Yes, I know this is generally a bad idea, but we have a short-term need to do it.
Following this: https://docs.oracle.com/middleware/1221/wls/SECMG/ssl_version.htm#SECMG637
We have set
-Dweblogic.security.SSL.minimumProtocolVersion=SSLv3 (originally set to TLSv1.2)
-Dweblogic.security.SSL.protocolVersion=ALL
(the second shouldn't be needed, but should also be harmless)
This didn't work. According to this: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#enable-sslv3
JDK8 doesn't support SSLv3 out of the box, but can be enabled by:
If SSLv3 is absolutely required, the protocol can be reactivated at JRE level by removing "SSLv3" from the jdk.tls.disabledAlgorithms property in the java.security file or by dynamically setting this Security property before JSSE is initialized.
To enable SSLv3 protocol at deploy level, after following the above steps, edit the deployment.properties file and add the following:
deployment.security.SSLv3=true
We've done the first of these changes, but it's not clear what "enable... at deploy level" means for Weblogic, and we can't find a deployment.properties file.
Do we need to do this step? And if so, where is the deployment.properties file (or equivalent) for weblogic?
Alternatively, has anyone successfully re-enabled SSLv3 support in Weblogic 12 and can tell us what needs to be changed?
ue
Answering my own question, as we just did some tests:
No. The changes to the startup args and java.security files are enough
SSLv3 is working again - the ServerFault cardboard-cutout programmer works again