2 replies to this topic

[gregwarner]

Ok, I'm at my wits end. My Java app can connect to our Oracle DB using the Thin driver over TCP just fine, but now I need to implement SSL Authentication and Encryption.

I've been hitting a brick wall here and I'm afraid I don't understand what's causing it. Every connection attempt results in the remote host closing the connection during the handshake. I tried to simplify my problem by forgetting about authentication for now and simply trying to do Diffie-Hellman anonymous authentication and encryption only. I still got the same error.

Here's the relevant portion of the stack trace:

java.sql.SQLRecoverableException: IO Error: Remote host closed connection during handshake
	at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:421)
	at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:531)
	at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:221)
	at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
	at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:503)
	at java.sql.DriverManager.getConnection(DriverManager.java:582)
	at java.sql.DriverManager.getConnection(DriverManager.java:154)


Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
	at oracle.net.ns.Packet.send(Packet.java:385)
	at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:173)
	at oracle.net.ns.NSProtocol.connect(NSProtocol.java:283)
	at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1042)
	at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:301)
	... 9 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
	at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798)
	... 17 more

Here's the Java code that's trying to connect:

// The following variables are defined prior to this. They check out correctly.
final String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(PORT=2484)(HOST=" + servername + "))(CONNECT_DATA=(SID=" + databasename + ")))";

// Again, these variables are defined previously. They check out correctly.
Properties props = new Properties();
props.setProperty("user", username);
props.setProperty("password", password);

props.setProperty("oracle.net.ssl_cipher_suites", "(SSL_DH_anon_WITH_RC4_128_MD5)");

Connection conn = DriverManager.getConnection(url, props); // This line throws the exception

According to the Thin driver over SSL whitepaper, this is all the code I should need on the client side.

On the Oracle server, here's my SQLNET.ORA file:

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)

SSL_VERSION = 0

SQLNET.ENCRYPTION_SERVER = required

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SSL_CLIENT_AUTHENTICATION = FALSE

SQLNET.CRYPTO_SEED = '[I][B][COLOR="#8b0000"]REMOVED FOR SECURITY[/COLOR][/B][/I]'

SQLNET.ENCRYPTION_TYPES_SERVER= (AES256, RC4_128)

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = D:\app\administrator\product\11.2.0\dbhome_1\BIN\owm\wallets\administrator)
    )
  )

#SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA)
SSL_CIPHER_SUITES= (SSL_DH_anon_WITH_RC4_128_MD5)

ADR_BASE = D:\app\administrator\product\11.2.0\dbhome_1\log

And here's my LISTENER.ORA file:

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = D:\app\administrator\product\11.2.0\dbhome_1)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:D:\app\administrator\product\11.2.0\dbhome_1\bin\oraclr11.dll")
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = [I][B][COLOR="#8b0000"]REMOVED FOR SECURITY[/COLOR][/B][/I])(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = [I][B][COLOR="#8b0000"]REMOVED FOR SECURITY[/COLOR][/B][/I])(PORT = 2484))
    )
  )

LOGGING_LISTENER = OFF

ADR_BASE_LISTENER = D:\app\administrator

There's where I stand. I've set SSL_CLIENT_AUTHENTICATION = FALSE for now while I'm experimenting with anonymous authentication. It was TRUE previously, when I was trying to use SSL_RSA_WITH_AES_256_CBC_SHA and SSL_RSA_WITH_RC4_128_SHA, but all with the same results.

Does anyone know what I'm doing wrong?

EDIT: I should also mention I have SSL Certificates signed and stored in the Wallet mentioned above, as well as in a trust store and a key store for the Java app, but that's more for the authentication once I get there.

Edited by gregwarner, 23 June 2011 - 12:52 PM.

[wim DC]

Are you sure you want

SSL_VERSION = 0

And not

SSL_VERSION = 2.0 or 3.0

?
As for the accepted values it says

Values

undetermined | 2.0 | 3.0

Unless the '0' means 'undetermined'

[gregwarner]

I used the Oracle Net Manager to create most of those settings. The 0 supposedly represents Any, but I tried it specifically with 3.0 (that's what the client uses by default, I believe), and I tried specifying 3.0 on the client side as well. Still wouldn't work when they were explicitly set.

Does somebody know if there's any way to get a more detailed error message than what I got from the stack trace so I can better determine where the problem lies?