MAF
May 17, 2015

Old security is false security

Guest Author

Recently, an Oracle partner experienced problems migrating an application from MAF 2.0.x to MAF 2.1.x. The application, which calls secured REST web services, was working fine before the update. However, after the migration, it was failing with the following exception: 

[SEVERE - oracle.adfmf.framework - RestTransportLayer - readResponse] Exception while reading response: java.io.IOException: Unsupported record version SSLv2Hello
[WARNING - oracle.adfmf.framework - RestServiceAdapterImpl - sendReceiveBytes] ERROR: REST Transport - java.io.IOException: Unsupported record version SSLv2Hello
java.io.IOException: Unsupported record version SSLv2Hello
at oracle.microedition.io.HttpConnectionImpl.getResponseCode(Unknown Source)
at oracle.adfmf.dc.ws.rest.RestTransportLayer.readResponse(Unknown Source)
at oracle.adfmf.dc.ws.rest.RestTransportLayer.sendReceiveBytes(Unknown Source)
at oracle.adfmf.dc.ws.rest.RestTransportLayer.sendReceive(Unknown Source)
at oracle.adfmf.dc.ws.rest.RestServiceAdapterImpl.sendReceive(Unknown Source)
at oracle.adfmf.dc.ws.rest.RestServiceAdapterImpl.send(Unknown Source)
[...]

If you remember, one of the major changes between MAF 2.0 and 2.1 was the upgraded JVM. We switched from the Java ME CDC profile (Java 1.4) to the Java SE Compact 2 profile (Java 1.8). Because of this change in the infrastructure, MAF dropped support for a number of older technologies. SSL version 2 is among the lot. 

This does not mean that it was a good idea to use SSL v2 before, however. Introduced in 1995, SSL v2 had already been superseded by SSL v3 the year after. And while we often describe secure HTTP connections as « SSL », we simply should not anymore. TLS, the successor to SSL, is much more secure. But wait, there is more! The Poodle vulnerability, revealed in 2014, stems from a design flaw in SSL v3. Oracle's recommendation, documented here, is to simply disable all versions of SSL on your servers. 

You will find instructions about disabling SSL v2 and v3 in various Fusion Middleware products in document 1936300.1 on My Oracle Support. Please take this seriously. Your data is not secure simply because you use encryption and there are no exceptions in your logs... In fact, I would argue that using older security protocols is worse than using none, because of the false sense of security they instill.  
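Whether a server still answers in SSL v2 or SSL v3 is visible in the very first record it puts on the wire, so a packet capture settles the question regardless of what your logs show. The Python below is an added example, not code from the post or from MAF: it classifies the first record of a connection using the public SSLv2 and SSLv3/TLS record layouts, and the sample bytes are constructed.

```python
import struct

# Wire versions in the header of an SSLv3/TLS record (major byte is 3).
RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
# Message types of the SSLv2 record format (2-byte length header, high bit set).
SSLV2_MESSAGE_TYPES = {0x00: "ERROR", 0x01: "CLIENT-HELLO", 0x04: "SERVER-HELLO"}
# Everything the post says to switch off on the server side.
DEPRECATED = {"SSLv2", "SSLv3"}


def classify_record(data: bytes) -> dict:
    """Classify the first record seen on a connection. SSLv3/TLS records start with a
    content type and a 2-byte version; SSLv2 records start with a length whose high bit
    is set, then a message type. Raises ValueError for anything else (e.g. plaintext)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes of the first record")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    # SSLv3/TLS: 0x14 change_cipher_spec, 0x15 alert, 0x16 handshake, 0x17 application data.
    if 0x14 <= content_type <= 0x17 and major == 3:
        name = RECORD_VERSIONS.get((major, minor), "unknown 3.%d" % minor)
        return {"protocol": name, "deprecated": name in DEPRECATED,
                "record_length": length, "message": "record"}
    # SSLv2: the SSL v2 family the post says the upgraded MAF JVM no longer accepts.
    if content_type & 0x80 and data[2] in SSLV2_MESSAGE_TYPES:
        return {"protocol": "SSLv2", "deprecated": True,
                "record_length": ((content_type & 0x7F) << 8) | data[1],
                "message": SSLV2_MESSAGE_TYPES[data[2]]}
    raise ValueError("not an SSL/TLS record (plaintext connection?)")


def offending_protocols(first_records) -> set:
    """Deprecated protocol names seen across a batch of captured first records."""
    seen = set()
    for rec in first_records:
        try:
            info = classify_record(rec)
        except ValueError:
            continue  # not TLS at all; worth a look, but not a protocol-version finding
        if info["deprecated"]:
            seen.add(info["protocol"])
    return seen


if __name__ == "__main__":
    # Constructed samples: TLS 1.2 and SSLv3 handshake headers, then an SSLv2 SERVER-HELLO.
    samples = [b"\x16\x03\x03\x00\x31", b"\x16\x03\x00\x00\x2a",
               b"\x80\x0b\x04\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00"]
    for s in samples:
        print(classify_record(s))
    print("disable on the server:", sorted(offending_protocols(samples)))
```

Feed it the first bytes each side sends in a capture of your service; any result with "deprecated" set is a server that still needs the document 1936300.1 treatment.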

And what about the partner I told you about? Disabling SSL on the server hosting the web services did the trick. You should do the same. 
