SSL Handshake Fails with Browser Errors: ERR_SSL_PROTOCOL_ERROR, ERR_SSL_FALLBACK_BEYOND_MINIMUM_VER
Posted by Patrick Hamou on 2017:09:22 14:13:33
APPLIES TO: Oracle HTTP Server, Weblogic Web Server, Oracle Fusion Middleware, Oracle WebLogic Server
Oracle HTTP Server - Version 10.1.2.0.0 and later
Weblogic Web Server - Version 9.2 and later
Oracle Fusion Middleware - Version 10.1.2.0.0 and later
Oracle WebLogic Server - Version 12.1.1.0 to 12.1.1.0 [Release 12c]
Information in this document applies to any platform.
SYMPTOMS
SSL Handshake Fails with Browser Errors: ERR_SSL_PROTOCOL_ERROR, ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, SSL_ERROR_NO_CYPHER_OVERLAP, ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
When users access an application using https:// it is not working. The error seen will depend on the browser and the actual problems it detects, but is usually a result of updating to a newer browser version attempting to ensure you are reaching secure sites:
-- Chrome provides a very popular error as it is checking for protocol negotiation:
ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION (for TLS negotiation issue)
"Server has a weak ephemeral Diffie-Hellman public key" (when a DHE_EXPORT ciphersuite is enabled on a server but not on a client)
-- Firefox will provide something like this depending on version and application, though it is more related to ciphers used in the handshake:
Advanced info: ssl_error_no_cypher_overlap or ssl_error_weak_server_ephemeral_dh_key or NS_ERROR_NET_RESET
-- Microsoft browsers will usually say "Page Cannot be Displayed"
-- Java clients may have similar issues, a connection attempt may fail with the following:
javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
-- When looking in the logs for the Oracle HTTP Server, these errors are seen:
SSL call to NZ function nzos_Handshake failed with error 29014
SSL call to NZ function nzos_Handshake failed with error 29049
SSL call to NZ function nzos_Handshake failed with error 28864
Errors may differ depending on version and http server product in use. The basic symptom is that the SSL handshake fails and the client closes the connection.
You are then sent to investigate the server side SSL configuration to ensure it is configured to perform a secure handshake as expected. It may depend on the protocol and/or cipher in use.
CHANGES
Update Client
Problems occur after users have updated client browsers (Chrome, Firefox, Internet Explorer, etc.). The problems start after various SSL-related security alerts against lower protocol versions and weak ciphers that were once popular but are now deprecated because of their insecure nature. This could also happen on a new installation and new configuration of SSL.
- The key point is it works on an older browser, fails on a newer browser (or other client).
- Note there are different errors here, so there are different root causes for each. The solution can be consolidated into updating protocols, ciphers and certificates for newer SSL standards.
CAUSE
Server is Implementing Negotiation Incorrectly
Initially, the problem is with SSLv2 and SSLv3 protocols. Older ciphers and certificates used can further impact the issue.
Newer browsers and other clients will have these disabled and a first step is to do the same on the server side. Once these are disabled, there may be only TLSv1 available on your server, depending on your version. Newer clients will prefer TLSv1.2 and 1.1 over 1.0, though they do not entirely disable 1.0 by default. When negotiation to a lower protocol occurs, browsers may detect a problem and close the connection.
One issue tends to occur when only TLSv1 (1.0) is available with older http server versions. It is commonly believed that you must disable TLS 1.0 and only allow TLS 1.1 and 1.2. While this will prevent the issue, it is not entirely true: you only need to ensure the negotiation attempt is secure with TLS 1.0. Older web servers have had updates over the years for this, but the problem is only being aggressively detected and blocked in recent times by client vendors.
See the following from Google: https://code.google.com/p/chromium/issues/detail?id=498998
"we will now be removing the TLS 1.0 fallback as well, raising the minimum fallback version to TLS 1.1. This will *not* break TLS 1.0 servers, only those which implement version negotiation incorrectly."
Other issues are related to the use of weak ciphers and low key strength certificates. Some client vendors are putting defaults in place to detect and close the connection when these are used on the server side. You can also see these errors if restricting to only higher protocols, but you do not have the supported ciphers or certificates for the said protocol.
The browser SSL_ERROR_NO_CYPHER_OVERLAP error can occur when the browser does not support the remote server's cipher suite. For example, WLS is configured with TLS_RSA_WITH_AES_256_CBC_SHA256, but the browser does not support this cipher suite. For the SSL connection to succeed, there must be a matching cipher suite selected between the browser client and server. The browser's supported cipher suites can be viewed using third-party tools such as:
https://cc.dcsec.uni-hannover.de/
https://www.ssllabs.com/ssltest/viewMyClient.html
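The causes described above can be reproduced in a small model. This is an added example, not code from the original note or from Oracle: it simulates version and cipher negotiation to show why a TLS 1.0-only server still works when it negotiates correctly, and why a cipher mismatch fails regardless of protocol. The "intolerant" flag, the failure labels and all client and server profiles are constructed for illustration.

```python
# Added example: simplified model of TLS version and cipher negotiation.
# Profiles are constructed sample data; failure labels belong to this model only.
VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]  # ordered lowest to highest

class HandshakeFailure(Exception):
    pass

def server_hello(server, offered_version, client_ciphers):
    """Return the (version, cipher) the server selects for one ClientHello."""
    offered = VERSIONS.index(offered_version)
    supported = [VERSIONS.index(v) for v in server["versions"]]
    if server["intolerant"] and offered > max(supported):
        # Incorrect negotiation: abort on a version newer than the server knows.
        raise HandshakeFailure("version_intolerance")
    usable = [v for v in supported if v <= offered]
    if not usable:
        raise HandshakeFailure("protocol_version")
    shared = [c for c in server["ciphers"] if c in client_ciphers]
    if not shared:
        raise HandshakeFailure("no_cipher_overlap")
    # Correct negotiation: highest common version, first shared cipher.
    return VERSIONS[max(usable)], shared[0]

def browser_connect(server, client):
    """Retry at lower versions, but never below the client's fallback floor."""
    attempt = VERSIONS.index(client["max"])
    floor = VERSIONS.index(client["fallback_min"])
    while True:
        try:
            return True, server_hello(server, VERSIONS[attempt], client["ciphers"])
        except HandshakeFailure as exc:
            if str(exc) != "version_intolerance":
                return False, str(exc)
            if attempt - 1 < floor:
                return False, "fallback_beyond_minimum_version"
            attempt -= 1

AES128 = "TLS_RSA_WITH_AES_128_CBC_SHA"
CLIENT_CIPHERS = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", AES128]
# Newer browser: fallback floor raised to TLS 1.1, as in the Chromium quote.
NEW_BROWSER = {"max": "TLSv1.2", "fallback_min": "TLSv1.1", "ciphers": CLIENT_CIPHERS}
OLD_BROWSER = {"max": "TLSv1.2", "fallback_min": "TLSv1.0", "ciphers": CLIENT_CIPHERS}
# TLS 1.0-only server before and after the negotiation fix.
UNPATCHED = {"versions": ["TLSv1.0"], "intolerant": True, "ciphers": [AES128]}
PATCHED = dict(UNPATCHED, intolerant=False)
# Server restricted to one cipher suite the client does not offer.
SHA256_ONLY = {"versions": ["TLSv1.2"], "intolerant": False,
               "ciphers": ["TLS_RSA_WITH_AES_256_CBC_SHA256"]}
```

Calling browser_connect(UNPATCHED, OLD_BROWSER) succeeds after two fallbacks while the same server fails for NEW_BROWSER, which matches the "works on an older browser, fails on a newer browser" symptom; PATCHED connects at TLSv1.0 on the first attempt.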
SOLUTION: SSL standards
Multiple Steps
If you do not have control of the server, workarounds are usually performed, which may be found on the internet. Since readers of this document presumably have control of their servers and users may be reporting these errors to them, steps should be taken to secure the servers to match default client expectations. The goal should be to ensure your server processes https connections securely, not to work around the problem with a browser hack that allows the older SSL standards. First disable SSLv2 and SSLv3; if you are using a version with only TLSv1 configured, there should be a patch to apply on some versions to implement the negotiation correctly. While it is a different cause, other issues related to weak ciphers can be covered at the same time due to the similarity of steps required.
Note:
You do not need to completely disable TLS 1.0 and you should be very cautious of using a workaround to defeat the purpose of the browser's security check. Using a "security.tls.version.fallback-limit" or "--ssl-version-fallback-min=tls1" workaround will circumvent the browser's security check and may expose you to other issues. These workarounds are not an Oracle approved solution to these errors.
Issues related to this have progressed over time and the correct action to take is to step through actions to secure your system. You may have performed some but not all steps, so you should verify all steps. This will ensure complete compatibility between installed components and client for the newer SSL/TLS standards.
- The following new document is created to avoid problems like this: Note 2131521.1 Proactively Updating SSL Protocols, Ciphers, and Certificates for Oracle Fusion Middleware
To resolve these issues and secure your system with the newest possible SSL standards, follow the below steps:
1. Ensure you are on a product version with full Error Correction Support:
- If not on a version with full error correction support you may be limited to obtaining new fixes and support of desired configurations for new standards.
- See: Note 944866.1 Error Correction Support Dates for Oracle Fusion Middleware (10g/11g/12c/WLS)
- If you are unable to update, you can still do most configurations listed below. A section below has older patches known to fix older TLS 1.0 negotiation issues.
2. Disable SSLv3 and SSLv2:
- If you have not disabled SSL 2.0/3.0 (SSLv2/SSLv3) protocols, it is likely the browsers are checking and blocking these connections.
- You will need to consider the Oracle HTTP Server, Oracle Web Cache, Oracle WebLogic Server and other Oracle Fusion Middleware components installed.
- See: Note 1936300.1 How to Change SSL Protocols (to Disable SSL 3.0) in Oracle Fusion Middleware Products
3. Enable JSSE on WebLogic Server:
- The older Certicom implementation has been deprecated, but you need to manually configure JSSE:
- See http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#SECMG494
- This can be done starting with 10.3.3, but optimally on 10.3.6 for full compatibility between all of these steps.
4. Update the JDK to latest Java 6 or 7 depending on what is certified - this affects protocols, ciphers and key strength supported by default in WLS:
- See Note 1492980.1 How to Maintain the Java SE Installed or Used with FMW 11g/12c Products
- Java 7 will allow TLS 1.1 and 1.2 support, but it is not mandatory to use; use the latest JDK 6 depending on certifications
- The latest JDK will fix issues with TLS 1.0 negotiation, remove weak ciphers and resolve ssl_error_weak_server_ephemeral_dh_key error
5. Remove weak ciphers:
- For WLS, this is automatic when updating the JDK. If ciphers were previously configured manually, that configuration may now be incorrect and you should verify it across your installations.
- See: Note 1067411.1 How To Disable Anonymous and Weak Cipher Suites in WebLogic Server
- In other words, if you update the JDK and enable JSSE, you do not need to update the config.xml to use a single cipher
- For other products, see Note 453079.1 Restricting Anonymous or Weak Ciphers in SSL (HTTPS) for Oracle Fusion Middleware 10g/11g/12c
6. Update certificate key strength to greater than 1024:
- You will need to do this if you are getting the ssl_error_weak_server_cert_key error. Ensure you have first updated the JDK.
- See Note 1607170.1 SSL Authentication Problem Using WebLogic 10.3.6 and 12.1.1 With JDK1.7.0_40 or Higher, JDK1.6.0_101, JRockit R28.3.7
You may require SHA2 and key strength greater than 1024:
Note 2098479.1 SSL Connections Fail to OHS 11.1.1.9 When Using IE and TLS 1.1/1.2 Only
7. Apply latest PSU to Weblogic Server:
- PSUs are released with the Critical Patch Update program to provide security fixes, see the following about the program and how to pick up the latest:
- Note 1306505.1 Announcing Oracle WebLogic Server PSUs (Patch Set Updates)
8. Apply CPU patches to your other products:
- Note 551453.1 How to Find the Correct Critical Patch Update Patches for Oracle Fusion Middleware Products
- There are fixes in FMW CPU patches for SSL issues including protocol and cipher updates
- For Oracle HTTP Server, ensure to pick up the OHS, OPMN, and "SSL/Networking" patches
- If you are on a version without Error Correction Support, see below section for older patches known to fix older TLS 1.0 negotiation issues
9. If issues are still occurring, you can be assured you have the latest updates to be the most compatible with the newer client updates. Depending on which error you are getting, you can troubleshoot the SSL handshake with third-party tools such as those available at wireshark.org. The question is what the client is expecting that the server does not have available, and whether there is an available configuration to satisfy this requirement.
Apply Specific Patches For TLS 1.0 Negotiation Issues on Older Versions
As stated above, these issues started with older server product versions and the use of older protocols, complicated with older ciphers and certificates also in place. Adjusting the protocol and ensuring the SSL negotiation is correct is the first step. Older server product versions (all vendors) used an older insecure method to negotiate. Below are updates for Oracle's products.
Notice: Any version not listed is not conclusive. Oracle strongly recommends applying the latest Patch Set release for your products to be cumulatively covered and then follow the CPU program to be secure from vulnerabilities. If you still have this issue after updating a version still under Error Correction Support, please open a Service Request for an investigation and potential new defect. TLS 1.0 is expected to work and implement negotiation correctly on all versions under Premier and Extended Support with error correction. Older versions have been addressed in the past, but are not continually checked for new issues.
Oracle HTTP Server 10g:
11.1.1.3: Patch 11716938 and Patch 10387726
11.1.1.2: Patch 11716930 and Patch 10387726
10.1.3.5:
- Apply 10.1.3.5 Patch Set, Patch 8626084 (See Note 397022.1)
- Apply updated OPatch, Patch 6880880 choosing 10.1.0.0.0
- See http://www.oracle.com/technetwork/topics/security/alerts-086861.html to find latest Advisory, go to it and click "Fusion Middleware" link within to find the latest cumulative Patch Availability Document and within, a 10.1.3.5.x section. Note if using EBS there is a separate document in the Advisory with EBS specific instructions.
10.1.2.3 and 10.1.4.3:
- See Note 405972.1 - Oracle Application Server 10g Examples for Critical Patch Updates
- See 10.1.2 or 10.1.4 section for exact steps, which include Patch Set guidance, administering one Oracle home at a time
- It is the "Primary CPU Bundle" required after Patch Set and OPatch prerequisites
Oracle WebLogic Server:
9.2 - 10.3.2: Apply Patch 9412909 - Disallow SSL renegotiation
WLS Plugins 1.0: Patch 11845433
Java SE:
JDK 6 Update 19 or higher
JDK 5.0 Update 24 or higher
JDK 1.4.2 Update 26 or higher
Reference:
Note 1301699.1 How the SSL/TLS Renegotiation Protocol Change Affects Oracle HTTP Server and Oracle WebLogic Server