My Oracle Support Banner

ORA-28864: SSL Connection Closed Gracefully on Starting Listener / Connecting to Database (Doc ID 467142.1)

Last updated on MARCH 13, 2019

Applies to:

Advanced Networking Option - Version 9.0.1 to 10.2.0
Information in this document applies to any platform.
Checked for relevance on 22-Apr-2013


Symptoms

NOTE: In the images and/or the document content below, the user information and data used represents fictitious data from the Oracle sample schema(s) or Public Documentation delivered with an Oracle database product. Any similarity to actual persons, living or dead, is purely coincidental and not intended in any manner. 

 

We got a listener configured with SSL authentication but we get an "SSL  connection closed gracefully" error, either when starting the listener / querying listener status or when trying to connect to the database.

Starting the listener:

$ lsnrctl start LISTENER_SSL

LSNRCTL for Compaq Tru64 UNIX: Version 10.2.0.2.0 - Production on <DATE> 12:44:20

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Starting <DB_HOME>/bin/tnslsnr: please wait...

TNSLSNR for Compaq Tru64 UNIX: Version 10.2.0.2.0 - Production
System parameter file is <PATH>/listener.ora
Log messages written to <PATH>/network/log/listener_ssl.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTO   =tcps)(HOST=x.x.x.x)(PORT=xxxx)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=x.x.x.x)(PORT=xxxx)))
ORA-28864: SSL connection closed gracefully
TNS-12560: TNS:protocol adapter error
  TNS-28864: Message 28864 not found;  product=network; facility=TNS

   Compaq Tru64 UNIX Error: 542: Error 542 occurred.


Connecting to the database:

$ sqlplus /@orclssl

SQL*Plus: Release 10.2.0.2.0 - Production on Tue Oct 30 10:13:26 2007

Copyright (c) 1982, 2005, Oracle. All Rights Reserved.

ERROR:
ORA-28864: SSL connection closed gracefully



When tracing the listener we see:

[<DATE> 14:09:10:274] nzossp_set_persona: Could not set Persona Certificate: NZ error 28885
[<DATE> 14:09:10:275] nzossp_set_persona: exit
[<DATE> 14:09:10:275] nzosSetCredential: Improper Credentials: NZ error 28885
[<DATE> 14:09:10:275] nzosSetCredential: exit
[<DATE> 14:09:10:275] ntzCreateConnection: Set credential failed with error 28885.
[<DATE> 14:09:10:275] ntzCreateConnection: returning NZ error 28885 in result structure
[<DATE> 14:09:10:275] ntzCreateConnection: failed with error 540
[<DATE> 14:09:10:275] ntzCreateConnection: exit
[<DATE> 14:09:10:276] ntzdisconnect: entry
[<DATE> 14:09:10:277] ntzFreeNTZData: entry
[<DATE> 14:09:10:277] ntzFreeNTZData: exit
[<DATE> 14:09:10:277] nttdisc: entry
[<DATE> 14:09:10:277] nttdisc: Closed socket xx
[<DATE> 14:09:10:278] nttdisc: exit
[<DATE> 14:09:10:278] ntzdisconnect: exit
[<DATE> 14:09:10:278] ntzconnect: failed with error 540
[<DATE> 14:09:10:278] ntzconnect: exit
[<DATE> 14:09:10:278] nserror: entry
[<DATE> 14:09:10:278] nserror: nsres: id=1, op=65, ns=xxx, ns2=0; nt[0]=540, nt[1]=0, nt[2]=0; ora[0]=0, ora[1]=0, ora[2]=0
[<DATE> 14:09:10:278] nsopen: unable to open transport



Changes

Eventually a new SSL certificate has been installed on the server.

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Changes
Cause
 (1) Restricted SSL server usage
 (2) Conflicting key usage options
Solution
References

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.