Oracle® Application Server Administrator's Guide
10g Release 2 (10.1.2) B13995-06
This chapter lists common questions and errors related to SSL.
It contains these topics:
You cannot use name-based virtual hosting with SSL. This is a limitation of SSL.
If you need to configure multiple virtual hosts with SSL, here are some possible workarounds:
Use IP-based virtual hosting. To do this, you configure multiple IP addresses for your computer, and map each IP address to a different virtual name.
If you are willing to use non-standard port numbers, you can associate the same IP with different names, but you must configure each name with a different port number (for example, name1:443, name2:553). This enables you to use the same IP, but you have to use non-standard port numbers. Only one name can use the standard 443 port; other names must use other port numbers.
You may need to enable Oracle Net tracing to determine the cause of an error. For information about setting tracing parameters for Oracle Net, see Oracle Database Net Services Administrator's Guide.
Ensure that the Oracle wallet is located either in the default location (ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default) or in the location specified by the SSLWallet directive in the ORACLE_HOME/Apache/Apache/conf/ssl.conf file. This should be the same directory location where you saved the wallet.
Enable Oracle Net tracing to determine the name of the file that cannot be opened and the reason.
Ensure that auto login was enabled when you saved the Oracle wallet. See Section 15.1.4.14, "Using Auto Login" for details.
To check the cipher suites configured on Oracle HTTP Server, check the SSLCipherSuite directive in the ORACLE_HOME/Apache/Apache/conf/ssl.conf file.
To check the cipher suites configured on your browser, see the documentation for your browser. Each type of browser has its own way of setting the cipher suite.
You should also ensure that the SSL versions on both the client and the server match, or are compatible. For example, if the server accepts only SSL 3.0 and the client accepts only TLS 1.0, then the SSL connection will fail.
Ensure that the Oracle wallet is located either in the default location (ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default) or in the location specified by the SSLWallet directive in the ORACLE_HOME/Apache/Apache/conf/ssl.conf file. This should be the same directory location where you saved the wallet.
Check that the cipher suites are compatible for both client and server. See "ORA-28859 SSL Negotiation Failure" for details on how to check the cipher suite.
Check that the names of the cipher suites are spelled correctly.
Ensure that the SSL versions on both the client and the server match, or are compatible. Sometimes this error occurs because the SSL versions specified on the server and the client do not match. For example, if the server accepts only SSL 3.0 and the client accepts only TLS 1.0, then the SSL connection will fail.
For more diagnostic information, enable Oracle Net tracing on the peer.
Ensure that the SSL versions on both the client and the server match, or are compatible. Sometimes this error occurs because the SSL versions specified on the server and the client do not match. For example, if the server accepts only SSL 3.0 and the client accepts only TLS 1.0, then the SSL connection will fail.
If you are using a Diffie-Hellman anonymous cipher suite and the SSLVerifyClient directive is set to require in the ssl.conf file, then the client does not pass its certificate to the server. When the server does not receive the client's certificate, the server cannot authenticate the client, so the connection is closed. To resolve this, use a different cipher suite, or set the SSLVerifyClient directive to none or optional.
See "ORA-28859 SSL Negotiation Failure" for details on how to check the cipher suite.
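The checks described above (name-based SSL virtual hosts sharing one address, the wallet location, cipher-suite spelling, SSL version compatibility, and anonymous Diffie-Hellman suites combined with SSLVerifyClient require) can be run over an ssl.conf before the server is restarted. The following linter is an added example, not code from Oracle or from this guide. It assumes the Apache-style syntax of ssl.conf for the SSLWallet, SSLCipherSuite and SSLVerifyClient directives and for <VirtualHost> blocks; SSLEngine and SSLProtocol are assumed directive names, the set of accepted cipher-suite names is a constructed subset used only to catch misspellings, and the configuration fragment at the end is constructed to show each finding once.

```python
"""Lint an Oracle HTTP Server ssl.conf for the SSL problems discussed above (added example)."""
import os
import re

# Constructed subset of cipher-suite names, used only to catch misspellings.
KNOWN_CIPHERS = {
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_AES_256_CBC_SHA", "SSL_DH_anon_WITH_RC4_128_MD5",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
}
# Default wallet location from the text; ORACLE_HOME is taken from the environment.
DEFAULT_WALLET = os.path.join(os.environ.get("ORACLE_HOME", "/ORACLE_HOME"),
                              "Apache", "Apache", "conf", "ssl.wlt", "default")
ALL_VERSIONS = {"SSLv3", "TLSv1"}   # assumed version names accepted by SSLProtocol
VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost>", re.I)


def parse_ssl_conf(text):
    """Return (global directives, list of <VirtualHost> dicts); the last value of a directive wins."""
    global_d, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = {"_address": m.group(1).strip()}
        elif VHOST_CLOSE.match(line) and current is not None:
            vhosts.append(current)
            current = None
        else:
            parts = line.split(None, 1)
            (global_d if current is None else current)[parts[0]] = parts[1] if len(parts) > 1 else ""
    return global_d, vhosts


def check_virtual_hosts(vhosts):
    """Name-based virtual hosting does not work with SSL: flag SSL virtual hosts
    that share one ip:port but carry different ServerNames."""
    names_by_addr = {}
    for vh in vhosts:
        if vh.get("SSLEngine", "off").lower() == "on":   # SSLEngine: assumed directive name
            names_by_addr.setdefault(vh["_address"], set()).add(vh.get("ServerName", "?"))
    return [f"{addr}: SSL virtual hosts {sorted(names)} share one address; give each its "
            "own IP address or its own port (only one may use 443)"
            for addr, names in names_by_addr.items() if len(names) > 1]


def check_wallet(directives, isdir=os.path.isdir):
    """The directory named by SSLWallet (or the default location) must exist."""
    wallet = re.sub(r"^file:", "", directives.get("SSLWallet", DEFAULT_WALLET))  # file: prefix assumed
    return [] if isdir(wallet) else [f"SSLWallet directory not found: {wallet}"]


def check_ciphers(directives, known=KNOWN_CIPHERS):
    """Misspelled cipher-suite names, and anonymous Diffie-Hellman suites combined
    with SSLVerifyClient require (the client then sends no certificate)."""
    names = [n.lstrip("!+-") for n in directives.get("SSLCipherSuite", "").split(":") if n]
    problems = [f"unknown cipher suite name (misspelled?): {n}" for n in names if n not in known]
    anon = [n for n in names if "_anon_" in n]
    if anon and directives.get("SSLVerifyClient", "none").lower() == "require":
        problems.append(f"SSLVerifyClient require cannot authenticate clients using {anon}; "
                        "choose another suite or set SSLVerifyClient none or optional")
    return problems


def check_protocol_overlap(directives, client_versions):
    """Server and client must share at least one SSL version; the server side is
    read from SSLProtocol (assumed directive name, default All)."""
    tokens = directives.get("SSLProtocol", "All").split()
    server = ALL_VERSIONS if "All" in tokens else set(tokens) & ALL_VERSIONS
    if server & set(client_versions):
        return []
    return [f"no common SSL version: server {sorted(server)}, client {sorted(client_versions)}"]


def lint(text, client_versions=("TLSv1",), isdir=os.path.isdir):
    """Run every check over one ssl.conf text and return the list of findings."""
    directives, vhosts = parse_ssl_conf(text)
    return (check_virtual_hosts(vhosts) + check_wallet(directives, isdir)
            + check_ciphers(directives) + check_protocol_overlap(directives, client_versions))


# Constructed ssl.conf fragment that exhibits each problem once.
SAMPLE_CONF = """
SSLWallet file:/opt/wallets/missing
SSLCipherSuite SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_AES_128_CBC:SSL_DH_anon_WITH_RC4_128_MD5
SSLVerifyClient require
SSLProtocol SSLv3
<VirtualHost 192.0.2.10:443>
    ServerName name1.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName name2.example.com
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, isdir=lambda path: False):   # treat the wallet path as absent
        print("-", finding)
```

The `isdir` and `client_versions` parameters are injectable so the wallet check and the version check can be exercised without the real ORACLE_HOME or a live client; against a real installation, call `lint(open(path).read())` with the defaults and pass the versions your browsers are configured to offer.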
Enable Oracle Net tracing and check the trace output for network errors.
One of the certificates in the chain is expired.
A certificate authority for one of the certificates in the chain is not recognized as a trust point.
The signature in one of the certificates cannot be verified.
Ensure that all of the certificates installed in your wallet are current (not expired).
Ensure that a certificate authority's certificate from your peer's certificate chain is added as a trusted certificate in your wallet. See Section 15.1.5.2.1, "Importing a Trusted Certificate" to use Oracle Wallet Manager to import a trusted certificate.
Check the certificate to determine whether it is valid. If necessary, get a new certificate, inform the sender that her certificate has failed, or resend.
Check to ensure that the server's wallet has the appropriate trust points to validate the client's certificate. If it does not, then use Oracle Wallet Manager to import the appropriate trust point into the wallet. See Section 15.1.5.2.1, "Importing a Trusted Certificate" for details.
Ensure that the certificate has not been revoked and that certificate revocation list (CRL) checking is enabled. See Section 15.2.5, "Managing Certificate Revocation Lists (CRLs) with the orapki Utility".