My Oracle Support Banner

ORA-28864: SSL Connection Closed Gracefully on Starting Listener / Connecting to Database (Doc ID 467142.1)

Last updated on FEBRUARY 03, 2019

Applies to:

Advanced Networking Option - Version 9.0.1 to 10.2.0
Information in this document applies to any platform.
Checked for relevance on 22-Apr-2013


Symptoms

We got a listener configured with SSL authentication but we get an "SSL  connection closed gracefully" error, either when starting the listener / querying listener status or when trying to connect to the database.

Starting the listener:

$ lsnrctl start LISTENER_SSL

LSNRCTL for Compaq Tru64 UNIX: Version 10.2.0.2.0 - Production on 05-OCT-2007 12:44:20

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Starting /oradbr/oraaso/oraaso/product/10.2.0/db_1/bin/tnslsnr: please wait...

TNSLSNR for Compaq Tru64 UNIX: Version 10.2.0.2.0 - Production
System parameter file is /etc/ORACLE/WALLETS/oraaso/listener.ora
Log messages written to /oradbr/oraaso/oraaso/product/10.2.0/db_1/network/log/listener_ssl.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTO   =tcps)(HOST=x.x.x.x)(PORT=xxxx)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=x.x.x.x)(PORT=xxxx)))
ORA-28864: SSL connection closed gracefully
TNS-12560: TNS:protocol adapter error
  TNS-28864: Message 28864 not found;  product=network; facility=TNS

   Compaq Tru64 UNIX Error: 542: Error 542 occurred.


Connecting to the database:

$ sqlplus /@orclssl

SQL*Plus: Release 10.2.0.2.0 - Production on Tue Oct 30 10:13:26 2007

Copyright (c) 1982, 2005, Oracle. All Rights Reserved.

ERROR:
ORA-28864: SSL connection closed gracefully



When tracing the listener we see:

[05-OCT-2007 14:09:10:274] nzossp_set_persona: Could not set Persona Certificate: NZ error 28885
[05-OCT-2007 14:09:10:275] nzossp_set_persona: exit
[05-OCT-2007 14:09:10:275] nzosSetCredential: Improper Credentials: NZ error 28885
[05-OCT-2007 14:09:10:275] nzosSetCredential: exit
[05-OCT-2007 14:09:10:275] ntzCreateConnection: Set credential failed with error 28885.
[05-OCT-2007 14:09:10:275] ntzCreateConnection: returning NZ error 28885 in result structure
[05-OCT-2007 14:09:10:275] ntzCreateConnection: failed with error 540
[05-OCT-2007 14:09:10:275] ntzCreateConnection: exit
[05-OCT-2007 14:09:10:276] ntzdisconnect: entry
[05-OCT-2007 14:09:10:277] ntzFreeNTZData: entry
[05-OCT-2007 14:09:10:277] ntzFreeNTZData: exit
[05-OCT-2007 14:09:10:277] nttdisc: entry
[05-OCT-2007 14:09:10:277] nttdisc: Closed socket 13
[05-OCT-2007 14:09:10:278] nttdisc: exit
[05-OCT-2007 14:09:10:278] ntzdisconnect: exit
[05-OCT-2007 14:09:10:278] ntzconnect: failed with error 540
[05-OCT-2007 14:09:10:278] ntzconnect: exit
[05-OCT-2007 14:09:10:278] nserror: entry
[05-OCT-2007 14:09:10:278] nserror: nsres: id=1, op=65, ns=12560, ns2=0; nt[0]=540, nt[1]=0, nt[2]=0; ora[0]=0, ora[1]=0, ora[2]=0
[05-OCT-2007 14:09:10:278] nsopen: unable to open transport



Changes

Eventually a new SSL certificate has been installed on the server.

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Changes
Cause
 (1) Restricted SSL server usage
 (2) Conflicting key usage options
Solution
References

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.