Changes needed to continue using unsafe servers for integrations post 23C version
Answer ID 12804   |   Last Review Date 03/08/2024

Why do cURL calls fail with the “unsafe legacy renegotiation disabled” error after upgrading to 23D or later?

Environment:

Customization, Integration

Resolution:

Oracle B2C Service upgraded the OpenSSL version used in the product to the 3.0 Long Term Support (LTS) release in the 23D release, to fix several vulnerabilities and keep the servers compliant.
 
TLSv1.2 (and earlier) support the concept of renegotiation. In 2009, after the TLSv1.2 specification (RFC 5246) was published, a flaw was discovered in how renegotiation works (CVE-2009-3555): an attacker could splice their own data in front of a client's request in a way the server could not distinguish from a single legitimate session. The fix, the renegotiation_info extension defined in RFC 5746, was adopted by all major TLS libraries. Because the fix works by having each side signal that it understands the extension, both the client and the server need to support it for the fixed version of renegotiation to be used.
 
The original (unfixed) version of renegotiation is known as "unsafe legacy renegotiation" in OpenSSL. The fixed version (RFC 5746) is known as "secure renegotiation".
 
OpenSSL 3.0 disables "unsafe legacy renegotiation" by default: as a client it refuses to complete the handshake with a server that does not signal support for secure renegotiation, and reports "unsafe legacy renegotiation disabled". Integrations that call such unfixed (unsafe) servers, for example through cURL, therefore break after the upgrade.
 
The recommended option is to upgrade the target site's servers to support "Secure Renegotiation", so that integrations keep working after Oracle B2C Service is upgraded to 23D. The temporary workaround, to prevent integrations from failing, is to apply a special patch to the 23D version of Oracle B2C Service which re-enables client connections to such unsafe servers. Note that this restores the pre-23D behaviour, and with it the exposure to the 2009 renegotiation attack for those connections, so it should be treated as a stopgap while the target servers are fixed.
 
In that case, raise an SR with CX Service Support to have the patch applied to the 23D site.
 
Additional Information
 
To test whether a target server supports "Secure Renegotiation", run the following shell command and look for the line "Secure Renegotiation IS supported" in the output (a server that only offers the unsafe version prints "Secure Renegotiation IS NOT supported"). Force a TLS 1.2 session with -tls1_2: TLS 1.3 removed renegotiation altogether, so on a TLS 1.3 session the line always reads "IS NOT supported" and says nothing about how the server behaves on TLS 1.2. Redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input.
 
openssl s_client -connect <server_host>:443 -servername <server_host> -tls1_2 < /dev/null
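The check above can be scripted across many integration endpoints. The following is an added example, not part of the original article or of Oracle's code: a POSIX shell function that classifies an s_client transcript (secure, legacy, tls13 or unknown) and a wrapper that probes a live host. The s_client transcripts embedded in it are constructed, abridged samples for an offline demonstration, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not Oracle's code): classify `openssl s_client` output
# with respect to RFC 5746 secure renegotiation. Reads the s_client
# transcript on stdin and prints one word:
#   secure  - server advertises secure renegotiation; an OpenSSL 3 client connects
#   legacy  - server only offers the original, unsafe renegotiation; OpenSSL 3
#             fails with "unsafe legacy renegotiation disabled"
#   tls13   - session used TLS 1.3, which has no renegotiation, so the
#             "Secure Renegotiation" line says nothing about TLS 1.2 behaviour
#   unknown - no handshake summary found (connection refused, wrong port, ...)
reneg_status() {
    transcript=$(cat)
    case "$transcript" in
        # Check the protocol first: a TLS 1.3 transcript also carries the
        # "IS NOT supported" line and would otherwise be misreported as legacy.
        *"New, TLSv1.3,"*|*"Protocol  : TLSv1.3"*)   echo tls13 ;;
        *"Secure Renegotiation IS supported"*)       echo secure ;;
        *"Secure Renegotiation IS NOT supported"*)   echo legacy ;;
        *)                                           echo unknown ;;
    esac
}

# Probe a live host (needs network access). -tls1_2 forces a TLS 1.2 session
# so the result is meaningful, -servername sets SNI, and </dev/null makes
# s_client exit after the handshake instead of waiting for data to send.
probe_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
        </dev/null 2>&1 | reneg_status
}

# Constructed, abridged s_client transcripts for an offline demonstration.
SAMPLE_SECURE='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
    Protocol  : TLSv1.2'
SAMPLE_LEGACY='New, TLSv1.2, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
    Protocol  : TLSv1.2'
SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
    Protocol  : TLSv1.3'
SAMPLE_FAILED='connect: Connection refused
connect:errno=111'

# Offline demo: expected output is secure, legacy, tls13, unknown (one per line).
for s in "$SAMPLE_SECURE" "$SAMPLE_LEGACY" "$SAMPLE_TLS13" "$SAMPLE_FAILED"; do
    printf '%s\n' "$s" | reneg_status
done
```

To use it against a real endpoint, call `probe_host integration.example.com` (hostname is a placeholder) from a host with OpenSSL 3 and network access; a result of "legacy" identifies a server that will break the integration after the 23D upgrade, and "tls13" means the probe should be repeated (the wrapper already forces TLS 1.2, so it only occurs when the transcript was captured another way).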