I don't think this went through yesterday, so here it is again. In case anyone is curious, I solved this problem. It turns out the "Certificate Validation Failure" error was right on. The problem was that I had not set SSL_CLIENT_AUTHENTICATION = FALSE in the listener.ora file. Oddly enough this only seemed to be a problem going from Windows to AIX: I was able to connect from another AIX box just fine. I do have another question. Does anyone know of a way to remove trusted certificates from an Oracle wallet from the command line? I know I can use orapki to add a trusted certificate, but I can find no way to remove them. It seems like an oversight to me. On 9/26/07, Jason Heinrich <jheinrichdba@xxxxxxxxx> wrote: > So has anybody seen this error before? Upgrading the client to 10.2.0.3 > didn't help (though I didn't expect it to). > > > On 9/21/07, Jason Heinrich <jheinrichdba@xxxxxxxxx> wrote: > > > > List, > > I'm attempting to setup SSL connectivity to a test database (10.2.0.1 on > AIX 5.3), but I keep getting an error on the client ( 10.2.0.1 on Windows > XP): ORA-28860: Fatal SSL error. > > > > I've checked the sqlnet.ora files to make sure they match, and I've > checked the wallets to make sure the trusted certificate on the client > matches the signer for the server certificate. A client trace didn't give > any useful information, but a trace of the listener on the server revealed > this: > > ntzdosecneg: SSL handshake failed with error 29024 > > > > Of course, useful information about these errors seems sparse. If that's > an ORA error, then it would refer to a "Certificate validation failure", > which doesn't make sense because the client shouldn't be sending a > certificate to the server. I've included relavent portions of config files > below for reference: > > > > Client sqlnet.ora: > > SSL_VERSION = 3.0 > > SSL_CLIENT_AUTHENTICATION = FALSE > > SSL_SERVER_DN_MATCH = No > > SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA, > SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA) > > > > Server sqlnet.ora: > > TCP.VALIDNODE_CHECKING=YES > > TCP.INVITED_NODES=(<list of ip addresses, including the client>) > > SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA, > SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA) > > SSL_VERSION=3.0 > > SSL_CLIENT_AUTHENTICATION=FALSE > > > > TCPS is set as the protocol in the server's listener.ora and client's > tnsnames.ora. Interestingly enough, I have no trouble connecting to the > database via TCPS while on the server. Any ideas? -- Jason Heinrich Oracle Developer/DBA -- //www.freelists.org/webpage/oracle-l