I've been hitting a brick wall here and I'm afraid I don't understand what's causing it. Every connection attempt results in the remote host closing the connection during the handshake. I tried to simplify my problem by forgetting about authentication for now and simply trying to do Diffie-Hellman anonymous authentication and encryption only. I still got the same error.
Here's the relevant portion of the stack trace:
java.sql.SQLRecoverableException: IO Error: Remote host closed connection during handshake
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:421)
    at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:531)
    at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:221)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:503)
    at java.sql.DriverManager.getConnection(DriverManager.java:582)
    at java.sql.DriverManager.getConnection(DriverManager.java:154)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at oracle.net.ns.Packet.send(Packet.java:385)
    at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:173)
    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:283)
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1042)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:301)
    ... 9 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798)
    ... 17 more
Here's the Java code that's trying to connect:
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

// The following variables are defined prior to this. They check out correctly.
final String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(PORT=2484)(HOST="
        + servername + "))(CONNECT_DATA=(SID=" + databasename + ")))";

// Again, these variables are defined previously. They check out correctly.
Properties props = new Properties();
props.setProperty("user", username);
props.setProperty("password", password);
// Restrict the driver to the single anonymous DH suite configured on the server
props.setProperty("oracle.net.ssl_cipher_suites", "(SSL_DH_anon_WITH_RC4_128_MD5)");

Connection conn = DriverManager.getConnection(url, props); // This line throws the exception
According to the Thin driver over SSL whitepaper, this is all the code I should need on the client side.
On the Oracle server, here's my SQLNET.ORA file:
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)
SSL_VERSION = 0
SQLNET.ENCRYPTION_SERVER = required
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = FALSE
SQLNET.CRYPTO_SEED = 'REMOVED FOR SECURITY'
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256, RC4_128)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = D:\app\administrator\product\11.2.0\dbhome_1\BIN\owm\wallets\administrator)
    )
  )
#SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA)
SSL_CIPHER_SUITES= (SSL_DH_anon_WITH_RC4_128_MD5)
ADR_BASE = D:\app\administrator\product\11.2.0\dbhome_1\log
And here's my LISTENER.ORA file:
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = D:\app\administrator\product\11.2.0\dbhome_1)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:D:\app\administrator\product\11.2.0\dbhome_1\bin\oraclr11.dll")
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = REMOVED FOR SECURITY)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = REMOVED FOR SECURITY)(PORT = 2484))
    )
  )

LOGGING_LISTENER = OFF
ADR_BASE_LISTENER = D:\app\administrator
That's where I stand. I've set SSL_CLIENT_AUTHENTICATION = FALSE for now while I'm experimenting with anonymous authentication. It was TRUE previously, when I was trying to use SSL_RSA_WITH_AES_256_CBC_SHA and SSL_RSA_WITH_RC4_128_SHA, but all with the same results.
Does anyone know what I'm doing wrong?
EDIT: I should also mention I have SSL Certificates signed and stored in the Wallet mentioned above, as well as in a trust store and a key store for the Java app, but that's more for the authentication once I get there.
Edited by gregwarner, 23 June 2011 - 12:52 PM.
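A stand-alone probe, added here as an example and not part of the original post, that takes the JDBC driver out of the picture and attempts the same TLS handshake directly with JSSE against the TCPS listener on port 2484, offering only the anonymous suite from the post; the host name is a placeholder. It also reports the case where the JRE does not support the suite at all, which is what happens on recent JDKs that list anon and RC4 suites in jdk.tls.disabledAlgorithms.

```java
import java.util.Arrays;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Performs the TLS handshake the thin driver would perform on a TCPS listener,
// but without the driver, so a failure here is a TLS/JSSE problem rather than
// a SQL*Net one. Host is a placeholder; port and suite are the ones from the post.
public class TcpsHandshakeProbe {
    static final String HOST = "db.example.invalid"; // placeholder, replace with the listener host
    static final int PORT = 2484;
    static final String SUITE = "SSL_DH_anon_WITH_RC4_128_MD5";

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

        // Anonymous and RC4 suites are missing from the supported list on JREs that
        // disable them via jdk.tls.disabledAlgorithms; setEnabledCipherSuites would
        // then throw IllegalArgumentException, so report that case explicitly.
        if (!Arrays.asList(factory.getSupportedCipherSuites()).contains(SUITE)) {
            System.err.println("This JRE does not support " + SUITE
                    + "; the failure is client-side, not on the listener.");
            return;
        }

        SSLSocket socket = (SSLSocket) factory.createSocket(HOST, PORT);
        try {
            // Offer exactly the suite listed in SSL_CIPHER_SUITES on the server,
            // mirroring the oracle.net.ssl_cipher_suites driver property.
            socket.setEnabledCipherSuites(new String[] { SUITE });
            socket.startHandshake(); // throws SSLHandshakeException if the peer rejects it
            SSLSession session = socket.getSession();
            System.out.println("Handshake OK: " + session.getProtocol()
                    + " with " + session.getCipherSuite());
        } finally {
            socket.close();
        }
    }
}
```

Run it with `-Djavax.net.debug=ssl,handshake` (`ssl:handshake` on JDK 11 and later) to see which handshake message the listener answers with a close, which is the detail the driver's stack trace hides.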