2
votes

I'm trying to configure SSL for Oracle JDBC and I'm following the document http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf

I have oracle server and client in my own machine. This is for a POC.

I'm using case #1, use SSL for encryption only. My listener.ora looks like

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484))
    )
  )

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=C:\app\xxx\product\11.2.0\dbhome_2\server))) 

SSL_CLIENT_AUTHENTICATION=FALSE 

my sqlnet.ora looks like

SQLNET.AUTHENTICATION_SERVICES= (NTS)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=C:\app\Priya\product\11.2.0\dbhome_2\server)))

SSL_CLIENT_AUTHENTICATION=FALSE 

my tnsnames.ora on the oracle server

ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484))     
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
    (SECURITY=(SSL_SERVER_CERT_DN="CN=SERVER_TEST,C=US")) 
  )

I even updated the tnsnames.ora on the client

ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484))     
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
    (SECURITY=(SSL_SERVER_CERT_DN="CN=SERVER_TEST,C=US")) 
  )

My java.security

security.provider.10=oracle.security.pki.OraclePKIProvider

I created server wallet autologin using orapki utility.

My sample code:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class Test {
    public static void main(String[] args) throws SQLException {
        // TCPS endpoint of the listener (port 2484 from listener.ora)
        String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))";

        System.out.println("set properties");
        Properties props = new Properties();
        props.setProperty("user", "XXXXX");
        props.setProperty("password", "XXXXX");
        // Anonymous DH suites: encryption only, the server is not authenticated
        props.setProperty("oracle.net.ssl_cipher_suites",
                            "(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, "
                                + "SSL_DH_anon_WITH_RC4_128_MD5,"
                                + "SSL_DH_anon_WITH_DES_CBC_SHA)");

        System.out.println("get connection");
        Connection con = DriverManager.getConnection(url, props);
        System.out.println("got a connection");
        Statement stmt = con.createStatement();
        ResultSet rs = stmt.executeQuery("select sysdate from dual");
        while (rs.next()) {
            System.out.println("result = " + rs.getString(1));
        }
        rs.close();
        stmt.close();
        con.close();
    }
}

and I'm getting the following error:

set properties
get connection
trustStore is: C:\Program Files (x86)\Java\jdk1.6.0_45\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  Algorithm: RSA; Serial number: 0x4eb200670c035d4f
  Valid from Wed Oct 25 04:36:00 EDT 2006 until Sat Oct 25 04:36:00 EDT 2036
...............
.............
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1441881635 bytes = { 236, 186, 144, 113, 184, 49, 37, 30, 105, 22, 80, 151, 167, 186, 10, 227, 160, 97, 62, 9, 21, 123, 5, 153, 25, 55, 40, 140 }
Session ID:  {}
Cipher Suites: [SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA]
Compression Methods:  { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
***
[write] MD5 and SHA1 hashes:  len = 56
0000: 01 00 00 34 03 01 56 F1   5E 23 EC BA 90 71 B8 31  ...4..V.^#...q.1
0010: 25 1E 69 16 50 97 A7 BA   0A E3 A0 61 3E 09 15 7B  %.i.P......a>...
0020: 05 99 19 37 28 8C 00 00   06 00 1B 00 18 00 1A 01  ...7(...........
0030: 00 00 05 FF 01 00 01 00                            ........
main, WRITE: TLSv1 Handshake, length = 56
[write] MD5 and SHA1 hashes:  len = 53
0000: 01 03 01 00 0C 00 00 00   20 00 00 1B 00 00 18 00  ........ .......
0010: 00 1A 00 00 FF 56 F1 5E   23 EC BA 90 71 B8 31 25  .....V.^#...q.1%
0020: 1E 69 16 50 97 A7 BA 0A   E3 A0 61 3E 09 15 7B 05  .i.P......a>....
0030: 99 19 37 28 8C                                     ..7(.
main, WRITE: SSLv2 client hello message, length = 53
[Raw write]: length = 55
0000: 80 35 01 03 01 00 0C 00   00 00 20 00 00 1B 00 00  .5........ .....
0010: 18 00 00 1A 00 00 FF 56   F1 5E 23 EC BA 90 71 B8  .......V.^#...q.
0020: 31 25 1E 69 16 50 97 A7   BA 0A E3 A0 61 3E 09 15  1%.i.P......a>..
0030: 7B 05 99 19 37 28 8C                               ....7(.
main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket()
main, called close()
main, called closeInternal(true)
Exception in thread "main" java.sql.SQLRecoverableException: IO Error: Software caused connection abort: recv failed
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:752)
    at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:657)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:560)
    at java.sql.DriverManager.getConnection(DriverManager.java:582)
    at java.sql.DriverManager.getConnection(DriverManager.java:154)
    at tr.com.pos.genius.background.Test.main(Test.java:75)
Caused by: java.net.SocketException: Software caused connection abort: recv failed
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:129)
    at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:422)
    at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:460)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
    at oracle.net.ns.Packet.send(Packet.java:419)
    at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:241)
    at oracle.net.ns.NSProtocolStream.negotiateConnection(NSProtocolStream.java:157)
    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:264)
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1452)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:496)
    ... 6 more

I'm using Java 6 and Oracle 11g, ojdbc6.jar.

I'm a newbie with SSL. Any pointers or suggestions will be helpful.

Java 1.6 is quite old. Does it work for you with sqlplus? (ibre5041)

No, I'm getting ORA-12570: TNS:packet reader failure when using sqlplus. Unfortunately our project is in Java 6. (Matt)

Just to rule out the obvious, has your listener been restarted to pick up any changes you've made? Does lsnrctl status show what you expect? Can you do a test ssh -p 2484 localhost and see what that does? Wondering if there might be a local firewall that you need to poke a hole through for that port. (Alex Poole)

My listener is started. This is what is getting displayed. (Matt)

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
Version 11.2.0.1.0 - Prod
Start Date 22-MAR-2016 10:55:59
Uptime 1 days 0 hr. 2 min. 0 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=127.0.0.1)(PORT=2484)))
Services Summary...
Service "CLRExtProc" has 1 instance(s).
  Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) for this service.
(Matt)

1 Answer

0
votes

I think you're getting this error because the client is sending an SSLv2 client hello, which has been disabled on the server. So the server aborts the handshake immediately. Try setting this property to force TLSv1.0 to be used, which will prevent the client from sending this SSLv2 client hello.

props.setProperty("oracle.net.ssl_version", "1.0");

Note that anonymous cipher suites have been disabled in Oracle 12c, so you should refrain from using them (yes, the whitepaper you're referring to in your question is a bit obsolete).
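The following is an added example, not the asker's program or the answerer's code, that puts both points of the answer together: it pins the TLS version with oracle.net.ssl_version so the thin driver sends a plain TLSv1 ClientHello instead of the SSLv2-compatible hello seen in the trace, and it drops the SSL_DH_anon_* suites in favour of authenticating the listener against a JKS truststore plus a DN match. The truststore path and password, the RSA cipher suite list and the class name are assumptions; the DN CN=SERVER_TEST,C=US, host, port and service name are the ones from the question. The truststore is assumed to hold the certificate exported from the server wallet, and the listener must be configured to accept at least one of the listed non-anonymous suites.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

// Added example (not from the question or answer): TCPS connection that
// (a) pins the TLS version so no SSLv2 ClientHello is sent, and
// (b) authenticates the server through a truststore instead of anonymous DH.
public class TcpsConnectExample {

    // Values from the question: host, port, service and server certificate DN.
    private static final String URL =
        "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=2484))"
        + "(CONNECT_DATA=(SERVICE_NAME=orcl))"
        + "(SECURITY=(SSL_SERVER_CERT_DN=\"CN=SERVER_TEST,C=US\")))";

    // Assumed placeholders: a JKS truststore containing the server/CA certificate.
    private static final String TRUSTSTORE_PATH = "C:\\path\\to\\truststore.jks";
    private static final String TRUSTSTORE_PASSWORD = "changeit";

    /** Builds the connection properties; separated so they can be inspected or reused. */
    static Properties buildProperties(String user, String password) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);

        // The answer's fix: force TLSv1.0 so the driver sends a TLS ClientHello
        // rather than the SSLv2 hello the listener rejected.
        props.setProperty("oracle.net.ssl_version", "1.0");

        // Trust only certificates in our own truststore, not the JDK cacerts.
        props.setProperty("javax.net.ssl.trustStore", TRUSTSTORE_PATH);
        props.setProperty("javax.net.ssl.trustStoreType", "JKS");
        props.setProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASSWORD);

        // Fail the connection if the presented certificate DN does not match
        // SSL_SERVER_CERT_DN in the URL (defends against a spoofed listener).
        props.setProperty("oracle.net.ssl_server_dn_match", "true");

        // Assumed suite list: no *_anon_* suites, so the server must prove its
        // identity with a certificate during the handshake.
        props.setProperty("oracle.net.ssl_cipher_suites",
            "(TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)");
        return props;
    }

    public static void main(String[] args) throws SQLException {
        Connection con = DriverManager.getConnection(URL, buildProperties("XXXXX", "XXXXX"));
        try {
            Statement stmt = con.createStatement();
            try {
                ResultSet rs = stmt.executeQuery("select sysdate from dual");
                try {
                    while (rs.next()) {
                        System.out.println("result = " + rs.getString(1));
                    }
                } finally {
                    rs.close();
                }
            } finally {
                stmt.close();
            }
        } finally {
            con.close(); // Java 6: no try-with-resources, so close explicitly
        }
    }
}
```

Running with -Djavax.net.debug=ssl as in the question will show a single "ClientHello, TLSv1" record and no "SSLv2 client hello message" line; a DN or trust failure now surfaces as a handshake exception on the client rather than a silent connection to an unauthenticated peer.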