utl_http server name extension

Krisztian, Hegyvari
Krisztian, Hegyvari Member Posts: 39 Blue Ribbon
edited Jul 9, 2019 12:38PM in Database Security - General

Hi,

I have been consuming various services from my 11g database for some time. 2 days ago I stumbled upon a site which required TLS 1.2, so I applied the necessary patches but still received a certificate validation error. Using tcpdump I checked the traffic and saw that the wrong certificates were returned from the server, because the call did not use the server name extension. This service is hosted in the cloud and I could confirm this behaviour using openssl, where the server returned the (same) wrong certificates if I did not use the -servername switch.

I searched Oracle Support and found bug nr. 22707400, which I think confirms what I found.

Any ideas on how to get around this problem? I do not see much hope that this is going to be fixed in 11g; according to the bug report this problem has been fixed in 18, not even in 12.

I thought about writing a Java stored procedure, but the JVM in 11g is also old, so I suppose I would hit a dead end. As a last resort I could hack something together in PHP, a kind of internal proxy for this endpoint, but I thought I would ask first.

Regards,

Krisztian

Answers

  • Gaurav Kamal - Oracle-Oracle
    Gaurav Kamal - Oracle-Oracle Member Posts: 27
    edited Jul 9, 2019 12:08PM

    What is the URL you are trying to access?

    Are you getting any particular errors? If so, what?

    If you are using utl_http with SNI certificates, check the document below.

    SNI support for 12c ORA-29024: Certificate Validation Failure (Doc ID 2442422.1)

  • Krisztian, Hegyvari
    Krisztian, Hegyvari Member Posts: 39 Blue Ribbon
    edited Jul 9, 2019 12:19PM

    The error is a certificate validation error.

    The URL is https://api-test.iec.ch. I compared a packet trace from an unsuccessful connection attempt from the database with a successful connection from a browser. The database did not use SNI and the server responded with Google certificates; the browser connection used SNI and the server sent DigiCert certificates. OpenSSL confirms this.

    Thanks for the link, this would certainly solve my problem on 12c, but I am still on 11g.

  • Gaurav Kamal - Oracle-Oracle
    Gaurav Kamal - Oracle-Oracle Member Posts: 27
    edited Jul 9, 2019 12:23PM Accepted Answer

    SNI certificates are only supported from version 12.2 onward, and only with the help of the SNI patch mentioned in the document below.

    SNI support for 12c ORA-29024: Certificate Validation Failure (Doc ID 2442422.1)

    11g won't support SNI certs, and this bug patch is not back-portable to earlier versions.

    You will need to be on 12.2 to have this patch.
