SSL-Encrypted Connection to 11.2.0.3 Database Fails With "java.sql.SQLRecoverableException: IO Error: Received fatal alert: handshake_failure"

(Doc ID 1434966.1)

Last updated on AUGUST 31, 2017

Applies to:

JDBC - Version 11.2.0.3.0 and later
Information in this document applies to any platform.

Symptoms

Java sample code fails with "java.sql.SQLRecoverableException: IO Error: Received fatal alert: handshake_failure" when using an SSL-encrypted connection to Oracle Database 11.2.0.3.

There is no error when connecting to an 11.2.0.2 RDBMS with the same 11.2.0.3 JDBC thin driver.

Sample Code:

import java.sql.*;
import java.util.Properties;
import oracle.jdbc.pool.OracleDataSource;

public class SSLTest {
    public static void main(String[] args) throws SQLException {

        Connection conn = getConnection();
        conn.close();
    }

    public static Connection getConnection() throws SQLException {
        OracleDataSource ods = new OracleDataSource();
        // TCPS (SSL) listener endpoint on port 2484
        ods.setURL("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<host>)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=ORC1121U)))");
        Properties props = new Properties();
        props.setProperty("user", "scott");
        props.setProperty("password", "<password>");
        // Anonymous (unauthenticated) Diffie-Hellman suites, matching the server's SQLNET.ORA
        props.setProperty("oracle.net.ssl_cipher_suites","(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)");
        ods.setConnectionProperties(props);


        // The handshake_failure is raised here, when the connection is opened
        Connection conn = ods.getConnection();
        DatabaseMetaData dbmd = conn.getMetaData();
        System.out.println(dbmd.getDatabaseProductVersion());
        System.out.println("JDBC driver: " + dbmd.getDriverVersion());
        System.out.println("JDBC URL: " + dbmd.getURL());
        conn.setAutoCommit(false);
        return conn;
    }
}


In this failing case, you are using the following anonymous ciphers, set within the database SQLNET.ORA file:
(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)

Also, you statically set the OraclePKI security provider in the file C:\Oracle\jdk\jdk1.6.0_27\jre\lib\security\java.security on the client side:


#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=oracle.security.pki.OraclePKIProvider <---- "statically set on third position"
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=sun.security.mscapi.SunMSCAPI


When executing the Java program, the error occurs.
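
To see how the client JVM actually resolves this configuration, the following diagnostic (an added example, not part of the Oracle note or the JDBC driver) prints the effective security provider order and reports, for each suite in the oracle.net.ssl_cipher_suites value above, whether the JVM's default SSLContext supports it and enables it by default. The class name CipherSuiteCheck and its parseSuites helper are hypothetical; run it with the same JRE as the failing client.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added diagnostic (hypothetical class name), not code from the Oracle note.
public class CipherSuiteCheck {

    // Parses the "(A, B,C)" list format used by oracle.net.ssl_cipher_suites.
    static List<String> parseSuites(String value) {
        List<String> suites = new ArrayList<String>();
        String inner = value.trim().replaceAll("^\\(|\\)$", "");
        for (String s : inner.split(",")) {
            if (!s.trim().isEmpty()) suites.add(s.trim());
        }
        return suites;
    }

    public static void main(String[] args) throws Exception {
        // Effective provider order as the JVM resolved it from java.security.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("provider " + (i + 1) + ": " + providers[i].getName()
                    + " (" + providers[i].getClass().getName() + ")");
        }

        // Suites the default JSSE context can negotiate vs. those it offers by default.
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<String>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<String>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        // Same value the sample code passes to the driver.
        String configured = "(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, "
                + "SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)";
        for (String suite : parseSuites(configured)) {
            System.out.println(suite
                    + " supported=" + supported.contains(suite)
                    + " enabledByDefault=" + enabled.contains(suite)
                    + " anonymous=" + suite.contains("_anon_"));
        }
    }
}
```

A suite reported as unsupported by the client JVM cannot be negotiated, and the anonymous=true flag marks suites that provide no server authentication.
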

Errors also occur outside of JDBC. For example, using SQL*Plus locally to connect to the "orcl" instance through TCPS fails with "ORA-28860: Fatal SSL error":

 


Changes

 

Cause
