Explicitly exclude SSLv3 in older Oracle HTTP versions - Githubissues

mozilla / ssl-config-generator

Mozilla SSL Configuration Generator

https://ssl-config.mozilla.org/

Mozilla Public License 2.0

374 stars 60 forks source link

Explicitly exclude SSLv3 in older Oracle HTTP versions #271

Open janbrasna opened 2 weeks ago

janbrasna commented 2 weeks ago

Only the current branch disables SSLv3 by default (by not supporting it at all), however for older versions it has to be explicitly excluded as it was available, being enabled by default depending on the package it was part of.

Ref: https://docs.oracle.com/middleware/12213/webtier/administer-ohs/GUID-20EE80B2-E97F-4BB8-B980-5069CA3801F9.htm#HSADM1025: (12.1.2 mentions disabling:) https://docs.oracle.com/middleware/1212/webtier/HSADM/directives.htm#CIHCABAI (11.1.0 claims it disabled:) https://docs.oracle.com/middleware/11119/webtier/administer-ohs/directives.htm#CIHCABAI

This adds the extra rule for good measure:

https://add-ohs-sslv3-version--mozsslconf-dev.netlify.app/#server=oraclehttp&version=12.3.4 vs. https://add-ohs-sslv3-version--mozsslconf-dev.netlify.app/#server=oraclehttp&version=11.1.0

gstrauss commented 1 day ago

I am not in a position to validate this. If you have checked the version, feel free to merge.