
OID Ldapbind on SSL Port Fails With "SSL Handshake Failed" Error (NZerr 28862) (Doc ID 3050774.1)

Last updated on OCTOBER 17, 2024

Applies to:

Oracle Internet Directory - Version 12.2.1.4.221222 and later
Information in this document applies to any platform.

Symptoms

After configuring SSL Server Auth mode for OID, the ldapbind command fails with an "SSL handshake failed" error:

$ORACLE_HOME/bin/ldapbind -h <OID_hostname> -p <OID_SSL_Port> -U 2 -D "cn=orcladmin" -w ******* -W "file:<Wallet_Path>" -P ""
SSL handshake failed

From the oidldapd log:

[OID] [TRACE:16] [] [OIDLDAPD] [host: xxxxxx] [pid: xxxx] [tid: xx] ServerListener : sgsluscReadPort: Message received succcessfully (type=0x1)
[OID] [TRACE:16] [] [OIDLDAPD] [host: xxxxxx] [pid: xxxx] [tid: xx] ServerListener : INFO : Accepted new connection conn id = 7, IpAddr=::ffff:xx.xx.xxx.x
[OID] [TRACE:16] [] [OIDLDAPD] [host: xxxxxx] [pid: xxxx] [tid: xx] ServerListener : INFO * Enqueue SSL connection SSLQ count = 1, conn id = 7, Source address: ::ffff:xx.xx.xxx.x
[OID] [TRACE:16] [] [OIDLDAPD] [host: xxxxxx] [pid: xxxx] [tid: xx] SSLthread: INFO * Dequeue SSL connection SSLQ count = 0, conn id = 7, Source address: ::ffff:xx.xx.xxx.x
[OID] [TRACE:16] [] [OIDLDAPD] [host: xxxxxx] [pid: xxxx] [tid: xx] SSLthread: TDP : SSL allocated memory is at 55a435e0 1824 bytes
[OID] [TRACE:16] [] [OIDLDAPD] [host: xxxxxx] [pid: xxxx] [tid: xx] SSLthread: TDP : SSL allocated memory is at 55a523e0 32 bytes
[OID] [TRACE:16] [] [OIDLDAPD] [host: xxxxxx] [pid: xxxx] [tid: xx] SSLthread: ERROR * gslsflnNegotiateSSL * SSL Hand Shake failed Source address: ::ffff:xx.xx.xxx.x * (NZerr 28862)
[OID] [TRACE:16] [] [OIDLDAPD] [host: xxxxxx] [pid: xxxx] [tid: xx] SSLthread: TDP : SSL Freeing memory is at 55a523e0 0 bytes
[OID] [TRACE:16] [] [OIDLDAPD] [host: xxxxxx] [pid: xxxx] [tid: xx] SSLthread: TDP : SSL Freeing memory is at 55a435e0 0 bytes
[OID] [TRACE:16] [] [OIDLDAPD] [host: xxxxxx] [pid: xxxx] [tid: xx] SSLthread: INFO : gslsfwsShutdownEndpoint : Cleanup of SSL state for connection

openssl command output:

openssl s_client -connect <OID_host>:<OID_SSL_Port> -showcerts
CONNECTED(00000003)
139650763073344:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 338 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

"orapki wallet display" command output:

$ orapki wallet display -wallet <Wallet_name>
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2023, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:

Trusted Certificates:
Subject: CN=xxxxxx,DC=xxxx,DC=xxx
Subject: L=xxxxx,CN=xxxx,ST=xxxxxx,OU=xxxxx,O=xxxxx,C=xxxx
Subject: CN=<hostname>,OU=xxxx,O=xxxxxxx,L=xxxxxx,ST=xxxxx,C=xxxx  ---------------> This is the user certificate, but it is listed under Trusted Certificates
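As an added check (not part of this note), the shell helper below parses "orapki wallet display" output and flags a wallet whose User Certificates section is empty, which is the condition shown in the listing above. The wallet listings embedded in the script are constructed samples modelled on that output; the wallet path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the MOS note: detect an empty "User Certificates:"
# section in "orapki wallet display" output. Assumes the listing format shown
# above (section headers followed by "Subject:" lines).

# Constructed sample: no user certificate, server cert sits under Trusted Certificates.
SAMPLE_BAD='Requested Certificates:
User Certificates:

Trusted Certificates:
Subject: CN=idmca,DC=example,DC=com
Subject: CN=oidhost.example.com,OU=IT,O=Example,L=City,ST=State,C=US'

# Constructed sample: the server certificate is present as a user certificate.
SAMPLE_GOOD='Requested Certificates:
User Certificates:
Subject: CN=oidhost.example.com,OU=IT,O=Example,L=City,ST=State,C=US
Trusted Certificates:
Subject: CN=idmca,DC=example,DC=com'

# count_user_certs: read a wallet listing on stdin and print how many
# "Subject:" lines appear between "User Certificates:" and "Trusted Certificates:".
count_user_certs() {
    awk '
        /^User Certificates:/    { in_user = 1; next }
        /^Trusted Certificates:/ { in_user = 0 }
        in_user && /^Subject:/   { n++ }
        END { print n + 0 }
    '
}

# check_wallet_listing: takes a listing as its argument; returns 0 when at least
# one user certificate is present, 1 when the section is empty.
check_wallet_listing() {
    n=$(printf '%s\n' "$1" | count_user_certs)
    if [ "$n" -eq 0 ]; then
        echo "No user certificate in wallet (compare the Symptoms listing above)"
        return 1
    fi
    echo "Wallet has $n user certificate(s)"
    return 0
}

# Usage against a live wallet (placeholder path):
#   orapki wallet display -wallet <Wallet_Path> | count_user_certs
```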


Cause

