Oracle® Application Server Administrator's Guide
10g Release 2 (10.1.2)
Part No. B13995-01
16 Troubleshooting SSL

This chapter lists common questions and errors related to SSL.

It contains these topics:

16.1 Name-Based Virtual Hosting and SSL

You cannot use name-based virtual hosting with SSL. This is a limitation of SSL: the server must present its certificate during the SSL handshake, before the HTTP Host header that identifies the requested virtual host has been sent, so it cannot select a certificate per host name.

If you need to configure multiple virtual hosts with SSL, here are some possible workarounds:

16.2 Common ORA Errors Related to SSL

You may need to enable Oracle Net tracing to determine the cause of an error. For information about setting tracing parameters for Oracle Net, see Oracle Database Net Services Administrator's Guide.

ORA-28759: Failure to Open File
Cause: The system could not open the specified file. Typically, this error occurs because the Oracle wallet cannot be found.
Action: Check the following:
  • Ensure that the Oracle wallet is located either in the default location (ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default) or in the location specified by the SSLWallet directive in the ORACLE_HOME/Apache/Apache/conf/ssl.conf file. This should be the same directory location where you saved the wallet.

  • Enable Oracle Net tracing to determine the name of the file that cannot be opened and the reason.

  • Ensure that auto login was enabled when you saved the Oracle wallet. See Section 13.1.4.14, "Using Auto Login" for details.

ORA-28786: Decryption of Encrypted Private Key Failure
Cause: An incorrect password was used to decrypt an encrypted private key. Frequently, this happens because an auto login wallet is not being used.
Action: Use Oracle Wallet Manager to turn the auto login feature on for the wallet. Then re-save the wallet. See Section 13.1.4.14, "Using Auto Login".

ORA-28858: SSL Protocol Error
Cause: This is a generic error that can occur during SSL handshake negotiation between two processes.
Action: Enable Oracle Net tracing and attempt the connection again to produce trace output. Then contact Oracle customer support with the trace output.

ORA-28859 SSL Negotiation Failure
Cause: An error occurred during the negotiation between two processes as part of the SSL protocol. This error can occur when two sides of the connection do not support a common cipher suite.
Action: Ensure that the cipher suites configured on Oracle HTTP Server and on the client (the browser) have at least one suite in common.

To check the cipher suites configured on Oracle HTTP Server, check the SSLCipherSuite directive in the ORACLE_HOME/Apache/Apache/conf/ssl.conf file.

To check the cipher suites configured on your browser, see the documentation for your browser. Each type of browser has its own way of setting the cipher suite.

You should also ensure that the SSL versions on both the client and the server match, or are compatible. For example, if the server accepts only SSL 3.0 and the client accepts only TLS 1.0, then the SSL connection will fail.

ORA-28862: SSL Connection Failed
Cause: This error occurred because the peer closed the connection.
Action: Check the following:
  • Ensure that the Oracle wallet is located either in the default location (ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default) or in the location specified by the SSLWallet directive in the ORACLE_HOME/Apache/Apache/conf/ssl.conf file. This should be the same directory location where you saved the wallet.

  • Check that the cipher suites are compatible for both client and server. See "ORA-28859 SSL Negotiation Failure" for details on how to check the cipher suite.

  • Check that the names of the cipher suites are spelled correctly.

  • Ensure that the SSL versions on both the client and the server match, or are compatible. Sometimes this error occurs because the SSL versions specified on the server and on the client do not match. For example, if the server accepts only SSL 3.0 and the client accepts only TLS 1.0, then the SSL connection will fail.

  • For more diagnostic information, enable Oracle Net tracing on the peer.

ORA-28865: SSL Connection Closed
Cause: The SSL connection closed because of an error in the underlying transport layer, or because the peer process quit unexpectedly.
Action: Check the following:
  • Ensure that the SSL versions on both the client and the server match, or are compatible. Sometimes this error occurs because the SSL versions specified on the server and on the client do not match. For example, if the server accepts only SSL 3.0 and the client accepts only TLS 1.0, then the SSL connection will fail.

  • If you are using a Diffie-Hellman anonymous cipher suite and the SSLVerifyClient directive is set to require in the ssl.conf file, then the client does not pass its certificate to the server. When the server does not receive the client's certificate, the server cannot authenticate the client so the connection is closed. To resolve this, use a different cipher suite, or set the SSLVerifyClient directive to none or optional.

    See "ORA-28859 SSL Negotiation Failure" for details on how to check the cipher suite.

  • Enable Oracle Net tracing and check the trace output for network errors.
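The wallet, cipher-suite, SSL-version and SSLVerifyClient checks described for ORA-28759, ORA-28786, ORA-28859, ORA-28862 and ORA-28865 above, as an added example in Go. This is not Oracle's code and not part of Oracle HTTP Server: it parses a constructed ssl.conf fragment (placeholder wallet path, sample suite names of the SSL_*_WITH_* form) and compares it with what a client offers. Two things it relies on are not stated in this chapter and are assumptions here: SSLProtocol as the name of the directive that holds the accepted SSL/TLS versions, and cwallet.sso as the file an auto-login wallet consists of.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// SSLConf holds the ssl.conf directives the checks below depend on. SSLProtocol is an
// assumed directive name; the chapter names only SSLWallet, SSLCipherSuite and SSLVerifyClient.
type SSLConf struct {
	Wallet       string
	CipherSuites []string
	VerifyClient string
	Protocols    []string
}

// ParseSSLConf extracts those directives from ssl.conf text; list values are comma-separated.
func ParseSSLConf(text string) (c SSLConf) {
	for _, raw := range strings.Split(text, "\n") {
		f := strings.Fields(raw)
		if len(f) < 2 || strings.HasPrefix(f[0], "#") {
			continue
		}
		switch v := strings.Join(f[1:], " "); f[0] {
		case "SSLWallet":
			c.Wallet = strings.TrimPrefix(v, "file:") // the path is usually written with a file: prefix
		case "SSLCipherSuite":
			c.CipherSuites = splitList(v)
		case "SSLVerifyClient":
			c.VerifyClient = strings.ToLower(v)
		case "SSLProtocol":
			c.Protocols = splitList(v)
		}
	}
	return c
}

func splitList(v string) (out []string) {
	for _, s := range strings.Split(v, ",") {
		if t := strings.TrimSpace(s); t != "" {
			out = append(out, t)
		}
	}
	return out
}

// CheckWallet reports a missing wallet directory (the usual ORA-28759 cause) or a directory
// without the auto-login file cwallet.sso (the usual ORA-28786 cause; file name assumed).
func CheckWallet(c SSLConf, defaultWallet string) error {
	dir := c.Wallet
	if dir == "" {
		dir = defaultWallet
	}
	if info, err := os.Stat(dir); err != nil || !info.IsDir() {
		return fmt.Errorf("wallet directory %q not found (ORA-28759)", dir)
	}
	if _, err := os.Stat(filepath.Join(dir, "cwallet.sso")); err != nil {
		return fmt.Errorf("no auto-login wallet in %q (ORA-28786)", dir)
	}
	return nil
}

// Intersect returns the server's entries that the client also offers, in server order. An empty
// result is the ORA-28859 case for cipher suites and the SSL 3.0 / TLS 1.0 mismatch for versions.
func Intersect(server, client []string) (common []string) {
	offered := make(map[string]bool, len(client))
	for _, s := range client {
		offered[s] = true
	}
	for _, s := range server {
		if offered[s] {
			common = append(common, s)
		}
	}
	return common
}

// AnonSuiteWithClientVerify flags the ORA-28865 combination: an anonymous Diffie-Hellman
// suite delivers no client certificate, so "SSLVerifyClient require" can never be satisfied.
func AnonSuiteWithClientVerify(c SSLConf) bool {
	for _, s := range c.CipherSuites {
		if c.VerifyClient == "require" && strings.Contains(strings.ToUpper(s), "DH_ANON") {
			return true
		}
	}
	return false
}

const SampleConf = `# constructed example with a placeholder path, not a real server's configuration
SSLWallet file:/ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default
SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSLVerifyClient require
SSLProtocol SSLv3
`

func main() {
	conf := ParseSSLConf(SampleConf) // a TLS 1.0-only client offering one AES suite trips every check
	fmt.Println("wallet:", CheckWallet(conf, ""))
	fmt.Println("common suites:", Intersect(conf.CipherSuites, []string{"TLS_RSA_WITH_AES_128_CBC_SHA"}))
	fmt.Println("common versions:", Intersect(conf.Protocols, []string{"TLSv1"}))
	fmt.Println("DH_anon with require:", AnonSuiteWithClientVerify(conf))
}
```

Point ParseSSLConf at the real ORACLE_HOME/Apache/Apache/conf/ssl.conf and pass the default wallet location as defaultWallet to reproduce the first two checks of ORA-28759; the client's suite and version lists come from the browser's own settings, as the text notes.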

ORA-28868: Peer Certificate Chain Check Failed
Cause: When the peer presented the certificate chain, it was checked and that check failed. This failure can be caused by a number of problems, including:
  • One of the certificates in the chain is expired.

  • A certificate authority for one of the certificates in the chain is not recognized as a trust point.

  • The signature in one of the certificates cannot be verified.

Action: Follow the instructions in Section 13.1.4.3, "Opening an Existing Wallet" to use Oracle Wallet Manager to open your wallet, and check the following:
  • Ensure that all of the certificates installed in your wallet are current (not expired).

  • Ensure that a certificate authority's certificate from your peer's certificate chain is added as a trusted certificate in your wallet. See Section 13.1.5.2.1, "Importing a Trusted Certificate" to use Oracle Wallet Manager to import a trusted certificate.

ORA-28885: No Certificate with the Required Key Usage Found
Cause: Your certificate was not created with the appropriate X.509 Version 3 key usage extension.
Action: Use Oracle Wallet Manager to check the certificate's key usage. See Table 13-4, "X.509 Version 3 KeyUsage Extension Types, Values, and Descriptions".

ORA-29024: Certificate Validation Failure
Cause: The certificate sent by the other side could not be validated. This may occur if the certificate has expired, has been revoked, or is invalid for another reason.
Action: Check the following:

ORA-29223: Cannot Create Certificate Chain
Cause: A certificate chain cannot be created with the existing trust points for the certificate being installed. Typically, this error is returned when the peer does not give the complete chain and you do not have the appropriate trust points to complete it.
Action: Use Oracle Wallet Manager to install the trust points that are required to complete the chain. See Section 13.1.5.2.1, "Importing a Trusted Certificate".
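The chain check behind ORA-28868 and ORA-29223, as an added Go example that uses the standard library's X.509 verifier in place of the server's own check; it is not Oracle's code. It builds a constructed root CA, issuing CA and server certificate in memory (throw-away P-256 keys, made-up names) and classifies four situations: a complete chain whose root is a trust point, an expired server certificate, an issuing CA the peer did not send (the chain cannot be built at all), and a complete chain whose root is not among the trust points. The mapping of Go's error types onto the ORA numbers is this example's own: in particular, an expired CA certificate surfaces in Go as an unknown-authority error and is therefore reported here under the trust-point wording, which is still ORA-28868 territory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ClassifyChain verifies leaf the way the server checks a peer's chain and maps the outcome
// onto the errors above. trusted plays the wallet's trust points; intermediates are the CA
// certificates the peer sent along with its own certificate.
func ClassifyChain(leaf *x509.Certificate, intermediates, trusted []*x509.Certificate, now time.Time) string {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "ORA-28868: the peer's certificate is expired"
		}
	case x509.UnknownAuthorityError:
		// If some certificate at hand actually issued the leaf, the chain was built but ends at
		// a CA that is not a trust point (ORA-28868); otherwise the chain cannot be built (ORA-29223).
		for _, pool := range [][]*x509.Certificate{intermediates, trusted} {
			for _, c := range pool {
				if leaf.CheckSignatureFrom(c) == nil {
					return "ORA-28868: certificate authority not recognized as a trust point"
				}
			}
		}
		return "ORA-29223: cannot create certificate chain (issuer certificate missing)"
	}
	return "ORA-28868: chain check failed: " + err.Error()
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate from tmpl for pub, signed by signer on behalf of parent.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(name string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func leafTemplate(serial int64, now, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "ohs.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
}

// PKI is a constructed root -> issuing CA -> server hierarchy, plus an expired server certificate.
type PKI struct{ Root, Issuer, Server, ExpiredServer *x509.Certificate }

func BuildPKI(now time.Time) PKI {
	rootKey, issuerKey, serverKey := newKey(), newKey(), newKey()
	rootT := caTemplate("Example Root CA (constructed)", 1, now)
	root := sign(rootT, rootT, &rootKey.PublicKey, rootKey) // self-signed trust point
	issuer := sign(caTemplate("Example Issuing CA (constructed)", 2, now), root, &issuerKey.PublicKey, rootKey)
	server := sign(leafTemplate(3, now, now.Add(24*time.Hour)), issuer, &serverKey.PublicKey, issuerKey)
	expired := sign(leafTemplate(4, now, now.Add(-time.Minute)), issuer, &serverKey.PublicKey, issuerKey)
	return PKI{Root: root, Issuer: issuer, Server: server, ExpiredServer: expired}
}

func main() {
	now := time.Now()
	p := BuildPKI(now)
	issuer, root := []*x509.Certificate{p.Issuer}, []*x509.Certificate{p.Root}
	fmt.Println("complete chain, root trusted:", ClassifyChain(p.Server, issuer, root, now))
	fmt.Println("expired server certificate:  ", ClassifyChain(p.ExpiredServer, issuer, root, now))
	fmt.Println("issuing CA not sent by peer: ", ClassifyChain(p.Server, nil, root, now))
	fmt.Println("root not a trust point:      ", ClassifyChain(p.Server, issuer, nil, now))
}
```

The last two cases are the ones the Action paragraphs above resolve differently: for ORA-29223 the fix is to install the missing trust points so the chain can be completed, while for ORA-28868 the chain is complete but the wallet does not yet list its CA as a trusted certificate.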