6 Replies Latest reply on Jul 17, 2019 5:40 AM by JijoAC

    USE SSL FOR ENCRYPTION ONLY in Oracle12c failed

    JijoAC

      We are trying to implement SSL encryption between the Oracle 12c server and the Java thin client. We followed the steps described in https://www.oracle.com/technetwork/database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf

      we are trying CASE #1: USE SSL FOR ENCRYPTION ONLY, when we implement

      First, we got the error

      java.sql.SQLRecoverableException: IO Error: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

      So we updated cipher suite list

      props.setProperty("oracle.net.ssl_cipher_suites", "(" + "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, " + "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, " + "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 )"); 

      Now we are getting "java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection"

      In the listener.log

      • (ADDRESS=(PROTOCOL=tcps)(HOST=192.168.0.153)(PORT=10023)) * * 542 TNS-00542: SSL Handshake failed TNS-12560: TNS:protocol adapter error

      Is there any difference in the Oracle12c?

        • 1. Re: USE SSL FOR ENCRYPTION ONLY in Oracle12c failed
          Gaurav Kamal - Oracle-Oracle

          This looks like more of the JDBC connection issue.

           

          Is the connection failing from DB as well?

           

          What does the sqlnet.ora file look like?

           

          What is the DB and the PSU version?

          • 2. Re: USE SSL FOR ENCRYPTION ONLY in Oracle12c failed
            JijoAC

            We successfully established the JDBC connection using CASE #2: USE SSL FOR ENCRYPTION AND SERVER AUTHENTICATION by setting the truststore details.

            But we are not able to connect using CASE #1: USE SSL FOR ENCRYPTION ONLY. In this option we are using Diffie-Hellman anonymous authentication and have not set any “truststore” or “keystore”.

             

            Our sqlnet.ora is,

             

            SQLNET.AUTHENTICATION_SERVICES = NTS

            NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)

            WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=D:\Oracle12c\product\12.2.0\dbhome_1\bin\server)))

            SSL_CLIENT_AUTHENTICATION = FALSE

             

            We are using Oracle 12c

            RDBMS_12.2.0.1.0_WINDOWS.X64_170210.4

            • 3. Re: USE SSL FOR ENCRYPTION ONLY in Oracle12c failed
              Gaurav Kamal - Oracle-Oracle

              What document are you following and what errors are you getting?

              Diffie-Hellman key encryption and TLS JDBC compatibility (Doc ID 2288489.1)

               

              Provide the complete command and the errors you are encountering from the DB.

              Are you on the latest PSU / RU / BP?

              • 4. Re: USE SSL FOR ENCRYPTION ONLY in Oracle12c failed
                JijoAC

                Thank you Mr. Gaurav Kamal,

                I am using "SSL With Oracle JDBC Thin Driver" document from https://www.oracle.com/technetwork/database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf

                I have downloaded Oracle12c from https://www.oracle.com/technetwork/database/enterprise-edition/downloads/oracle12c-windows-3633015.html

                Not using any PSU. Oracle version is,

                     Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

                     PL/SQL Release 12.2.0.1.0 - Production

                     "CORE    12.2.0.1.0    Production"

                     TNS for 64-bit Windows: Version 12.2.0.1.0 - Production

                     NLSRTL Version 12.2.0.1.0 - Production

                 

                I am afraid I cannot open the doc you specified as I have no

                My aim is to use SSL for communication encryption in our Java sample.

                Here is our Java code

                 

                import java.security.Security;
                import java.sql.Connection;
                import java.sql.DriverManager;
                import java.sql.PreparedStatement;
                import java.sql.ResultSet;
                import java.sql.SQLException;
                import java.util.Properties;

                try {
                    // TCPS (TLS) connect descriptor for the thin driver
                    String databaseSSLUrl = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.0.10)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl.Test.local)))";
                    Security.insertProviderAt(new oracle.security.pki.OraclePKIProvider(), 3);
                    Properties props = new Properties();
                    props.setProperty("user", "TEST_DATA");
                    props.setProperty("password", "TEST");
                    // Cipher suites offered by the client; no truststore or keystore is set
                    props.setProperty("oracle.net.ssl_cipher_suites", "("
                            + "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "
                            + "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "
                            + "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "
                            + "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "
                            + "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "
                            + "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 )");

                    try (Connection con = DriverManager.getConnection(databaseSSLUrl, props);
                            PreparedStatement pst = con.prepareStatement("SELECT * FROM TBL_SSL_TEST");
                            ResultSet rs = pst.executeQuery()) {
                        while (rs.next()) {
                            System.out.println(rs.getString(1));
                        }
                    }
                } catch (SQLException e) {
                    System.out.println(e.toString());
                }

                 

                When we run the above sample, we get the following exception

                           "java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection"

                 

                So I checked the listener.log; it says

                • (ADDRESS=(PROTOCOL=tcps)(HOST=192.168.0.153)(PORT=10023)) * * 542 TNS-00542: SSL Handshake failed TNS-12560: TNS:protocol adapter error
                • 5. Re: USE SSL FOR ENCRYPTION ONLY in Oracle12c failed
                  Gaurav Kamal - Oracle-Oracle

                  Can you please confirm if this is limited to the Java application?

                  Does SSL work from the DB directly?

                  Also, please confirm if this works once you remove the set of cipher suites in your code.

                  What PSU level are you on?

                  • 6. Re: USE SSL FOR ENCRYPTION ONLY in Oracle12c failed
                    JijoAC

                    Thank you,

                    This problem is limited to the Java application; I can connect from sqlplus.

                    When we remove all cipher suites we get

                    1. java.sql.SQLRecoverableException: IO Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

                    The cipher suites used by the sample code in the document https://www.oracle.com/technetwork/database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf are,

                         props.setProperty("oracle.net.ssl_cipher_suites","(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)");       

                     

                    When we use this, we get the following exception

                    1. java.sql.SQLRecoverableException: IO Error: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

                     

                    So I changed to

                    props.setProperty("oracle.net.ssl_cipher_suites", "("
                            + "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "
                            + "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "
                            + "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "
                            + "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "
                            + "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "
                            + "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 )");

                    Then we got,

                    java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection

                     

                    We are using OPATCH_VERSION:12.2.0.1.6
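
A client-side check for the cipher suite names quoted in this thread, added here as an example (it is not code from the thread or from Oracle). It reports, for the local JVM, whether each suite is supported, whether it is enabled by default, and how the suite family authenticates the server. The class name `CipherSuiteCheck` and the helper names are assumptions made for the example.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class CipherSuiteCheck {
    // Suite names quoted in the thread: the white paper's anonymous list, then two of the replacements.
    static final String[] REQUESTED = {
        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
        "SSL_DH_anon_WITH_RC4_128_MD5",
        "SSL_DH_anon_WITH_DES_CBC_SHA",
        "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    };

    // How the server is authenticated, judged from the suite name alone.
    static String serverAuth(String suite) {
        if (suite.contains("_anon_")) return "none (anonymous)";
        if (suite.contains("_ECDSA_")) return "ECDSA certificate";
        if (suite.contains("_RSA_")) return "RSA certificate";
        if (suite.contains("_DSS_")) return "DSA certificate";
        return "unknown";
    }

    // JSSE lists some suites under a TLS_ prefix and others under SSL_, so try both.
    static boolean has(Set<String> suites, String name) {
        String bare = name.replaceFirst("^(SSL|TLS)_", "");
        return suites.contains("SSL_" + bare) || suites.contains("TLS_" + bare);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
        for (String s : REQUESTED) {
            System.out.printf("%-42s supported=%-5b enabledByDefault=%-5b serverAuth=%s%n",
                    s, has(supported, s), has(enabled, s), serverAuth(s));
        }
        // Algorithms listed here are refused by JSSE even when a suite is requested explicitly.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("enabled protocols = "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
    }
}
```

A suite whose `serverAuth` is a certificate type is not anonymous: the server presents a certificate of that type and the client validates it against its truststore. Run the check with the same JRE that runs the JDBC application, since the disabled-algorithm list differs between Java releases.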