ORA-28864: SSL Connection Closed Gracefully on Starting Listener / Connecting to Database
(Doc ID 467142.1)
Last updated on MARCH 13, 2019
Applies to:
Advanced Networking Option - Version 9.0.1 to 10.2.0Information in this document applies to any platform.
Checked for relevance on 22-Apr-2013
Symptoms
NOTE: In the images and/or the document content below, the user information and data used represents fictitious data from the Oracle sample schema(s) or Public Documentation delivered with an Oracle database product. Any similarity to actual persons, living or dead, is purely coincidental and not intended in any manner.
We got a listener configured with SSL authentication but we get an "SSL connection closed gracefully" error, either when starting the listener / querying listener status or when trying to connect to the database.
Starting the listener:
$ lsnrctl start LISTENER_SSL
LSNRCTL for Compaq Tru64 UNIX: Version 10.2.0.2.0 - Production on <DATE> 12:44:20
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Starting <DB_HOME>/bin/tnslsnr: please wait...
TNSLSNR for Compaq Tru64 UNIX: Version 10.2.0.2.0 - Production
System parameter file is <PATH>/listener.ora
Log messages written to <PATH>/network/log/listener_ssl.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTO =tcps)(HOST=x.x.x.x)(PORT=xxxx)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=x.x.x.x)(PORT=xxxx)))
ORA-28864: SSL connection closed gracefully
TNS-12560: TNS:protocol adapter error
TNS-28864: Message 28864 not found; product=network; facility=TNS
Compaq Tru64 UNIX Error: 542: Error 542 occurred.
LSNRCTL for Compaq Tru64 UNIX: Version 10.2.0.2.0 - Production on <DATE> 12:44:20
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Starting <DB_HOME>/bin/tnslsnr: please wait...
TNSLSNR for Compaq Tru64 UNIX: Version 10.2.0.2.0 - Production
System parameter file is <PATH>/listener.ora
Log messages written to <PATH>/network/log/listener_ssl.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTO =tcps)(HOST=x.x.x.x)(PORT=xxxx)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=x.x.x.x)(PORT=xxxx)))
ORA-28864: SSL connection closed gracefully
TNS-12560: TNS:protocol adapter error
TNS-28864: Message 28864 not found; product=network; facility=TNS
Compaq Tru64 UNIX Error: 542: Error 542 occurred.
Connecting to the database:
$ sqlplus /@orclssl
SQL*Plus: Release 10.2.0.2.0 - Production on Tue Oct 30 10:13:26 2007
Copyright (c) 1982, 2005, Oracle. All Rights Reserved.
ERROR:
ORA-28864: SSL connection closed gracefully
SQL*Plus: Release 10.2.0.2.0 - Production on Tue Oct 30 10:13:26 2007
Copyright (c) 1982, 2005, Oracle. All Rights Reserved.
ERROR:
ORA-28864: SSL connection closed gracefully
When tracing the listener we see:
[<DATE> 14:09:10:274] nzossp_set_persona: Could not set Persona Certificate: NZ error 28885
[<DATE> 14:09:10:275] nzossp_set_persona: exit
[<DATE> 14:09:10:275] nzosSetCredential: Improper Credentials: NZ error 28885
[<DATE> 14:09:10:275] nzosSetCredential: exit
[<DATE> 14:09:10:275] ntzCreateConnection: Set credential failed with error 28885.
[<DATE> 14:09:10:275] ntzCreateConnection: returning NZ error 28885 in result structure
[<DATE> 14:09:10:275] ntzCreateConnection: failed with error 540
[<DATE> 14:09:10:275] ntzCreateConnection: exit
[<DATE> 14:09:10:276] ntzdisconnect: entry
[<DATE> 14:09:10:277] ntzFreeNTZData: entry
[<DATE> 14:09:10:277] ntzFreeNTZData: exit
[<DATE> 14:09:10:277] nttdisc: entry
[<DATE> 14:09:10:277] nttdisc: Closed socket xx
[<DATE> 14:09:10:278] nttdisc: exit
[<DATE> 14:09:10:278] ntzdisconnect: exit
[<DATE> 14:09:10:278] ntzconnect: failed with error 540
[<DATE> 14:09:10:278] ntzconnect: exit
[<DATE> 14:09:10:278] nserror: entry
[<DATE> 14:09:10:278] nserror: nsres: id=1, op=65, ns=xxx, ns2=0; nt[0]=540, nt[1]=0, nt[2]=0; ora[0]=0, ora[1]=0, ora[2]=0
[<DATE> 14:09:10:278] nsopen: unable to open transport
[<DATE> 14:09:10:275] nzossp_set_persona: exit
[<DATE> 14:09:10:275] nzosSetCredential: Improper Credentials: NZ error 28885
[<DATE> 14:09:10:275] nzosSetCredential: exit
[<DATE> 14:09:10:275] ntzCreateConnection: Set credential failed with error 28885.
[<DATE> 14:09:10:275] ntzCreateConnection: returning NZ error 28885 in result structure
[<DATE> 14:09:10:275] ntzCreateConnection: failed with error 540
[<DATE> 14:09:10:275] ntzCreateConnection: exit
[<DATE> 14:09:10:276] ntzdisconnect: entry
[<DATE> 14:09:10:277] ntzFreeNTZData: entry
[<DATE> 14:09:10:277] ntzFreeNTZData: exit
[<DATE> 14:09:10:277] nttdisc: entry
[<DATE> 14:09:10:277] nttdisc: Closed socket xx
[<DATE> 14:09:10:278] nttdisc: exit
[<DATE> 14:09:10:278] ntzdisconnect: exit
[<DATE> 14:09:10:278] ntzconnect: failed with error 540
[<DATE> 14:09:10:278] ntzconnect: exit
[<DATE> 14:09:10:278] nserror: entry
[<DATE> 14:09:10:278] nserror: nsres: id=1, op=65, ns=xxx, ns2=0; nt[0]=540, nt[1]=0, nt[2]=0; ora[0]=0, ora[1]=0, ora[2]=0
[<DATE> 14:09:10:278] nsopen: unable to open transport
Changes
Eventually a new SSL certificate has been installed on the server.
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Symptoms |
| Changes |
| Cause |
| (1) Restricted SSL server usage |
| (2) Conflicting key usage options |
| Solution |
| References |