ORA-28864: SSL Connection Closed Gracefully on Starting Listener / Connecting to Database
(Doc ID 467142.1)
Last updated on FEBRUARY 03, 2019
Applies to:
Advanced Networking Option - Version 9.0.1 to 10.2.0Information in this document applies to any platform.
Checked for relevance on 22-Apr-2013
Symptoms
We got a listener configured with SSL authentication but we get an "SSL connection closed gracefully" error, either when starting the listener / querying listener status or when trying to connect to the database.
Starting the listener:
$ lsnrctl start LISTENER_SSL
LSNRCTL for Compaq Tru64 UNIX: Version 10.2.0.2.0 - Production on 05-OCT-2007 12:44:20
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Starting /oradbr/oraaso/oraaso/product/10.2.0/db_1/bin/tnslsnr: please wait...
TNSLSNR for Compaq Tru64 UNIX: Version 10.2.0.2.0 - Production
System parameter file is /etc/ORACLE/WALLETS/oraaso/listener.ora
Log messages written to /oradbr/oraaso/oraaso/product/10.2.0/db_1/network/log/listener_ssl.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTO =tcps)(HOST=x.x.x.x)(PORT=xxxx)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=x.x.x.x)(PORT=xxxx)))
ORA-28864: SSL connection closed gracefully
TNS-12560: TNS:protocol adapter error
TNS-28864: Message 28864 not found; product=network; facility=TNS
Compaq Tru64 UNIX Error: 542: Error 542 occurred.
LSNRCTL for Compaq Tru64 UNIX: Version 10.2.0.2.0 - Production on 05-OCT-2007 12:44:20
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Starting /oradbr/oraaso/oraaso/product/10.2.0/db_1/bin/tnslsnr: please wait...
TNSLSNR for Compaq Tru64 UNIX: Version 10.2.0.2.0 - Production
System parameter file is /etc/ORACLE/WALLETS/oraaso/listener.ora
Log messages written to /oradbr/oraaso/oraaso/product/10.2.0/db_1/network/log/listener_ssl.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTO =tcps)(HOST=x.x.x.x)(PORT=xxxx)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=x.x.x.x)(PORT=xxxx)))
ORA-28864: SSL connection closed gracefully
TNS-12560: TNS:protocol adapter error
TNS-28864: Message 28864 not found; product=network; facility=TNS
Compaq Tru64 UNIX Error: 542: Error 542 occurred.
Connecting to the database:
$ sqlplus /@orclssl
SQL*Plus: Release 10.2.0.2.0 - Production on Tue Oct 30 10:13:26 2007
Copyright (c) 1982, 2005, Oracle. All Rights Reserved.
ERROR:
ORA-28864: SSL connection closed gracefully
SQL*Plus: Release 10.2.0.2.0 - Production on Tue Oct 30 10:13:26 2007
Copyright (c) 1982, 2005, Oracle. All Rights Reserved.
ERROR:
ORA-28864: SSL connection closed gracefully
When tracing the listener we see:
[05-OCT-2007 14:09:10:274] nzossp_set_persona: Could not set Persona Certificate: NZ error 28885
[05-OCT-2007 14:09:10:275] nzossp_set_persona: exit
[05-OCT-2007 14:09:10:275] nzosSetCredential: Improper Credentials: NZ error 28885
[05-OCT-2007 14:09:10:275] nzosSetCredential: exit
[05-OCT-2007 14:09:10:275] ntzCreateConnection: Set credential failed with error 28885.
[05-OCT-2007 14:09:10:275] ntzCreateConnection: returning NZ error 28885 in result structure
[05-OCT-2007 14:09:10:275] ntzCreateConnection: failed with error 540
[05-OCT-2007 14:09:10:275] ntzCreateConnection: exit
[05-OCT-2007 14:09:10:276] ntzdisconnect: entry
[05-OCT-2007 14:09:10:277] ntzFreeNTZData: entry
[05-OCT-2007 14:09:10:277] ntzFreeNTZData: exit
[05-OCT-2007 14:09:10:277] nttdisc: entry
[05-OCT-2007 14:09:10:277] nttdisc: Closed socket 13
[05-OCT-2007 14:09:10:278] nttdisc: exit
[05-OCT-2007 14:09:10:278] ntzdisconnect: exit
[05-OCT-2007 14:09:10:278] ntzconnect: failed with error 540
[05-OCT-2007 14:09:10:278] ntzconnect: exit
[05-OCT-2007 14:09:10:278] nserror: entry
[05-OCT-2007 14:09:10:278] nserror: nsres: id=1, op=65, ns=12560, ns2=0; nt[0]=540, nt[1]=0, nt[2]=0; ora[0]=0, ora[1]=0, ora[2]=0
[05-OCT-2007 14:09:10:278] nsopen: unable to open transport
[05-OCT-2007 14:09:10:275] nzossp_set_persona: exit
[05-OCT-2007 14:09:10:275] nzosSetCredential: Improper Credentials: NZ error 28885
[05-OCT-2007 14:09:10:275] nzosSetCredential: exit
[05-OCT-2007 14:09:10:275] ntzCreateConnection: Set credential failed with error 28885.
[05-OCT-2007 14:09:10:275] ntzCreateConnection: returning NZ error 28885 in result structure
[05-OCT-2007 14:09:10:275] ntzCreateConnection: failed with error 540
[05-OCT-2007 14:09:10:275] ntzCreateConnection: exit
[05-OCT-2007 14:09:10:276] ntzdisconnect: entry
[05-OCT-2007 14:09:10:277] ntzFreeNTZData: entry
[05-OCT-2007 14:09:10:277] ntzFreeNTZData: exit
[05-OCT-2007 14:09:10:277] nttdisc: entry
[05-OCT-2007 14:09:10:277] nttdisc: Closed socket 13
[05-OCT-2007 14:09:10:278] nttdisc: exit
[05-OCT-2007 14:09:10:278] ntzdisconnect: exit
[05-OCT-2007 14:09:10:278] ntzconnect: failed with error 540
[05-OCT-2007 14:09:10:278] ntzconnect: exit
[05-OCT-2007 14:09:10:278] nserror: entry
[05-OCT-2007 14:09:10:278] nserror: nsres: id=1, op=65, ns=12560, ns2=0; nt[0]=540, nt[1]=0, nt[2]=0; ora[0]=0, ora[1]=0, ora[2]=0
[05-OCT-2007 14:09:10:278] nsopen: unable to open transport
Changes
Eventually a new SSL certificate has been installed on the server.
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Symptoms |
| Changes |
| Cause |
| (1) Restricted SSL server usage |
| (2) Conflicting key usage options |
| Solution |
| References |