USE SSL FOR ENCRYPTION ONLY in Oracle12c failed

JijoAC Member Posts: 9
edited Jul 17, 2019 1:40AM in Database Security - General

We are trying to implement SSL encryption between the Oracle 12c server and a Java thin client. We followed the steps described in https://www.oracle.com/technetwork/database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf

We are trying CASE #1: USE SSL FOR ENCRYPTION ONLY, when we implement

First, we got the error

java.sql.SQLRecoverableException: IO Error: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

So we updated the cipher suite list

props.setProperty("oracle.net.ssl_cipher_suites", "(" + "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, " + "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, " + "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 )"); 

Now we are getting "java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection"

In the listener.log

  • (ADDRESS=(PROTOCOL=tcps)(HOST=192.168.0.153)(PORT=10023)) * * 542 TNS-00542: SSL Handshake failed TNS-12560: TNS:protocol adapter error

Is there any difference in the Oracle12c?

Answers

  • Gaurav Kamal - Oracle-Oracle
    Gaurav Kamal - Oracle-Oracle Member Posts: 27
    edited Jul 12, 2019 1:54PM

    This looks more like a JDBC connection issue.

    Is the connection failing from DB as well?

    What does the sqlnet.ora file look like?

    What is the DB and the PSU version?

  • JijoAC
    JijoAC Member Posts: 9
    edited Jul 15, 2019 1:35AM

    We successfully connected over JDBC using CASE #2: USE SSL FOR ENCRYPTION AND SERVER AUTHENTICATION by setting the truststore details.

    But we are not able to connect using CASE #1: USE SSL FOR ENCRYPTION ONLY. In this option we are using Diffie-Hellman anonymous authentication and have not set any “truststore” or “keystore”.

    Our sqlnet.ora is,

    SQLNET.AUTHENTICATION_SERVICES = NTS
    NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
    WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=D:\Oracle12c\product\12.2.0\dbhome_1\bin\server)))
    SSL_CLIENT_AUTHENTICATION = FALSE

    We are using Oracle 12c

    RDBMS_12.2.0.1.0_WINDOWS.X64_170210.4

  • Gaurav Kamal - Oracle-Oracle
    Gaurav Kamal - Oracle-Oracle Member Posts: 27
    edited Jul 15, 2019 6:11PM

    What document are you following and what errors are you getting?

    Diffie-Hellman key encryption and TLS JDBC compatibility (Doc ID 2288489.1)

    Provide the complete command and the errors you are encountering from the DB.

    Are you on the latest PSU / RU / BP?

  • JijoAC
    JijoAC Member Posts: 9
    edited Jul 16, 2019 9:50AM

    Thank you Mr. Gaurav Kamal,

    I am using "SSL With Oracle JDBC Thin Driver" document from https://www.oracle.com/technetwork/database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf

    I have downloaded Oracle12c from https://www.oracle.com/technetwork/database/enterprise-edition/downloads/oracle12c-windows-3633015.html

    Not using any PSU. Oracle version is,

         Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
         PL/SQL Release 12.2.0.1.0 - Production
         "CORE    12.2.0.1.0    Production"
         TNS for 64-bit Windows: Version 12.2.0.1.0 - Production
         NLSRTL Version 12.2.0.1.0 - Production

    I am afraid I cannot open the doc you specified as I have no

    My aim is to use SSL for communication encryption in our Java sample.

    Here is our Java code

    try {
        String databaseSSLUrl = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.0.10)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl.Test.local)))";
        Security.insertProviderAt(new oracle.security.pki.OraclePKIProvider(), 3);
        Properties props = new Properties();
        props.setProperty("user", "TEST_DATA");
        props.setProperty("password", "TEST");
        props.setProperty("oracle.net.ssl_cipher_suites", "("
                + "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "
                + "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "
                + "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "
                + "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "
                + "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "
                + "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 )");
        try (Connection con = DriverManager.getConnection(databaseSSLUrl, props);
                PreparedStatement pst = con.prepareStatement("SELECT * FROM TBL_SSL_TEST");
                ResultSet rs = pst.executeQuery()) {
            while (rs.next()) {
                System.out.println(rs.getString(1));
            }
        }
    } catch (SQLException e) {
        System.out.println(e.toString());
    }

    When we run the above sample, we get the following exception

               "java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection"

    So I checked the listener.log; it says

    • (ADDRESS=(PROTOCOL=tcps)(HOST=192.168.0.153)(PORT=10023)) * * 542 TNS-00542: SSL Handshake failed TNS-12560: TNS:protocol adapter error
  • Gaurav Kamal - Oracle-Oracle
    Gaurav Kamal - Oracle-Oracle Member Posts: 27
    edited Jul 16, 2019 1:45PM

    Can you please confirm if this is limited to the Java application?

    Does SSL work from the DB directly?

    Also please confirm if this works once you remove the set of cipher suites in your code.

    What PSU level are you on?

  • JijoAC
    JijoAC Member Posts: 9
    edited Jul 17, 2019 1:40AM

    Thank you,

    This problem is limited to the Java application; I can connect from sqlplus.

    When we remove all cipher suites we get

    1. java.sql.SQLRecoverableException: IO Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    The cipher suites used by the sample code in the document https://www.oracle.com/technetwork/database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf are:

         props.setProperty("oracle.net.ssl_cipher_suites","(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)");

    When we use this we get the following exception

    1. java.sql.SQLRecoverableException: IO Error: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

    So I changed to

    props.setProperty("oracle.net.ssl_cipher_suites", "("
            + "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "
            + "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "
            + "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "
            + "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "
            + "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "
            + "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 )");

    Then we got,

    java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection

    We are using OPATCH_VERSION:12.2.0.1.6
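
A local check for the cipher-suite errors reported in this thread, added here as an example (it is not code from the thread or from Oracle's white paper): it asks the client JVM which of the suite names used above it supports and enables by default, and prints the `jdk.tls.disabledAlgorithms` security property. The class name `CipherSuiteCheck` and the `TLS_`-prefix fallback are assumptions; the program opens no connection and does not show how the Oracle JDBC driver maps these names.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class CipherSuiteCheck {
    // Suite names copied from the oracle.net.ssl_cipher_suites values in this thread.
    static final String[] REQUESTED = {
        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
        "SSL_DH_anon_WITH_RC4_128_MD5",
        "SSL_DH_anon_WITH_DES_CBC_SHA",
        "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    };

    // Classify one name against the JVM's supported and default-enabled suites.
    static String status(String name, Set<String> supported, Set<String> enabled) {
        // Assumption: also try the TLS_ spelling, since JSSE lists many suites under it.
        String alt = name.startsWith("SSL_") ? "TLS_" + name.substring(4) : name;
        String[] candidates = name.equals(alt) ? new String[] {name} : new String[] {name, alt};
        for (String n : candidates) {
            if (enabled.contains(n)) return "enabled by default as " + n;
        }
        for (String n : candidates) {
            if (supported.contains(n)) return "supported but not enabled by default as " + n;
        }
        return "not in this JVM's supported list";
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters def = ctx.getDefaultSSLParameters();
        Set<String> supported = new HashSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(Arrays.asList(def.getCipherSuites()));

        System.out.println("java.version               = " + System.getProperty("java.version"));
        System.out.println("default protocols          = " + Arrays.toString(def.getProtocols()));
        // Security property that removes protocols and algorithms from TLS negotiation.
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        for (String suite : REQUESTED) {
            System.out.printf("%-42s %s%n", suite, status(suite, supported, enabled));
        }
    }
}
```

Run it with the same JRE the application uses, so the output reflects that runtime's `java.security` settings.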
