Skip Headers
Oracle® Application Server Administrator's Guide
10g Release 2 (10.1.2)
B13995-06
  Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

18 Troubleshooting SSL

This chapter lists common questions and errors related to SSL.

It contains these topics:

18.1 Name-Based Virtual Hosting and SSL

You cannot use name-based virtual hosting with SSL. This is a limitation of SSL.

If you need to configure multiple virtual hosts with SSL, here are some possible workarounds:

18.2 Common ORA Errors Related to SSL

You may need to enable Oracle Net tracing to determine the cause of an error. For information about setting tracing parameters for Oracle Net, see Oracle Database Net Services Administrator's Guide.

ORA-28759: Failure to Open File
Cause: The system could not open the specified file. Typically, this error occurs because the Oracle wallet cannot be found.
Action: Check the following:
  • Ensure that the Oracle wallet is located either in the default location (ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default) or in the location specified by the SSLWallet directive in the ORACLE_HOME/Apache/Apache/conf/ssl.conf file. This should be the same directory location where you saved the wallet.

  • Enable Oracle Net tracing to determine the name of the file that cannot be opened and the reason.

  • Ensure that auto login was enabled when you saved the Oracle wallet. See Section 15.1.4.14, "Using Auto Login" for details.

ORA-28786: Decryption of Encrypted Private Key Failure
Cause: An incorrect password was used to decrypt an encrypted private key. Frequently, this happens because an auto login wallet is not being used.
Action: Use Oracle Wallet Manager to turn the auto login feature on for the wallet. Then re-save the wallet. See Section 15.1.4.14, "Using Auto Login".
ORA-28858: SSL Protocol Error
Cause: This is a generic error that can occur during SSL handshake negotiation between two processes.
Action: Enable Oracle Net tracing and attempt the connection again to produce trace output. Then contact Oracle customer support with the trace output.
ORA-28859 SSL Negotiation Failure
Cause: An error occurred during the negotiation between two processes as part of the SSL protocol. This error can occur when two sides of the connection do not support a common cipher suite.
Action: Ensure that the cipher suites configured on Oracle HTTP Server and on the client (which is the browser) are compatible for both client and server.

To check the cipher suites configured on Oracle HTTP Server, check the SSLCipherSuite directive in the ORACLE_HOME/Apache/Apache/conf/ssl.conf file.

To check the cipher suites configured on your browser, see the documentation for your browser. Each type of browser has its own way of setting the cipher suite.

You should also ensure that the SSL versions on both the client and the server match, or are compatible. For example, if the server accepts only SSL 3.0 and the client accepts only TLS 1.0, then the SSL connection will fail.

ORA-28862: SSL Connection Failed
Cause: This error occurred because the peer closed the connection.
Action: Check the following:
  • Ensure that the Oracle wallet is located either in the default location (ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default) or in the location specified by the SSLWallet directive in the ORACLE_HOME/Apache/Apache/conf/ssl.conf file. This should be the same directory location where you saved the wallet.

  • Check that the cipher suites are compatible for both client and server. See "ORA-28859 SSL Negotiation Failure" for details on how to check the cipher suite.

  • Check that the names of the cipher suites are spelled correctly.

  • Ensure that the SSL versions on both the client and the server match, or are compatible. Sometimes this error occurs because the SSL version specified on the server and client do not match. For example, if the server accepts only SSL 3.0 and the client accepts only TLS 1.0, then the SSL connection will fail.

  • For more diagnostic information, enable Oracle Net tracing on the peer.

ORA-28865: SSL Connection Closed
Cause: The SSL connection closed because of an error in the underlying transport layer, or because the peer process quit unexpectedly.
Action: Check the following:
  • Ensure that the SSL versions on both the client and the server match, or are compatible. Sometimes this error occurs because the SSL version specified on the server and client do not match. For example, if the server accepts only SSL 3.0 and the client accepts only TLS 1.0, then the SSL connection will fail.

  • If you are using a Diffie-Hellman anonymous cipher suite and the SSLVerifyClient directive is set to require in the ssl.conf file, then the client does not pass its certificate to the server. When the server does not receive the client's certificate, the server cannot authenticate the client so the connection is closed. To resolve this, use a different cipher suite, or set the SSLVerifyClient directive to none or optional.

    See "ORA-28859 SSL Negotiation Failure" for details on how to check the cipher suite.

  • Enable Oracle Net tracing and check the trace output for network errors.

ORA-28868: Peer Certificate Chain Check Failed
Cause: When the peer presented the certificate chain, it was checked and that check failed. This failure can be caused by a number of problems, including:
  • One of the certificates in the chain is expired.

  • A certificate authority for one of the certificates in the chain is not recognized as a trust point.

  • The signature in one of the certificates cannot be verified.

Action: Follow the instructions in Section 15.1.4.3, "Opening an Existing Wallet" to use Oracle Wallet Manager to open your wallet, and check the following:
  • Ensure that all of the certificates installed in your wallet are current (not expired).

  • Ensure that a certificate authority's certificate from your peer's certificate chain is added as a trusted certificate in your wallet. See Section 15.1.5.2.1, "Importing a Trusted Certificate" to use Oracle Wallet Manager to import a trusted certificate.

ORA-28885: No certificate with the required key usage found.
Cause: Your certificate was not created with the appropriate X.509 Version 3 key usage extension.
Action: Use Oracle Wallet Manager to check the certificate's key usage. See Table 15-4, "X.509 Version 3 KeyUsage Extension Types, Values, and Descriptions".
ORA-29024: Certificate Validation Failure
Cause: The certificate sent by the other side could not be validated. This may occur if the certificate has expired, has been revoked, or is invalid for another reason.
Action: Check the following:
ORA-29223: Cannot Create Certificate Chain
Cause: A certificate chain cannot be created with the existing trust points for the certificate being installed. Typically, this error is returned when the peer does not give the complete chain and you do not have the appropriate trust points to complete it.
Action: Use Oracle Wallet Manager to install the trust points that are required to complete the chain. See Section 15.1.5.2.1, "Importing a Trusted Certificate".