Advanced Security and SSL

  • From: "Jason Heinrich" <jheinrichdba@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Fri, 21 Sep 2007 15:49:07 -0500

List,
I'm attempting to set up SSL connectivity to a test database (10.2.0.1 on AIX
5.3), but I keep getting an error on the client (10.2.0.1 on Windows XP):
ORA-28860: Fatal SSL error.

I've checked the sqlnet.ora files to make sure they match, and I've checked
the wallets to make sure the trusted certificate on the client matches the
signer for the server certificate.  A client trace didn't give any useful
information, but a trace of the listener on the server revealed this:
ntzdosecneg: SSL handshake failed with error 29024

Of course, useful information about these errors seems sparse.  If that's an
ORA error, then it would refer to a "Certificate validation failure", which
doesn't make sense because the client shouldn't be sending a certificate to
the server.  I've included relevant portions of config files below for
reference:

Client sqlnet.ora:
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_SERVER_DN_MATCH = No
SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

Server sqlnet.ora:
TCP.VALIDNODE_CHECKING=YES
TCP.INVITED_NODES=(<list of ip addresses, including the client>)
SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SSL_VERSION=3.0
SSL_CLIENT_AUTHENTICATION=FALSE

TCPS is set as the protocol in the server's listener.ora and client's
tnsnames.ora.  Interestingly enough, I have no trouble connecting to the
database via TCPS while on the server.  Any ideas?

-- 
Jason Heinrich
Oracle Developer/DBA
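
As an added example (not part of the original post and not Oracle code), the sqlnet.ora comparison the message describes can be scripted. This Python script parses the two fragments quoted above, embedded as constructed input, and reports SSL_* parameters that differ or are set on one side only; the function names are hypothetical.

```python
import re

# Constructed input: the sqlnet.ora fragments quoted in the post above.
CLIENT = """\
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_SERVER_DN_MATCH = No
SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
"""
SERVER = """\
TCP.VALIDNODE_CHECKING=YES
SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SSL_VERSION=3.0
SSL_CLIENT_AUTHENTICATION=FALSE
"""

def parse_sqlnet(text):
    """Return {PARAM: value}; a value continues until its parentheses balance."""
    params, buf, depth = {}, "", 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        buf = f"{buf} {line}" if buf else line
        depth += line.count("(") - line.count(")")
        if depth <= 0 and "=" in buf:
            name, value = buf.split("=", 1)
            params[name.strip().upper()] = value.strip()
            buf, depth = "", 0
    return params

def normalise(name, value):
    # Cipher suites compare as an ordered list; other values case-insensitively.
    if name == "SSL_CIPHER_SUITES":
        return [s.upper() for s in re.findall(r"\w+", value)]
    return value.upper()

def compare_ssl(client_text, server_text):
    """Report SSL_* parameters that differ or are set on one side only."""
    c, s = parse_sqlnet(client_text), parse_sqlnet(server_text)
    report = {"mismatch": {}, "client_only": [], "server_only": []}
    for name in sorted(n for n in set(c) | set(s) if n.startswith("SSL_")):
        if name not in s:
            report["client_only"].append(name)
        elif name not in c:
            report["server_only"].append(name)
        elif normalise(name, c[name]) != normalise(name, s[name]):
            report["mismatch"][name] = (c[name], s[name])
    return report
```

Calling `compare_ssl(CLIENT, SERVER)` on the quoted fragments returns no mismatches and lists `SSL_SERVER_DN_MATCH` as set on the client only.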
