
Oracle JDBC thin driver SSL

I'm trying to configure SSL for Oracle JDBC and I'm following the document http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf

I have the Oracle server and client on my own machine. This is for a POC.

I'm using case #1, use SSL for encryption only. My listener.ora looks like:

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484))
    )
  )

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=C:\app\xxx\product\11.2.0\dbhome_2\server))) 

SSL_CLIENT_AUTHENTICATION=FALSE 

My sqlnet.ora looks like:

SQLNET.AUTHENTICATION_SERVICES= (NTS)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=C:\app\Priya\product\11.2.0\dbhome_2\server)))

SSL_CLIENT_AUTHENTICATION=FALSE 

My tnsnames.ora on the Oracle server:

ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484))     
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
    (SECURITY=(SSL_SERVER_CERT_DN="CN=SERVER_TEST,C=US")) 
  )

I even updated the tnsnames.ora on the client:

ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484))     
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
    (SECURITY=(SSL_SERVER_CERT_DN="CN=SERVER_TEST,C=US")) 
  )

My java.security:

security.provider.10=oracle.security.pki.OraclePKIProvider

I created the server wallet as auto-login using the orapki utility.

My sample code:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Properties;

public class Test {
    public static void main(String[] args) throws Exception {
        // TCPS endpoint from listener.ora; no SECURITY clause here, so the server DN is not checked
        String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))";

        System.out.println("set properties");
        Properties props = new Properties();
        props.setProperty("user", "XXXXX");
        props.setProperty("password", "XXXXX");
        // Case #1 of the whitepaper: anonymous DH suites, encryption only, no server authentication
        props.setProperty("oracle.net.ssl_cipher_suites",
                "(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, "
                    + "SSL_DH_anon_WITH_RC4_128_MD5,"
                    + "SSL_DH_anon_WITH_DES_CBC_SHA)");

        System.out.println("get connection");
        Connection con = DriverManager.getConnection(url, props);
        System.out.println("got a connection");
        Statement stmt = con.createStatement();
        ResultSet rs = stmt.executeQuery("select sysdate from dual");
        while (rs.next()) {
            System.out.println("result = " + rs.getString(1));
        }
        rs.close();
        stmt.close();
        con.close();
    }
}

and I'm getting the following error:

set properties
get connection
trustStore is: C:\Program Files (x86)\Java\jdk1.6.0_45\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  Algorithm: RSA; Serial number: 0x4eb200670c035d4f
  Valid from Wed Oct 25 04:36:00 EDT 2006 until Sat Oct 25 04:36:00 EDT 2036
...............
.............
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1441881635 bytes = { 236, 186, 144, 113, 184, 49, 37, 30, 105, 22, 80, 151, 167, 186, 10, 227, 160, 97, 62, 9, 21, 123, 5, 153, 25, 55, 40, 140 }
Session ID:  {}
Cipher Suites: [SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA]
Compression Methods:  { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
***
[write] MD5 and SHA1 hashes:  len = 56
0000: 01 00 00 34 03 01 56 F1   5E 23 EC BA 90 71 B8 31  ...4..V.^#...q.1
0010: 25 1E 69 16 50 97 A7 BA   0A E3 A0 61 3E 09 15 7B  %.i.P......a>...
0020: 05 99 19 37 28 8C 00 00   06 00 1B 00 18 00 1A 01  ...7(...........
0030: 00 00 05 FF 01 00 01 00                            ........
main, WRITE: TLSv1 Handshake, length = 56
[write] MD5 and SHA1 hashes:  len = 53
0000: 01 03 01 00 0C 00 00 00   20 00 00 1B 00 00 18 00  ........ .......
0010: 00 1A 00 00 FF 56 F1 5E   23 EC BA 90 71 B8 31 25  .....V.^#...q.1%
0020: 1E 69 16 50 97 A7 BA 0A   E3 A0 61 3E 09 15 7B 05  .i.P......a>....
0030: 99 19 37 28 8C                                     ..7(.
main, WRITE: SSLv2 client hello message, length = 53
[Raw write]: length = 55
0000: 80 35 01 03 01 00 0C 00   00 00 20 00 00 1B 00 00  .5........ .....
0010: 18 00 00 1A 00 00 FF 56   F1 5E 23 EC BA 90 71 B8  .......V.^#...q.
0020: 31 25 1E 69 16 50 97 A7   BA 0A E3 A0 61 3E 09 15  1%.i.P......a>..
0030: 7B 05 99 19 37 28 8C                               ....7(.
main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket()
main, called close()
main, called closeInternal(true)
Exception in thread "main" java.sql.SQLRecoverableException: IO Error: Software caused connection abort: recv failed
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:752)
    at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:657)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:560)
    at java.sql.DriverManager.getConnection(DriverManager.java:582)
    at java.sql.DriverManager.getConnection(DriverManager.java:154)
    at tr.com.pos.genius.background.Test.main(Test.java:75)
Caused by: java.net.SocketException: Software caused connection abort: recv failed
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:129)
    at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:422)
    at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:460)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
    at oracle.net.ns.Packet.send(Packet.java:419)
    at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:241)
    at oracle.net.ns.NSProtocolStream.negotiateConnection(NSProtocolStream.java:157)
    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:264)
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1452)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:496)
    ... 6 more

I'm using Java 6 and Oracle 11g, ojdbc6.jar.

I'm a newbie with SSL. Any pointers or suggestions will be helpful.
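The debug trace above contains two encodings of the same ClientHello: the TLSv1 handshake message that JSSE hashed ("[write] MD5 and SHA1 hashes: len = 56") and the SSLv2-compatible hello that actually went on the wire ("[Raw write]: length = 55"), after which the listener closed the socket. The decoder below is an added example, not part of the original post or of Oracle's code; its only input is the bytes copied from those two dumps, and it shows how to tell the two formats apart in a trace and why their cipher lists differ (the SSLv2 format cannot carry extensions, so the renegotiation_info extension is replaced by the 0x00FF signalling suite).

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Decodes the two ClientHello encodings visible in the JSSE debug trace on this page.
 * Added example; the sample bytes are copied verbatim from the trace.
 */
public class ClientHelloDecoder {

    /** TLS ClientHello handshake message (no record header), from the "[write] ... len = 56" dump. */
    static final byte[] TLS_HELLO = hex(
          "01 00 00 34 03 01 56 F1 5E 23 EC BA 90 71 B8 31 "
        + "25 1E 69 16 50 97 A7 BA 0A E3 A0 61 3E 09 15 7B "
        + "05 99 19 37 28 8C 00 00 06 00 1B 00 18 00 1A 01 "
        + "00 00 05 FF 01 00 01 00");

    /** SSLv2-format CLIENT-HELLO record, from the "[Raw write]: length = 55" dump. */
    static final byte[] SSLV2_HELLO = hex(
          "80 35 01 03 01 00 0C 00 00 00 20 00 00 1B 00 00 "
        + "18 00 00 1A 00 00 FF 56 F1 5E 23 EC BA 90 71 B8 "
        + "31 25 1E 69 16 50 97 A7 BA 0A E3 A0 61 3E 09 15 "
        + "7B 05 99 19 37 28 8C");

    static final class Hello {
        String format;                                   // "SSLv2" or "TLS"
        String version;                                  // major.minor; 3.1 is TLSv1.0
        final List<Integer> cipherSuites = new ArrayList<Integer>();

        public String toString() {
            StringBuilder sb = new StringBuilder(format + " hello, version " + version + ", suites:");
            for (int s : cipherSuites) sb.append(String.format(" 0x%04X", s));
            return sb.toString();
        }
    }

    /** An SSLv2 record starts with a 2-byte header whose high bit is set; a TLS record starts with 0x16. */
    static boolean isSslv2Record(byte[] b) {
        return b.length > 2 && (b[0] & 0x80) != 0;
    }

    static Hello decode(byte[] b) {
        Hello h = new Hello();
        if (isSslv2Record(b)) {
            int recordLen = ((b[0] & 0x7F) << 8) | (b[1] & 0xFF);
            if (recordLen != b.length - 2 || b[2] != 1) {
                throw new IllegalArgumentException("not an SSLv2 CLIENT-HELLO");
            }
            h.format = "SSLv2";
            h.version = (b[3] & 0xFF) + "." + (b[4] & 0xFF);   // still advertises 3.1 inside the old framing
            int specsLen = u16(b, 5);                           // bytes 7..10 are session-id and challenge lengths
            for (int p = 11; p < 11 + specsLen; p += 3) {       // 3-byte specs; 00 xx yy is TLS suite 0xxxyy
                h.cipherSuites.add(((b[p] & 0xFF) << 16) | u16(b, p + 1));
            }
            return h;
        }
        if (b[0] != 1 || (((b[1] & 0xFF) << 16) | u16(b, 2)) != b.length - 4) {
            throw new IllegalArgumentException("not a TLS ClientHello handshake message");
        }
        h.format = "TLS";
        h.version = (b[4] & 0xFF) + "." + (b[5] & 0xFF);
        int p = 6 + 32;                                         // skip the 32-byte client random
        p += 1 + (b[p] & 0xFF);                                 // session id (empty in the trace)
        int suitesLen = u16(b, p);
        p += 2;
        for (int i = 0; i < suitesLen; i += 2) {
            h.cipherSuites.add(u16(b, p + i));
        }
        return h;
    }

    static int u16(byte[] b, int off) {
        return ((b[off] & 0xFF) << 8) | (b[off + 1] & 0xFF);
    }

    static byte[] hex(String s) {
        String clean = s.replaceAll("\\s", "");
        byte[] out = new byte[clean.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(clean.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) {
        System.out.println(decode(TLS_HELLO));
        System.out.println(decode(SSLV2_HELLO));
    }
}
```

Running it prints the three SSL_DH_anon_* suites (0x001B, 0x0018, 0x001A) for both messages, with the SSLv2-format copy carrying the extra 0x00FF entry. The practical check: if the "[Raw write]" bytes in your own trace start with 0x80 rather than 0x16, the peer received an SSLv2-compatible hello, and a listener that has SSLv2 disabled will drop the connection before any TLS alert is sent, which is exactly the "recv failed" seen here.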

I think you're getting this error because of the client sending an SSLv2 client hello, which has been disabled on the server. So the server aborts the handshake immediately. Try to set this property to force TLSv1.0 to be used, which will prevent the client from sending this SSLv2 client hello.

props.setProperty("oracle.net.ssl_version", "1.0");

Note that anonymous cipher suites have been disabled in Oracle 12c so you should refrain from using them (yes the whitepaper you're referring to in your question is a bit obsolete).
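The fix from the answer carried through, together with the caveat it raises about anonymous suites, as an added example (not the original poster's code and not from the whitepaper): the same connection, but with TLSv1.0 forced, server-authenticated cipher suites, and the listener's certificate verified against a client wallet, which is the whitepaper's case #2 configuration. Assumed and not shown on the page: ojdbc6.jar plus oraclepki.jar, osdt_core.jar and osdt_cert.jar on the classpath (the last three provide OraclePKIProvider and the "SSO" keystore type), and a client auto-login wallet at the hypothetical path CLIENT_WALLET that holds the listener's certificate, or its issuing CA, as a trusted certificate. The DN in the URL is the one from the tnsnames.ora on this page.

```java
import java.security.Security;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

import oracle.security.pki.OraclePKIProvider;

/**
 * Added example: connection properties that turn the failing case #1 setup into a
 * server-authenticated TLSv1 connection. Paths and credentials are placeholders.
 */
public class TlsConnect {

    static final String CLIENT_WALLET = "C:\\app\\client_wallet\\cwallet.sso"; // hypothetical path

    // Same TCPS endpoint as in the question, plus the SECURITY clause from tnsnames.ora
    // so the driver can compare the server certificate DN with the one we expect.
    static final String URL = "jdbc:oracle:thin:@(DESCRIPTION="
            + "(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=2484))"
            + "(CONNECT_DATA=(SERVICE_NAME=orcl))"
            + "(SECURITY=(SSL_SERVER_CERT_DN=\"CN=SERVER_TEST,C=US\")))";

    /** Builds the property set; kept separate so the settings can be reused or inspected. */
    static Properties tlsProperties(String user, String password) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);

        // The fix from the answer: enable only TLSv1.0, so JSSE stops wrapping the
        // first ClientHello in the SSLv2 record format the listener drops.
        props.setProperty("oracle.net.ssl_version", "1.0");

        // Server-authenticated suites instead of SSL_DH_anon_*. Anonymous DH encrypts
        // but authenticates nobody (any on-path attacker can terminate it), and 12c rejects it.
        props.setProperty("oracle.net.ssl_cipher_suites",
                "(TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)");

        // Trust anchor: the client wallet, opened through OraclePKIProvider ("SSO" type, no password).
        props.setProperty("javax.net.ssl.trustStore", CLIENT_WALLET);
        props.setProperty("javax.net.ssl.trustStoreType", "SSO");

        // Besides chain validation, require the certificate DN to match SSL_SERVER_CERT_DN in the URL.
        props.setProperty("oracle.net.ssl_server_dn_match", "true");
        return props;
    }

    public static void main(String[] args) throws SQLException {
        // Harmless if the provider is already listed in java.security, as it is on this page.
        Security.addProvider(new OraclePKIProvider());

        Connection con = DriverManager.getConnection(URL, tlsProperties("XXXXX", "XXXXX"));
        try {
            Statement stmt = con.createStatement();
            ResultSet rs = stmt.executeQuery("select sysdate from dual");
            while (rs.next()) {
                System.out.println("result = " + rs.getString(1));
            }
            rs.close();
            stmt.close();
        } finally {
            con.close();   // Java 6 has no try-with-resources
        }
    }
}
```

With only the oracle.net.ssl_version line added to the original code, the handshake completes on 11g but the session is still unauthenticated: the client has no way to know it is talking to the real listener. The trust store and DN-match properties are what close that gap, and they also keep the code working once the server is upgraded to 12c, where the anonymous suites are gone. If the listener's sqlnet.ora restricts SSL_CIPHER_SUITES, it must list one of the suites chosen here.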
