Understanding and Investigating SSL Issues Support Pattern
(Doc ID 1078957.1)
Last updated on DECEMBER 19, 2022
Applies to:
Oracle WebLogic Server - Version 6.1 and laterInformation in this document applies to any platform.
Purpose
This document is a support pattern describing the SSL implementation in WebLogic Server and provides tips on how to troubleshoot related problems
Problem Description
Two communicating parties, using the SSL (Secure Socket Layer) protocol, cannot establish a connection due to an SSL failure.
Troubleshooting Steps
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Purpose |
| Problem Description |
| Troubleshooting Steps |
| What is SSL and how does it work? |
| What is PKC and how does it work? |
| What is a Certificate? |
| What is a Certificate Authority? |
| What is a SSL handshake? |
| Certificate Formats |
| PEM |
| DER |
| PKCS#12 |
| Generating Demo Certificates |
| Step 1 - Create demo private keys |
| keytool (from your jdk) |
| Certificate Servlet from WebLogic (deprecated in 7.0) |
| Step 2 - Sign the public key by a trusted CA |
| Converting Certificate Formats |
| To PKCS#12 (Mozilla, IE etc.) from PEM |
| From PKCS#12 to PEM |
| Look into a Certificate |
| Other commands: |
| Configure WLS to use your keystore (one way SSL only) |
| Problem Troubleshooting |
| 1. Know the failure: Enable the SSL Debug Flags to track SSL issues |
| 2. What does a correct handshake look like? |
| First SSL Handshake |
| Server Side |
| Client Side |
| SSL resuming a session |
| Server Side |
| Client Side |
| Handshake doing client authentication (2-way SSL) |
| Server Side |
| Client Side |
| 3. Analyze logs - determine the failure |
| General Certificate |
| Solution |
| Failed hostname verification check |
| Client Side |
| Solution |
| CERT_CHAIN_UNTRUSTED |
| Client Side |
| Solution |
| BAD_CERTIFICATE (not signed properly causing SSL handshake failure) |
| Client Side |
| Server Side |
| Solution |
| CLOSE_NOTIFY |
| HANDSHAKE_FAILURE |
| Server Side |
| Solution |
| Need further help? |