SSL and Certificate Matching

  • From: mkb <mkb125@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Mon, 14 Jul 2008 12:25:34 -0700 (PDT)

I have set up SSL on my servers and I am using streams to communicate over SSL.  
So each server has a client and server certificate.  This environment has been 
set up on Oracle 10gR2 and RedHat Linux AS 4U2.

The client and server certificates are stored in separate Oracle wallets, one 
for the client and one for the server.

For testing the SSL connection, I created a user as follows:

alter user user1 identified externally as
'CN=acme, OU=acme, O=acme, L=NY, ST=NY, C=US';

I then use a simple Java program to connect to the database using the above 
user.  I am able to connect and have no issues there.

I've set SSL_CLIENT_AUTHENTICATION = TRUE in both the sqlnet.ora and 
listener.ora so that the server authenticates the client.

I'm trying to figure out if certificate matching takes place between client and 
server during the connection phase.  I tracked down the following document:
and in section B.3.4.1 SSL X.509 Server Match Parameters it seems to indicate 
that SSL_SERVER_DN_MATCH does not take place unless you explicitly set the 
parameter in the sqlnet.log file.

Anyway, even if you set this parameter to TRUE and force DN matching, what's 
there to prevent someone from constructing another certificate from a trusted 
issuer with the same DN and connecting to the database?  Is there a way I can 
create the user as above (with a DN) but also with another attribute from 
within the certificate such as certificate thumbprint or serial number?

I logged a TAR but I don't seem to be getting through to the support dude on 
the other end.  Perhaps I haven't explained it well enough but if anyone has 
some insight on this, I would sure appreciate it.

Oh BTW, I'll update you all on the TAR once I get a clear answer back from 
support as well.
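The distinction the post is asking about (what a subject-DN comparison can and cannot tell apart) can be shown with plain openssl. The script below is an added example, not code from the post or from Oracle: it generates two self-signed certificates that carry the same DN the post uses for user1, then compares them with a DN-only check, an issuer+serial check and a SHA-256 thumbprint check. It assumes the openssl command-line tool is on PATH; the function names, the temporary files and the certificates themselves are constructed here and are not anything Oracle's wallet or sqlnet.ora exposes.

```shell
#!/bin/sh
# Added example, not from the original post: compares DN-only certificate
# matching with issuer+serial and SHA-256 thumbprint matching.
# Assumes the openssl CLI is on PATH; all certificates are generated here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed subject: the same DN the post uses for user1, in OpenSSL's
# slash form (openssl prints it back in RFC2253 order, CN first).
TEST_SUBJ="/C=US/ST=NY/L=NY/O=acme/OU=acme/CN=acme"

# make_cert NAME: write a self-signed certificate carrying TEST_SUBJ and
# print its path. Every call yields a fresh key, serial and thumbprint,
# so two calls give two distinct certificates with an identical subject.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$TEST_SUBJ" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
    printf '%s\n' "$WORK/$1.crt"
}

# Field extractors. -nameopt RFC2253 gives the "CN=...,C=US" string form;
# the sed strips the "subject=" / "issuer=" / "serial=" / "... Fingerprint=" label.
cert_subject()    { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_issuer()     { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
cert_serial()     { openssl x509 -in "$1" -noout -serial | sed 's/^serial= *//'; }
cert_thumbprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'; }

# dn_match DN CERT: accept on the subject DN alone. Any certificate with this
# subject passes, whichever key or issuer is behind it.
dn_match() { [ "$(cert_subject "$2")" = "$1" ]; }

# issuer_serial_match ISSUER SERIAL CERT: issuer name plus serial number name
# exactly one certificate issued by that CA (here the certs are self-signed,
# so the issuer equals the subject, but the serials still differ).
issuer_serial_match() {
    [ "$(cert_issuer "$3")" = "$1" ] && [ "$(cert_serial "$3")" = "$2" ]
}

# pin_match THUMBPRINT CERT: accept only the exact certificate whose SHA-256
# hash was recorded; a re-issued certificate with the same DN does not pass.
pin_match() { [ "$(cert_thumbprint "$2")" = "$1" ]; }

# Demo: two different certificates, one subject DN.
demo() {
    a=$(make_cert first); b=$(make_cert second)
    dn=$(cert_subject "$a")
    echo "subject (both): $dn"
    echo "serial   a=$(cert_serial "$a")  b=$(cert_serial "$b")"
    echo "sha256   a=$(cert_thumbprint "$a")"
    echo "         b=$(cert_thumbprint "$b")"
    pin=$(cert_thumbprint "$a")
    dn_match "$dn" "$b"   && echo "DN-only match:    cert b ACCEPTED"
    pin_match "$pin" "$b" || echo "thumbprint match: cert b rejected"
}

demo
```

Running it prints the shared subject, two different serials and two different thumbprints, then shows the DN-only comparison accepting the second certificate while the pinned comparison rejects it. The same three extractors can be pointed at a certificate exported from a wallet to record which issuer, serial or thumbprint a given DN is actually expected to come with.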