below.
For Outbound Connections
To control the outbound connections the following JAVA_OPTIONS system property is available:
Example to allow all TLS protocols for the most common SSLSocket or SSLSocketFactory classes:
-Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2
Applications using the HttpsClient or HttpsURLConnection classes can use the https.protocols system property:
-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
You should also disable SSLv2 Client Hello in WLS startup scripts:
-Dweblogic.ssl.SSLv2HelloEnabled=false
The jdk.tls.client.protocols system property has been available since 7u95 and 6u121. All versions of JDK 8 support it. In other words, older JDK versions only support TLS 1.0 for outbound client connections.
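One way to audit these flags before they go into a startup script, as an added example (not from the original post or from Oracle). It assumes SSLv3, TLS 1.0 and TLS 1.1 count as legacy per RFC 8996; the function names and the TLS 1.2-only option string are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a JAVA_OPTIONS string for the TLS properties on this page.
# Policy assumption: SSLv3, TLS 1.0 and TLS 1.1 are legacy (RFC 8996).

is_legacy() {
  case $1 in
    SSLv2Hello|SSLv3|TLSv1|TLSv1.0|TLSv1.1) return 0 ;;
    *) return 1 ;;
  esac
}

# get_prop NAME OPTS: print the value of -DNAME=value (the last one if repeated);
# exit status 1 if the property is absent.
get_prop() (
  set -f                      # split on whitespace without glob expansion
  val= found=1
  for tok in $2; do
    case $tok in
      "-D$1="*) val=${tok#*=}; found=0 ;;
    esac
  done
  printf '%s' "$val"
  [ "$found" -eq 0 ]
)

audit_java_options() {
  opts=$1
  if v=$(get_prop weblogic.security.SSL.minimumProtocolVersion "$opts"); then
    if is_legacy "$v"; then echo "WARN inbound minimum is $v"; fi
  else
    echo "INFO inbound minimum not set; the server default applies"
  fi
  for prop in jdk.tls.client.protocols https.protocols; do
    v=$(get_prop "$prop" "$opts") || continue
    for p in $(printf '%s' "$v" | tr ',' ' '); do
      if is_legacy "$p"; then echo "WARN outbound $prop allows $p"; fi
    done
  done
  v=$(get_prop weblogic.ssl.SSLv2HelloEnabled "$opts") || v=
  [ "$v" = "false" ] || echo "WARN weblogic.ssl.SSLv2HelloEnabled is not false"
  return 0
}

# The flags exactly as shown on this page, then a constructed TLS 1.2-only variant.
PAGE_OPTS='-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Dweblogic.ssl.SSLv2HelloEnabled=false'
HARDENED_OPTS='-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2 -Dweblogic.ssl.SSLv2HelloEnabled=false'

audit_java_options "$PAGE_OPTS"
```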
A common method to test is by setting options on your browser and testing one protocol at a time. If you only want TLS 1.2 to work, then disable all other protocols in your browser settings.
If you have openssl on your system, you can test to ensure what you have configured is working with the following commands to connect:
openssl s_client -connect <hostname:port> -ssl3
openssl s_client -connect <hostname:port> -tls1
openssl s_client -connect <hostname:port> -tls1_1
openssl s_client -connect <hostname:port> -tls1_2
openssl s_client -connect <hostname:port> -tls1_3
If the connection succeeds, the output shows CONNECTED, followed by the certificate presented by the server, the cipher used for the handshake, and the trusted certificates available from the server.
From the result we can conclude which protocols are enabled on that particular WebLogic port.
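The per-protocol check above can be scripted, as an added example (not from the original post). It decides on the negotiated cipher rather than on CONNECTED alone, because s_client prints CONNECTED as soon as the TCP connection opens; the function names and sample outputs are constructed, and the messages matched are the ones common OpenSSL builds print.

```sh
#!/bin/sh
# Added example: classify `openssl s_client` output per protocol flag.

# classify_handshake: read s_client output on stdin and print a verdict.
classify_handshake() {
  out=$(cat)
  # Many OpenSSL builds are compiled without SSLv3 and reject the flag itself.
  if printf '%s\n' "$out" | grep -qi 'unknown option'; then
    echo "client-unsupported"; return 0
  fi
  cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
  # Take the protocol from the SSL-Session block: older builds print
  # "TLSv1/SSLv3" on the "New," line even for a TLS 1.2 session.
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\(.*\)$/\1/p' | head -n 1)
  if [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then
    echo "accepted ${proto:-unknown} $cipher"
  else
    echo "rejected"
  fi
}

# probe_all HOST:PORT: try each protocol flag listed above and print one line each.
probe_all() {
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
    verdict=$(openssl s_client -connect "$1" "$flag" </dev/null 2>&1 | classify_handshake)
    printf '%-8s %s\n' "$flag" "$verdict"
  done
}

# Constructed samples: a successful handshake and a refused one.
SAMPLE_OK='CONNECTED(00000006)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305'
SAMPLE_FAIL='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.1
    Cipher    : 0000'

# Run against a real listener only when a host:port argument is given.
if [ "$#" -gt 0 ]; then probe_all "$1"; fi
```

Run it as `sh probe.sh <hostname:port>`; a line reading `rejected` for `-tls1` and `-tls1_1` confirms the minimum-version setting took effect on that port.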
For testing particular cipher suites, check the -cipher option. For example:
openssl s_client -host localhost -port 8080 -cipher DES-CBC-SHA
I am just trying the above syntax to connect to google.com; see below.
openssl s_client -host google.com -port 443 -cipher ECDHE-RSA-CHACHA20-POLY1305
CONNECTED(00000006)
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1
---
Certificate chain
0 s:/CN=*.google.com
i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
subject=/CN=*.google.com
issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 7109 bytes and written 193 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: 1630E8BADA695317F0F520D063E096E9DFD33A49734DC63294B12C0EF6922C5D
Session-ID-ctx:
Master-Key: 459A743C7C4D3885F030F3638A512AB874F2A5B45EB07EC15D513C3E83EAC8FB3E3297
6071FD97CE24B970EEE7137F89
TLS session ticket lifetime hint: 100800 (seconds)
Start Time: 1628603903
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
read:errno=0
Yes, openssl was able to connect over SSL with the given cipher successfully. In this way we can test any server and port with a given cipher and protocol.
Happy Learning !!!