OJDBC - Remote host closed connection during handshake


#1 gregwarner
Okay, I'm at my wits' end. My Java app can connect to our Oracle DB using the Thin driver over TCP just fine, but now I need to implement SSL authentication and encryption.

I've been hitting a brick wall here, and I'm afraid I don't understand what's causing it. Every connection attempt results in the remote host closing the connection during the handshake. I tried to simplify my problem by forgetting about authentication for now and simply trying to do Diffie-Hellman anonymous authentication and encryption only. I still got the same error.

Here's the relevant portion of the stack trace:


java.sql.SQLRecoverableException: IO Error: Remote host closed connection during handshake
	at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:421)
	at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:531)
	at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:221)
	at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
	at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:503)
	at java.sql.DriverManager.getConnection(DriverManager.java:582)
	at java.sql.DriverManager.getConnection(DriverManager.java:154)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
	at oracle.net.ns.Packet.send(Packet.java:385)
	at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:173)
	at oracle.net.ns.NSProtocol.connect(NSProtocol.java:283)
	at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1042)
	at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:301)
	... 9 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
	at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798)
	... 17 more


Here's the Java code that's trying to connect:

import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

// The following variables (servername, databasename, username, password)
// are defined prior to this. They check out correctly.

// TCPS address on the listener's SSL port (2484), connecting by SID.
final String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(PORT=2484)(HOST=" + servername + "))(CONNECT_DATA=(SID=" + databasename + ")))";

Properties props = new Properties();
props.setProperty("user", username);
props.setProperty("password", password);

// Restrict the client to the anonymous DH suite the server is configured for.
props.setProperty("oracle.net.ssl_cipher_suites", "(SSL_DH_anon_WITH_RC4_128_MD5)");

Connection conn = DriverManager.getConnection(url, props); // This line throws the exception


According to the Thin driver over SSL whitepaper, this is all the code I should need on the client side.

On the Oracle server, here's my SQLNET.ORA file:


SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)

SSL_VERSION = 0

SQLNET.ENCRYPTION_SERVER = required

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SSL_CLIENT_AUTHENTICATION = FALSE

SQLNET.CRYPTO_SEED = 'REMOVED FOR SECURITY'

SQLNET.ENCRYPTION_TYPES_SERVER= (AES256, RC4_128)

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = D:\app\administrator\product\11.2.0\dbhome_1\BIN\owm\wallets\administrator)
    )
  )

#SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA)
SSL_CIPHER_SUITES= (SSL_DH_anon_WITH_RC4_128_MD5)

ADR_BASE = D:\app\administrator\product\11.2.0\dbhome_1\log


And here's my LISTENER.ORA file:


SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = D:\app\administrator\product\11.2.0\dbhome_1)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:D:\app\administrator\product\11.2.0\dbhome_1\bin\oraclr11.dll")
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = REMOVED FOR SECURITY)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = REMOVED FOR SECURITY)(PORT = 2484))
    )
  )

LOGGING_LISTENER = OFF

ADR_BASE_LISTENER = D:\app\administrator


That's where I stand. I've set SSL_CLIENT_AUTHENTICATION = FALSE for now while I'm experimenting with anonymous authentication. It was TRUE previously, when I was trying to use SSL_RSA_WITH_AES_256_CBC_SHA and SSL_RSA_WITH_RC4_128_SHA, but all with the same results.

Does anyone know what I'm doing wrong?

EDIT: I should also mention that I have SSL certificates signed and stored in the wallet mentioned above, as well as in a trust store and a key store for the Java app, but that's more for the authentication once I get there.

Edited by gregwarner, 23 June 2011 - 12:52 PM.

Hofstadter's Law: It always takes longer than you expect, even when you take into account Hofstadter's Law.

– Douglas Hofstadter, Gödel, Escher, Bach: An Eternal Golden Braid


#2 wim DC
Are you sure you want
SSL_VERSION = 0
and not
SSL_VERSION = 2.0 or 3.0
?
As for the accepted values, it says:

Quote:
    Values
    undetermined | 2.0 | 3.0

Unless the '0' means 'undetermined'.

#3 gregwarner
I used the Oracle Net Manager to create most of those settings. The 0 supposedly represents "Any", but I tried it specifically with 3.0 (that's what the client uses by default, I believe), and I tried specifying 3.0 on the client side as well. It still wouldn't work when they were explicitly set.

Does somebody know if there's any way to get a more detailed error message than what I got from the stack trace, so I can better determine where the problem lies?
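Added example, not code from any of the posts above: a Thin-driver TCPS connection configured for server authentication against a trust store instead of anonymous Diffie-Hellman, with the JSSE handshake trace switched on. The trace is the direct answer to the "more detailed error" question in #3: with javax.net.debug=ssl,handshake the JDK prints the ClientHello it sent, the server's response (or the alert / raw close it got instead), and the certificate chain, so you can see whether the listener rejected the cipher suite, the protocol version, or never completed the TLS layer at all. The anonymous suite in the thread is worth dropping even once it works: SSL_DH_anon skips certificate verification entirely, so anything answering on port 2484 can sit in the middle of the session, and RC4/MD5 are obsolete. Host name, SID, trust-store path and password, and the server certificate DN are placeholders; the oracle.net.* and javax.net.ssl.* property names are the ones the Thin driver documents for SSL, and the SECURITY clause with SSL_SERVER_CERT_DN is what oracle.net.ssl_server_dn_match checks against.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/**
 * Thin-driver TCPS connection with server authentication.
 * All host/SID/path/DN values below are placeholders (assumptions),
 * not values from the original thread.
 */
public class TcpsConnect {

    // Placeholders: replace with your listener host, SSL port and SID.
    static final String HOST = "db.example.com";
    static final int PORT = 2484;
    static final String SID = "ORCL";
    // DN of the certificate in the server wallet (placeholder).
    static final String SERVER_CERT_DN = "CN=db.example.com,O=Example,C=US";

    /** Connect descriptor: TCPS address plus the DN the server must present. */
    static String buildUrl(String host, int port, String sid, String serverDn) {
        return "jdbc:oracle:thin:@(DESCRIPTION="
             + "(ADDRESS=(PROTOCOL=tcps)(HOST=" + host + ")(PORT=" + port + "))"
             + "(CONNECT_DATA=(SID=" + sid + "))"
             + "(SECURITY=(SSL_SERVER_CERT_DN=\"" + serverDn + "\")))";
    }

    /** Driver properties: credentials, trust store, authenticated suites only. */
    static Properties buildProperties(String user, String password,
                                      String trustStorePath, String trustStorePassword) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);

        // JKS trust store containing the CA that signed the server wallet cert.
        props.setProperty("javax.net.ssl.trustStore", trustStorePath);
        props.setProperty("javax.net.ssl.trustStoreType", "JKS");
        props.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

        // Only suites in which the server proves possession of its key;
        // no *_anon_* suites, no RC4, no MD5.
        props.setProperty("oracle.net.ssl_cipher_suites",
            "(SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA)");

        // Reject a server whose certificate DN differs from SSL_SERVER_CERT_DN.
        props.setProperty("oracle.net.ssl_server_dn_match", "true");
        return props;
    }

    public static void main(String[] args) throws SQLException {
        // JSSE handshake trace to stderr: hellos, cipher suite selection,
        // certificate chain and alerts. Same effect as -Djavax.net.debug=ssl,handshake
        // on the command line; set it before the first SSL socket is created.
        System.setProperty("javax.net.debug", "ssl,handshake");

        String url = buildUrl(HOST, PORT, SID, SERVER_CERT_DN);
        // Placeholder credentials and trust store (assumptions).
        Properties props = buildProperties("appuser", "app-password",
                                           "/etc/app/truststore.jks", "changeit");

        try (Connection conn = DriverManager.getConnection(url, props);
             Statement st = conn.createStatement();
             // Confirms on the server side that the session really is TCPS.
             ResultSet rs = st.executeQuery(
                 "SELECT sys_context('USERENV','NETWORK_PROTOCOL') FROM dual")) {
            if (rs.next()) {
                System.out.println("Connected over: " + rs.getString(1)); // expect "tcps"
            }
        }
    }
}
```

Run it once with the trace on and read the last few lines before the exception: if the ClientHello goes out and the socket closes with no ServerHello, the listener's SSL_CIPHER_SUITES or SSL_VERSION did not overlap with what the client offered (or the wallet could not be opened); if a ServerHello and certificate come back and the failure is on the client, it is a trust-store or DN-match problem. The same NETWORK_PROTOCOL query is also a cheap check that an application is actually using the encrypted listener address and not silently falling back to port 1521.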

