Forum Stats

  • 3,839,357 Users
  • 2,262,486 Discussions
  • 7,900,949 Comments

Discussions

"ORA-28860: Fatal SSL error" When Running UTL_HTTP with TLS v1.2 on Oracle 11.2.0.4

We are trying to use the UTL_HTTP package in Oracle Database 11.2.0.4 and getting an error:

SQL> @/tmp/teste.sql

BEGIN

*

ERROR at line 1:

ORA-29273: HTTP request failed

ORA-06512: at "SYS.UTL_HTTP", line 1130

ORA-28860: Fatal SSL error

ORA-06512: at line 12


We created the wallet and imported the certificate:

mkdir -p $ORACLE_BASE/admin/$ORACLE_SID/wallet

orapki wallet create -wallet $ORACLE_BASE/admin/$ORACLE_SID/wallet -pwd <password>

orapki wallet add -wallet $ORACLE_BASE/admin/$ORACLE_SID/wallet -trusted_cert -pwd <password> -cert cert_cloud.crt


The content of the script:

BEGIN

DECLARE

http_req utl_http.req;

http_resp utl_http.resp;

-- Variaveis do perfil

w_pathWallet VARCHAR2(500) := 'file:$ORACLE_BASE/admin/$ORACLE_SID/wallet';

w_pwdWallet VARCHAR2(500) := '<password>';


BEGIN

Utl_Http.Set_Wallet(w_pathWallet, w_pwdWallet);

Utl_Http.set_transfer_timeout(300);

http_req := utl_http.begin_request( '<https webservice address>'

, 'POST'

, 'HTTP/1.1');

utl_http.set_authentication (http_req, '00454733','IC3R8T');

utl_http.set_header(http_req, 'Content-Type', 'application/xml; charset=utf-8');

http_resp := UTL_HTTP.get_response(http_req);

dbms_output.put_line('HTTP response status code: ' || http_resp.status_code);

dbms_output.put_line('HTTP response reason phrase: ' || http_resp.reason_phrase);

END;

END;

/


The same script successfully runs on databases 12cR2 and 19c.

We did some test monitoring with tcpdump and it seems to be some error in the handshake phase. The successful test on 12cR2 uses TLS v1.2, while the test with error on 11gR2 returns an error showing TLS v1.0

According to the notes we analyzed in the knowledge base, TLS v1.2 should be supported in Oracle Database 11.2.0.4 as long as the last PSU is applied (in this case we have PSU APR/2021).


Would 11.2.0.4 be unsupported working with TLS v1.2?

Does anyone have any suggestions for further investigation beyond the one mentioned?

Does anyone use UTL_HTTP on Oracle 11.2.0.4 with TLS v1.2?

Answers

  • Jason_(A_Non)
    Jason_(A_Non) Member Posts: 2,106 Silver Trophy

    I have a client that is still using 11.2.0.4 and back in 2018 we added in support for a remote HTTPS call using TLS v1.2. At that point in time, the MESv405 / MESv415 was still a separate one-off patch for 11.2.0.4. I had the appropriate patch applied (patch 24975424) after having SR discussions with Oracle Support staff. It is still working today, though I've lost track of what PSU that RAC DB is up to. It is currently scheduled for migration to 19c later this year.

    Not the answer you were looking for but proof that you can use 11.2.0.4 for TLS v1.2 HTTPS connections.