Skip to content
Home » Oracle Database » Grid Infrastructure » How to Disable TLSv1.0 TLSv1.1 at Port 6200

How to Disable TLSv1.0 TLSv1.1 at Port 6200

Vulnerability Scanning at Port 6200

Vulnerability scanner reports a weakness at port 6200 of the RAC server.

Vulnerability Insight
The TLSv1.0 and TLSv1.1 protocols contain known cryptographic flaws like:
- CVE-2011-3389: Browser Exploit Against SSL/TLS (BEAST)
- CVE-2015-0204: Factoring Attack on RSA-EXPORT Keys Padding Oracle On Downgraded Legacy Encryption (FREAK)

In summary, vulnerability scanner thinks TLSv1.0 and TLSv1.1 protocols are potential weakness and we should disable them at port 6200 for safety.

Theoretically, such flaws CVE-2011-3389 and CVE-2015-0204 should have been fixed by Oracle in 2015. The affected products are 12.1 and earlier releases. A sophisticated release like 19c should have no such problem.

However, we found TLSv1.1 with AES256-SHA is still available at port 6200. That's the one we have to conquer.

Who is Using Port 6200?

After investigating which process is listening to the specific port, we found that Oracle Notification Service (ONS) is listening to port 6200.

Reversely, to know which ports are used by ONS, you may issue the following command by grid to make sure.

[grid@primary01 grid]$ srvctl config ons
ONS exists: Local port 6100, remote port 6200, EM port 2016, Uses SSL true
ONS is enabled
ONS is individually enabled on nodes:
ONS is individually disabled on nodes:

Please use the following command to print more information of ONS.

$ORACLE_HOME/bin/onsctl debug

Or verbosely:

$ORACLE_HOME/bin/onsctl verbose debug

Disable TLSv1.0 and TLSv1.1

To deny TLSv1.0 and TLSv1.1 for clients to connect ONS Service at port 6200, we take the following steps to turn them off.

Backup ons.config

The main file that we should configure is $ORACLE_HOME/opmn/conf/ons.config in grid infrastructure.

By design, user grid is the owner of ONS, so we login to the operating system by grid and then make a copy.

[grid@primary01 grid]$ cd $ORACLE_HOME/opmn/conf
[grid@primary01 conf]$ pwd
/u01/app/19.0.0/grid/opmn/conf
[grid@primary01 conf]$ cp -p ons.config ons.config-`date +%Y%m%d`-backup

Edit ons.config

We append two lines to the file.

[grid@primary01 conf]$ vi ons.config
...
sslversions=TLSv1.2
sslciphers=SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA

Where we allow only TLSv1.2 and support 2 cipher suits, i.e. AES256-SHA256 and AES256-SHA.

Restart ONS

We combine srvctl stop ons and srvctl start ons in one command line to restart ONS without execution gap like this.

[grid@primary01 conf]$ srvctl stop ons; srvctl start ons; srvctl status ons
ONS ons is enabled.
ONS ons is running.

Meanwhile, the cluster make a copy to ons.config.<hostname_in_short>.

Please note that, command onsctl reload has no use to refresh the service in our test.

Test Connection

Here we use openssl to connect the port locally.

TLSv1.2

We test TLSv1.2 without specifying any cipher suite.

[grid@primary01 conf]$ openssl s_client -connect localhost:6200 -tls1_2

We got the server certificate as we expected.

TLSv1

We test TLSv1 without specifying any cipher suite.

[grid@primary01 conf]$ openssl s_client -connect localhost:6200 -tls1
CONNECTED(00000003)
804401144:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1677026814
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

---

It failed to pass the test.

TLSv1.1

We test TLSv1.1 without specifying any cipher suite.

[grid@primary01 conf]$ openssl s_client -connect localhost:6200 -tls1_1
CONNECTED(00000003)
804401144:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1677026620
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

It failed to pass the test.

TLSv1.2 with Unsupported Cipher

We specify some weak cipher suite, say 3DES, to work with TLSv1.2 and see whether it can pass the test or not.

[grid@primary01 conf]$ openssl s_client -connect localhost:6200 -tls1_2 -cipher 3DES
CONNECTED(00000003)
804401144:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1677026855
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Since 3DES is not supported, the failure is expected.

Sometimes, you are required to completely close the port to stop any chances to access the server, you may disable ONS for good.

Leave a Reply

Your email address will not be published. Required fields are marked *