Re: Advanced Security and SSL

  • From: "Jason Heinrich" <jheinrichdba@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Wed, 10 Oct 2007 15:39:25 -0500

I don't think this went through yesterday, so here it is again.  In
case anyone is curious, I solved this problem.  It turns out the
"Certificate Validation Failure" error was right on.  The problem was
that I had not set SSL_CLIENT_AUTHENTICATION = FALSE in the
listener.ora file.  Oddly enough this only seemed to be a problem
going from Windows to AIX: I was able to connect from another AIX box
just fine.

I do have another question.  Does anyone know of a way to remove
trusted certificates from an Oracle wallet from the command line?  I
know I can use orapki to add a trusted certificate, but I can find no
way to remove them.  It seems like an oversight to me.

On 9/26/07, Jason Heinrich <jheinrichdba@xxxxxxxxx> wrote:
> So has anybody seen this error before?  Upgrading the client to 10.2.0.3
> didn't help (though I didn't expect it to).
>
>
> On 9/21/07, Jason Heinrich <jheinrichdba@xxxxxxxxx> wrote:
> >
> > List,
> > I'm attempting to set up SSL connectivity to a test database (10.2.0.1 on
> AIX 5.3), but I keep getting an error on the client (10.2.0.1 on Windows
> XP): ORA-28860: Fatal SSL error.
> >
> > I've checked the sqlnet.ora files to make sure they match, and I've
> checked the wallets to make sure the trusted certificate on the client
> matches the signer for the server certificate.  A client trace didn't give
> any useful information, but a trace of the listener on the server revealed
> this:
> > ntzdosecneg: SSL handshake failed with error 29024
> >
> > Of course, useful information about these errors seems sparse.  If that's
> an ORA error, then it would refer to a "Certificate validation failure",
> which doesn't make sense because the client shouldn't be sending a
> certificate to the server.  I've included relevant portions of config files
> below for reference:
> >
> > Client sqlnet.ora:
> > SSL_VERSION = 3.0
> > SSL_CLIENT_AUTHENTICATION = FALSE
> > SSL_SERVER_DN_MATCH = No
> > SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA,
> SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
> >
> > Server sqlnet.ora:
> > TCP.VALIDNODE_CHECKING=YES
> > TCP.INVITED_NODES=(<list of ip addresses, including the client>)
> > SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA,
> SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
> > SSL_VERSION=3.0
> > SSL_CLIENT_AUTHENTICATION=FALSE
> >
> > TCPS is set as the protocol in the server's listener.ora and client's
> tnsnames.ora.  Interestingly enough, I have no trouble connecting to the
> database via TCPS while on the server.  Any ideas?


-- 
Jason Heinrich
Oracle Developer/DBA
--
//www.freelists.org/webpage/oracle-l
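The fix reported above (SSL_CLIENT_AUTHENTICATION = FALSE has to be present in listener.ora, not only in sqlnet.ora, because the listener reads its SSL parameters from listener.ora) and the follow-up question about wallet maintenance, as an added example that is not part of the original message and not Oracle's own code. It writes a server-side listener.ora/sqlnet.ora pair with the setting in both files, checks that the two files agree (a missing setting defaults to TRUE, which is the state that produced the "Certificate validation failure"), and lists the orapki commands for displaying and removing a trusted certificate. The wallet directory, host, port, SID, DN and password are hypothetical placeholders; `orapki wallet remove` is assumed to be available from 11g onward (the 10.2 orapki discussed in the thread apparently lacks it). The orapki step only runs when orapki is on PATH, so the script is safe to execute elsewhere.

```shell
#!/bin/sh
# Added example (not from the original post): TCPS listener configuration
# with SSL_CLIENT_AUTHENTICATION=FALSE in BOTH listener.ora and sqlnet.ora,
# a consistency check between the two files, and orapki wallet maintenance.
# All values below are hypothetical placeholders.
WALLET_DIR=${WALLET_DIR:-/u01/app/oracle/wallet}
WALLET_PWD=${WALLET_PWD:-change_me}      # placeholder; pass via environment
DB_HOST=${DB_HOST:-dbhost}
TCPS_PORT=${TCPS_PORT:-2484}
ORACLE_SID_NAME=${ORACLE_SID_NAME:-ORCL}

# Write listener.ora and sqlnet.ora into directory $1.  The listener takes its
# SSL parameters from listener.ora, so the setting must appear there too;
# otherwise the listener still demands a client certificate.
write_net_config() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/listener.ora" <<EOF
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = $DB_HOST)(PORT = $TCPS_PORT))
    )
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = $ORACLE_SID_NAME))
  )

WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = $WALLET_DIR)))

# The line that was missing in the original setup: without it the listener
# expects a client certificate and the handshake fails.
SSL_CLIENT_AUTHENTICATION = FALSE
EOF
    cat > "$dir/sqlnet.ora" <<EOF
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = $WALLET_DIR)))

SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA)
EOF
}

# Effective SSL_CLIENT_AUTHENTICATION value of one Oracle Net file:
# last uncommented assignment wins, upper-cased; absent means the default TRUE.
client_auth_value() {
    v=$(grep -i '^[[:space:]]*SSL_CLIENT_AUTHENTICATION' "$1" 2>/dev/null \
        | tail -n 1 | sed 's/.*=[[:space:]]*//' \
        | tr '[:lower:]' '[:upper:]' | tr -d '[:space:]')
    echo "${v:-TRUE}"
}

# Return 0 when listener.ora and sqlnet.ora in $1 agree, 1 on a mismatch.
check_client_auth_consistent() {
    l=$(client_auth_value "$1/listener.ora")
    s=$(client_auth_value "$1/sqlnet.ora")
    if [ "$l" = "$s" ]; then
        echo "SSL_CLIENT_AUTHENTICATION consistent: $l"
        return 0
    fi
    echo "MISMATCH: listener.ora=$l sqlnet.ora=$s" >&2
    return 1
}

# Wallet maintenance.  'orapki wallet remove' is assumed to exist from 11g
# onward; skipped entirely when orapki is not installed.
wallet_maintenance() {
    if ! command -v orapki >/dev/null 2>&1; then
        echo "orapki not on PATH; skipping wallet maintenance" >&2
        return 0
    fi
    orapki wallet display -wallet "$WALLET_DIR"
    # Remove one trusted certificate, selected by its DN (hypothetical DN).
    orapki wallet remove -wallet "$WALLET_DIR" -trusted_cert \
        -dn 'CN=Old Test CA,O=Example' -pwd "$WALLET_PWD"
}

# Stand-alone demonstration in a scratch directory.
DEMO_DIR=$(mktemp -d)
write_net_config "$DEMO_DIR"
check_client_auth_consistent "$DEMO_DIR"
wallet_maintenance
```

To reproduce the original failure, delete the SSL_CLIENT_AUTHENTICATION line from the generated listener.ora: the check then reports listener.ora=TRUE against sqlnet.ora=FALSE, which is exactly the state in which the listener asks the client for a certificate it does not have.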