Oracle HTTP Server (OHS) Apache 2.2.13 Poodle SSLv3 Fix?

Question

I applied the POODLE fix for apache via "SSLProtocol All -SSLv2 -SSLv3" in the ssl.conf file for our apache server but am having issues with the CAC Client authentication via "SSLVerifyClient require". I have confirmed if I set "SSLVerifyClient none" our web application can be accessed via https and uses the correct protocol of TLSv1 but once I set "SSLVerifyClient require" (which is needed because our web application is CAC enabled) I get a page cannot be displayed in IE (IE has SSLv2 and SSLv3 disabled). I think it is renegotiating to SSLv3 during the SSLVerifyClient stage.. Anyone know how to fix this on Oracle HTTP Server (OHS) Apache 2.2.13??

Here is a snippet of my ssl.conf file:

###################################################################
# Oracle HTTP Server mod_ossl configuration file: ssl.conf        #
###################################################################


# OHS Listen Port
Listen 443


##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
    SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl_scache(512000)"
    SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization. 
    
      SSLMutex "none"
    
    
      SSLMutex pthread
    

##
## SSL Virtual Host Context
##

#    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/htdocs/asset"
    DirectoryIndex remagnum.html
    ServerName TTSDS09083.TIMPO.OSD.MIL
#    ServerAlias www.dummy-host.example.com

  

   #  SSL Engine Switch:
   #  Enable/Disable SSL for this virtual host.
   SSLEngine on

   #  SSL Cipher Suite:
   #  List the ciphers that the client is permitted to negotiate.
   #SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

   SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA

   SSLProtocol All -SSLv2 -SSLv3


   #  Client Authentication (Type):
   #  Client certificate verification type and depth.  Types are
   #  none, optional and require.
   #SSLVerifyClient none
   SSLVerifyClient require

   # SSL Certificate Revocation List Check
   # Valid values are On and Off
   SSLCRLCheck Off

   #Path to the wallet
   SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"

   
      SSLOptions +StdEnvVars +ExportCertData

   

   
      SSLOptions +StdEnvVars +ExportCertData

   

   BrowserMatch ".*MSIE.*" \
   nokeepalive ssl-unclean-shutdown \
   downgrade-1.0 force-response-1.0

Oracle HTTP Server (OHS) Apache 2.2.13 Poodle SSLv3 Fix?

Answers (1)

Related Questions