Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Advanced Security and SSL

Re: Advanced Security and SSL

From: Jason Heinrich <jheinrichdba_at_gmail.com>
Date: Wed, 10 Oct 2007 15:39:25 -0500
Message-ID: <b32e774d0710101339v66aad6fcs782275a88f8feaf@mail.gmail.com> 





I don't think this went through yesterday, so here it is again.  In
case anyone is curious, I solved this problem.  It turns out the
"Certificate Validation Failure" error was right on.  The problem was
that I had not set SSL_CLIENT_AUTHENTICATION = FALSE in the
listener.ora file.  Oddly enough this only seemed to be a problem
going from Windows to AIX: I was able to connect from another AIX box
just fine.



I do have another question.  Does anyone know of a way to remove
trusted certificates from an Oracle wallet from the command line?  I
know I can use orapki to add a trusted certificate, but I can find no
way to remove them.  It seems like an oversight to me.



On 9/26/07, Jason Heinrich <jheinrichdba_at_gmail.com> wrote:


> So has anybody seen this error before?  Upgrading the client to 10.2.0.3

> didn't help (though I didn't expect it to).

>

>

> On 9/21/07, Jason Heinrich <jheinrichdba_at_gmail.com> wrote:

> >

> > List,

> > I'm attempting to setup SSL connectivity to a test database (10.2.0.1 on

> AIX 5.3), but I keep getting an error on the client ( 10.2.0.1 on Windows

> XP): ORA-28860: Fatal SSL error.

> >

> > I've checked the sqlnet.ora files to make sure they match, and I've

> checked the wallets to make sure the trusted certificate on the client

> matches the signer for the server certificate.  A client trace didn't give

> any useful information, but a trace of the listener on the server revealed

> this:

> > ntzdosecneg: SSL handshake failed with error 29024

> >

> > Of course, useful information about these errors seems sparse.  If that's

> an ORA error, then it would refer to a "Certificate validation failure",

> which doesn't make sense because the client shouldn't be sending a

> certificate to the server.  I've included relavent portions of config files

> below for reference:

> >

> > Client sqlnet.ora:

> > SSL_VERSION = 3.0


> > SSL_CLIENT_AUTHENTICATION = FALSE


> > SSL_SERVER_DN_MATCH = No

> > SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA,


> SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)


> >

> > Server sqlnet.ora:

> > TCP.VALIDNODE_CHECKING=YES


> > TCP.INVITED_NODES=(<list of ip addresses, including the client>)

> > SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA,


> SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)


> > SSL_VERSION=3.0


> > SSL_CLIENT_AUTHENTICATION=FALSE


> >

> > TCPS is set as the protocol in the server's listener.ora and client's

> tnsnames.ora.  Interestingly enough, I have no trouble connecting to the

> database via TCPS while on the server.  Any ideas?




-- 
Jason Heinrich
Oracle Developer/DBA
--
http://www.freelists.org/webpage/oracle-l


Received on Wed Oct 10 2007 - 15:39:25 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US