
How do I disable the DES and 3DES ciphers on the Oracle WebLogic Server Node Manager port (5556) on a Red Hat Linux server? I have tried many solutions, but none work as expected. Here is my SSLCipherSuite line in the ssl.conf file.

SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,!aNULL,!eNULL,!LOW,!MD5,!EXP,!PSK,!SRP,!DSS,!RC4,!3DES
bodgit
venkat

1 Answer


Remove the ciphers SSL_RSA_WITH_3DES_EDE_CBC_SHA and SSL_RSA_WITH_DES_CBC_SHA from your cipher list. You should also remove SSL_RSA_WITH_RC4_128_MD5 and SSL_RSA_WITH_RC4_128_SHA from the list as they are both considered insecure. I don't believe you get any benefit from the !aNULL,!eNULL,!LOW,!MD5,!EXP,!PSK,!SRP,!DSS,!RC4,!3DES specifications if you are listing individual ciphers.

If your server is internet accessible, consider running an SSLLabs Analysis on your server. If not, you could use nmap --script ssl-enum-ciphers to check your configuration.

You should be disabling the ciphers in your Java configuration. See: https://security.stackexchange.com/questions/120347/how-to-disable-weak-cipher-suits-in-java-application-server-for-ssl for details.

You may want to consider using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. However, Java has had a problem with these ciphers causing 1 in 256 connections with standards compliant hosts to fail. This should be fixed in the latest release.

You should be able to set a secure set of ciphers by adding the ciphers to your Java command line. (Use only the last cipher unless you are on the latest Java version.)

-Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA

If you want to use 256 bit encryption, duplicate each cipher in order and change 128 to 256 in one of the duplicates. There doesn't seem to be a good reason to use 256 bits, and there are reports that using 256 bits may enable some timing attacks.

BillThor
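The answer makes two points worth checking mechanically: the weak suites are still named explicitly in the questioner's list, and the trailing "!" keywords (!3DES, !RC4, !LOW, ...) add nothing when individual suites are listed, so the same string both enables and "excludes" the DES, 3DES and RC4 suites. The script below is an added example, not code from the question, the answer, or Oracle. It parses the SSLCipherSuite value from the question (embedded as a constructed sample), flags each suite that uses DES, 3DES, RC4, MD5, NULL, export or anonymous algorithms, reports which listed suites contradict an exclusion keyword in the same string, and renders the surviving suites as the -Dhttps.cipherSuites flag the answer shows. The name-matching rules and the keyword names are this script's own heuristics modelled on OpenSSL's cipher-string vocabulary; they are assumptions, not WebLogic's or Java's internal classification.

```python
"""Audit an SSLCipherSuite-style cipher list for weak and contradicted suites.

Added example, not code from the original question or answer. The regexes
below are this script's own heuristics on suite names (an assumption), and
the keywords (LOW, 3DES, RC4, ...) follow OpenSSL cipher-string vocabulary.
"""
import re

# Constructed sample: the SSLCipherSuite value posted in the question.
SAMPLE = (
    "SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,"
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,"
    "!aNULL,!eNULL,!LOW,!MD5,!EXP,!PSK,!SRP,!DSS,!RC4,!3DES"
)

# (pattern matched against the suite name, exclusion keyword it corresponds to)
WEAK_RULES = [
    (re.compile(r"_ANON_|_DH_anon"), "aNULL"),     # anonymous key exchange
    (re.compile(r"_NULL_|_WITH_NULL"), "eNULL"),   # no encryption
    (re.compile(r"EXPORT"), "EXP"),                # export-grade suites
    (re.compile(r"_3DES_"), "3DES"),               # triple DES
    (re.compile(r"_DES_(?!EDE)|_DES40_"), "LOW"),  # single 56-bit or 40-bit DES
    (re.compile(r"_RC4_"), "RC4"),                 # RC4 stream cipher
    (re.compile(r"_MD5$"), "MD5"),                 # MD5-based MAC
    (re.compile(r"_DSS_"), "DSS"),
    (re.compile(r"_PSK_"), "PSK"),
    (re.compile(r"_SRP_"), "SRP"),
]


def parse_cipher_string(value):
    """Split a comma- or colon-separated string into (suites, exclusion keywords)."""
    suites, exclusions = [], []
    for token in re.split(r"[,:]", value):
        token = token.strip()
        if not token:
            continue
        if token.startswith("!"):
            exclusions.append(token[1:])
        else:
            suites.append(token)
    return suites, exclusions


def weaknesses(suite):
    """Return the exclusion keywords a suite name matches (empty list if none)."""
    return [keyword for pattern, keyword in WEAK_RULES if pattern.search(suite)]


def audit(value):
    """Report weak suites, suites contradicted by a '!' keyword, and a cleaned list."""
    suites, exclusions = parse_cipher_string(value)
    weak = {}
    for suite in suites:
        tags = weaknesses(suite)
        if tags:
            weak[suite] = tags
    # A suite that is listed by name and also matches one of the string's own
    # "!" keywords is the contradiction present in the question's config.
    contradictions = {}
    for suite, tags in weak.items():
        hit = [k for k in tags if k in exclusions]
        if hit:
            contradictions[suite] = hit
    clean = [s for s in suites if s not in weak]
    return {"weak": weak, "contradictions": contradictions, "clean": clean}


def java_cipher_property(suites):
    """Render a suite list in the -Dhttps.cipherSuites=... form used in the answer."""
    return "-Dhttps.cipherSuites=" + ",".join(suites)


if __name__ == "__main__":
    report = audit(SAMPLE)
    for suite, tags in report["weak"].items():
        print(f"WEAK   {suite:32} matches !{', !'.join(tags)}")
    for suite, tags in report["contradictions"].items():
        print(f"CONFL  {suite:32} listed explicitly but also excluded by !{', !'.join(tags)}")
    print("Cleaned SSLCipherSuite:", ",".join(report["clean"]))
    print(java_cipher_property(report["clean"]))
```

Running it against the question's string flags all four RC4/DES/3DES suites and shows each one is simultaneously enabled by name and matched by a "!" keyword, leaving only the two AES suites. One caveat when reusing the last line: the JSSE documentation describes https.cipherSuites as a property of the HttpsURLConnection client side, so the script only renders the flag in the form the answer gives; confirm with nmap --script ssl-enum-ciphers against port 5556 that the server actually stopped offering the weak suites.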