
We have an IPlanet web server which communicates with WebLogic (app server) on a non-SSL (HTTP) port. We are not using HTTPS in WebLogic, and the web servers and app servers are behind a firewall. A certificate is installed on the WebLogic server instances, but we don't use the HTTPS port. The IPlanet web server is running on HTTPS ports and behind a load balancer.

LB to (HTTPS) WebServer to (HTTP) WebLogic is the traffic flow. No traffic comes directly to the web server or WebLogic.

For POODLE remediation, do we still need to disable SSLv3 for web server and app server?

user207421
user2820644
  • There are no SSL v3 certificates. Certificates are X509 and are independent from the SSL/TLS protocol version. – Steffen Ullrich Oct 30 '14 at 17:45
  • The reason I stated it as SSLv3 certificate is that when I hit a URL deployed in WebLogic and open the certificate displayed in the browser, under the Details tab, I see Version as V3 – user2820644 Oct 31 '14 at 08:47
  • This is not SSL v3 but X509.v3. X509 is the format of the certificates (see [Wikipedia entry to X.509](http://en.wikipedia.org/wiki/X.509)) while SSL/TLS is the communication protocol which uses certificates to identify the peer. – Steffen Ullrich Oct 31 '14 at 08:59

1 Answer


Looks like you are terminating SSL (or HTTPS) traffic at the WebServer. There are two parts:

  1. LB to WebServer (HTTPS traffic): Disable SSLv3 on the WebServer. HTTPS means HTTP tunneled over the SSL protocol. This is impacted.
  2. WebServer to WebLogic (HTTP traffic): You are good here.
Manish Maheshwari