
Advanced Security and SSL

From: Jason Heinrich <jheinrichdba_at_gmail.com>
Date: Fri, 21 Sep 2007 15:49:07 -0500
Message-ID: <b32e774d0709211349t635d8c33h5690cdbefeced613@mail.gmail.com>


List,
I'm attempting to set up SSL connectivity to a test database (10.2.0.1 on AIX 5.3), but I keep getting an error on the client (10.2.0.1 on Windows XP): ORA-28860: Fatal SSL error.

I've checked the sqlnet.ora files to make sure they match, and I've checked the wallets to make sure the trusted certificate on the client matches the signer for the server certificate. A client trace didn't give any useful information, but a trace of the listener on the server revealed this: ntzdosecneg: SSL handshake failed with error 29024

Of course, useful information about these errors seems sparse. If that's an ORA error, then it would refer to a "Certificate validation failure", which doesn't make sense because the client shouldn't be sending a certificate to the server. I've included relevant portions of config files below for reference:

Client sqlnet.ora:

SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_SERVER_DN_MATCH = No
SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

Server sqlnet.ora:
TCP.VALIDNODE_CHECKING=YES
TCP.INVITED_NODES=(<list of ip addresses, including the client>)

SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SSL_VERSION=3.0
SSL_CLIENT_AUTHENTICATION=FALSE

TCPS is set as the protocol in the server's listener.ora and client's tnsnames.ora. Interestingly enough, I have no trouble connecting to the database via TCPS while on the server. Any ideas?

--

Jason Heinrich
Oracle Developer/DBA

--

http://www.freelists.org/webpage/oracle-l Received on Fri Sep 21 2007 - 15:49:07 CDT
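
The "sqlnet.ora files match" check described in the message above can be done mechanically. The following is an added example, not part of the original post and not Oracle code: it parses the two quoted fragments (embedded as constructed sample input) and reports differences in the SSL settings both ends share. The helper names `parse_sqlnet` and `compare_ssl` are hypothetical.

```python
# Constructed sample input: the SSL-related lines of the two sqlnet.ora
# fragments quoted in the message (TCP.INVITED_NODES placeholder omitted).
CLIENT = """\
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_SERVER_DN_MATCH = No
SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
"""
SERVER = """\
TCP.VALIDNODE_CHECKING=YES
SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SSL_VERSION=3.0
SSL_CLIENT_AUTHENTICATION=FALSE
"""

def parse_sqlnet(text):
    """Return {PARAM: value}. A flat parenthesised list may span several
    lines and is returned as a list; nested values are not interpreted."""
    params, name, buf, depth = {}, None, "", 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or (depth == 0 and "=" not in line):
            continue
        if depth == 0:                           # start of a new parameter
            name, _, buf = line.partition("=")
            name, buf = name.strip().upper(), buf.strip()
        else:                                    # continuation of a list
            buf += " " + line
        depth = max(buf.count("(") - buf.count(")"), 0)
        if depth == 0:
            if buf.startswith("("):
                params[name] = [v.strip() for v in buf.strip("()").split(",") if v.strip()]
            else:
                params[name] = buf.upper()
    return params

def compare_ssl(client, server):
    """Return (findings, shared_suites). A finding is a difference worth
    checking, not proof of what caused a handshake failure."""
    findings = []
    for key in ("SSL_VERSION", "SSL_CLIENT_AUTHENTICATION"):
        if client.get(key) != server.get(key):
            findings.append(f"{key}: client={client.get(key)} server={server.get(key)}")
    c, s = client.get("SSL_CIPHER_SUITES"), server.get("SSL_CIPHER_SUITES")
    shared = [x for x in c if x in s] if c and s else None  # None: a side uses defaults
    if shared == []:
        findings.append("SSL_CIPHER_SUITES: no suite in common")
    return findings, shared

if __name__ == "__main__":
    print(compare_ssl(parse_sqlnet(CLIENT), parse_sqlnet(SERVER)))
```

For the fragments quoted in the post it reports no differences and three shared cipher suites.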
