Datatombraider's Blog

2011/01/31

ASO and SSL

Filed under: Oracle — datatombraider @ 19:31

The Advanced Security Option (a paid option, of course) has the nice feature of securing database connections with SSL (authentication and encryption). Unfortunately TLS does not work (11.2.0.2 64-bit on RHEL5). If you select TLS in NETMGR, it inserts ssl_version=3.1 in sqlnet.ora, but SQL*Net has problems with that value. All connections then fail with 'ORA-12560: TNS:protocol adapter error', which doesn't say much.

sqlnet.log has some more details:

VERSION INFORMATION:
TNS for Linux: Version 11.2.0.2.0 – Production
sdp
Time: 29-JAN-2011 15:57:53
Tracing to file: ^D<9B><9B>
Tns error struct:
ns main err code: 12560

TNS-12560: TNS:protocol adapter error
ns secondary err code: 0
nt main err code: 549

TNS-00549: value specified for the SSL version is not valid
nt secondary err code: 0
nt OS err code: 0

Note the trace file name: it looks like uninitialized memory to me, but that's not important for now. The relevant part is that the SSL version is not valid.

The trace file (level=support) has some more funny information:

2011-01-29 15:57:53.857338 : ntzGetStringParameter:found value for “ssl_version” configuration parameter: “3.1”
2011-01-29 15:57:53.857356 : ntzGetStringParameter:exit
2011-01-29 15:57:53.857373 : ntzConvertToNumeric:entry
2011-01-29 15:57:53.857400 : ntzConvertToNumeric:value specified for SSL client authentication (“3.1”) is not boolean
2011-01-29 15:57:53.857427 : ntzConvertToNumeric:failed with error 549

It seems only numeric values are allowed, and because NETMGR put '3.1' in it the parser gets confused (I didn't configure ssl_client_authentication at all, even though that is the parameter the trace complains about). The workaround is not to specify ssl_version at all, but instead the cipher suites used by TLS, for instance

SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA)

After making the change on both client and server, I can establish SSL connections using TLS cipher suites.
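As an added example (not from the post and not Oracle's code), the following Python script parses a sqlnet.ora, flags the SSL_VERSION = 3.1 line that NETMGR writes, and applies the workaround described above: it removes SSL_VERSION and pins the TLS cipher suite through SSL_CIPHER_SUITES instead. The sample sqlnet.ora is constructed; the wallet directory and the SQLNET.AUTHENTICATION_SERVICES line are assumptions and do not come from the post.

```python
"""Lint a sqlnet.ora for SSL_VERSION = 3.1 and apply the SSL_CIPHER_SUITES workaround.

Added example, not part of the original post and not Oracle code. The
SQLNET.AUTHENTICATION_SERVICES line and the wallet directory are assumed values.
"""
import re

# Constructed sample: roughly what NETMGR leaves behind after selecting TLS.
# On 11.2.0.2 this configuration fails with ORA-12560 / TNS-00549 (Bug 9682150).
BROKEN_SQLNET_ORA = """\
# sqlnet.ora as written by NETMGR (constructed sample)
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
SSL_VERSION = 3.1
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)   # assumed wallet path
    )
  )
"""

# The cipher suite used in the post's workaround.
WORKAROUND_CIPHER_SUITES = "(SSL_RSA_WITH_AES_256_CBC_SHA)"

# Start of a top-level "NAME =" assignment (names may contain dots, e.g. SQLNET.EXPIRE_TIME).
_ASSIGN = re.compile(r"\s*([A-Za-z_][\w.]*)\s*=")


def parse_sqlnet_ora(text):
    """Return {PARAMETER: raw_value} for the top-level assignments in a sqlnet.ora.

    '#' comments are stripped first. A value runs to the end of its line unless it
    is a parenthesised list, which may span several lines (as WALLET_LOCATION does);
    the raw text is kept with its parentheses, whitespace collapsed to single spaces.
    """
    src = "\n".join(re.sub(r"#.*", "", ln) for ln in text.splitlines())
    params = {}
    i, n = 0, len(src)
    while i < n:
        m = _ASSIGN.match(src, i)
        if not m:
            # Not an assignment: skip the rest of this line.
            nl = src.find("\n", i)
            if nl < 0:
                break
            i = nl + 1
            continue
        name = m.group(1).upper()
        k = m.end()
        while k < n and src[k].isspace():  # value may start on the next line
            k += 1
        start, depth = k, 0
        while k < n:
            c = src[k]
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            elif c == "\n" and depth == 0:
                break
            k += 1
        params[name] = re.sub(r"\s+", " ", src[start:k]).strip()
        i = k
    return params


def lint_ssl_settings(params):
    """Return (code, message) findings for the SSL-related parameters."""
    findings = []
    version = params.get("SSL_VERSION")
    if version == "3.1":
        findings.append(("SSL_VERSION_3_1",
                         "SSL_VERSION = 3.1 is rejected by 11.2.0.2 (TNS-00549, Bug 9682150); "
                         "remove it and select TLS through SSL_CIPHER_SUITES instead"))
    elif version is not None:
        findings.append(("SSL_VERSION_SET",
                         f"SSL_VERSION = {version} is set; check that this release accepts it"))
    if "SSL_CIPHER_SUITES" not in params:
        findings.append(("NO_CIPHER_SUITES",
                         "SSL_CIPHER_SUITES is not set; the workaround pins the TLS suite here"))
    return findings


def apply_workaround(text, cipher_suites=WORKAROUND_CIPHER_SUITES):
    """Drop every SSL_VERSION line and add SSL_CIPHER_SUITES if it is missing."""
    kept = [ln for ln in text.splitlines()
            if not re.match(r"\s*SSL_VERSION\s*=", ln, re.IGNORECASE)]
    if "SSL_CIPHER_SUITES" not in parse_sqlnet_ora("\n".join(kept)):
        kept.append(f"SSL_CIPHER_SUITES = {cipher_suites}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for code, msg in lint_ssl_settings(parse_sqlnet_ora(BROKEN_SQLNET_ORA)):
        print(f"{code}: {msg}")
    print(apply_workaround(BROKEN_SQLNET_ORA))
```

Run against a real sqlnet.ora by reading the file into `parse_sqlnet_ora`; the parser keeps parenthesised values verbatim, so it does not try to interpret the WALLET_LOCATION structure, only to skip over it correctly.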

It's actually a known problem (Bug 9682150: SSL_VERSION=3.1 IS CAUSING ORA-12560 IN SSL AUTHENTICATION), opened on 4-May-2010 but still not fixed, which is a shame.


Blog at WordPress.com.