Oracle JDBC瘦驱动程序SSL
我正在尝试为oracle jdbc配置SSL,我正在关注文档http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf
我在自己的机器上有oracle服务器和客户端。 这是POC。
我使用案例#1仅使用SSL进行加密。 我的listener.ora看起来像
LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521)) (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)) (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484)) ) ) WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=C:\app\xxx\product\11.2.0\dbhome_2\server))) SSL_CLIENT_AUTHENTICATION=FALSE
我的sqlnet.ora看起来像
SQLNET.AUTHENTICATION_SERVICES= (NTS) NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT) WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=C:\app\Priya\product\11.2.0\dbhome_2\server))) SSL_CLIENT_AUTHENTICATION=FALSE
我在oracle服务器上的tnsnames.ora
ORCL = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = orcl) ) (SECURITY=(SSL_SERVER_CERT_DN="CN=SERVER_TEST,C=US")) )
我甚至更新了客户端上的tnsnames.ora
ORCL = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = orcl) ) (SECURITY=(SSL_SERVER_CERT_DN="CN=SERVER_TEST,C=US")) )
我的Java.security
security.provider.10 = oracle.security.pki.OraclePKIProvider
我使用orapki实用程序创建了服务器钱包自动登录。
我的示例代码:
String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))"; System.out.println("set properties"); Properties props = new Properties(); props.setProperty("user", "XXXXX"); props.setProperty("password", "XXXXX"); props.setProperty("oracle.net.ssl_cipher_suites", "(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, " + "SSL_DH_anon_WITH_RC4_128_MD5," + "SSL_DH_anon_WITH_DES_CBC_SHA)"); System.out.println("get connection"); Connection con = DriverManager.getConnection(url, props); System.out.println("got a connection"); Statement stmt = con.createStatement(); ResultSet rs = stmt.executeQuery("select sysdate from dual"); while (rs.next()) { System.out.println("result = "+rs.getString(1)); } rs.close(); stmt.close(); con.close();
并且我得到以下错误:
set properties get connection trustStore is: C:\Program Files (x86)\Java\jdk1.6.0_45\jre\lib\security\cacerts trustStore type is : jks trustStore provider is : init truststore adding as trusted cert: Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH Issuer: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH Algorithm: RSA; Serial number: 0x4eb200670c035d4f Valid from Wed Oct 25 04:36:00 EDT 2006 until Sat Oct 25 04:36:00 EDT 2036 ............... ............. trigger seeding of SecureRandom done seeding SecureRandom Allow unsafe renegotiation: false Allow legacy hello messages: true Is initial handshake: true Is secure renegotiation: false Allow unsafe renegotiation: false Allow legacy hello messages: true Is initial handshake: true Is secure renegotiation: false %% No cached client session *** ClientHello, TLSv1 RandomCookie: GMT: 1441881635 bytes = { 236, 186, 144, 113, 184, 49, 37, 30, 105, 22, 80, 151, 167, 186, 10, 227, 160, 97, 62, 9, 21, 123, 5, 153, 25, 55, 40, 140 } Session ID: {} Cipher Suites: [SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA] Compression Methods: { 0 } Extension renegotiation_info, renegotiated_connection: *** [write] MD5 and SHA1 hashes: len = 56 0000: 01 00 00 34 03 01 56 F1 5E 23 EC BA 90 71 B8 31 ...4..V.^#...q.1 0010: 25 1E 69 16 50 97 A7 BA 0A E3 A0 61 3E 09 15 7B %.iP.....a>... 0020: 05 99 19 37 28 8C 00 00 06 00 1B 00 18 00 1A 01 ...7(........... 0030: 00 00 05 FF 01 00 01 00 ........ main, WRITE: TLSv1 Handshake, length = 56 [write] MD5 and SHA1 hashes: len = 53 0000: 01 03 01 00 0C 00 00 00 20 00 00 1B 00 00 18 00 ........ ....... 0010: 00 1A 00 00 FF 56 F1 5E 23 EC BA 90 71 B8 31 25 .....V.^#...q.1% 0020: 1E 69 16 50 97 A7 BA 0A E3 A0 61 3E 09 15 7B 05 .iP.....a>.... 0030: 99 19 37 28 8C ..7(. main, WRITE: SSLv2 client hello message, length = 53 [Raw write]: length = 55 0000: 80 35 01 03 01 00 0C 00 00 00 20 00 00 1B 00 00 .5........ ..... 0010: 18 00 00 1A 00 00 FF 56 F1 5E 23 EC BA 90 71 B8 .......V.^#...q. 0020: 31 25 1E 69 16 50 97 A7 BA 0A E3 A0 61 3E 09 15 1%.iP.....a>.. 0030: 7B 05 99 19 37 28 8C ....7(. main, handling exception: java.net.SocketException: Software caused connection abort: recv failed main, SEND TLSv1 ALERT: fatal, description = unexpected_message main, WRITE: TLSv1 Alert, length = 2 main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error main, called closeSocket() main, called close() main, called closeInternal(true) Exception in thread "main" java.sql.SQLRecoverableException: IO Error: Software caused connection abort: recv failed at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:752) at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:657) at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32) at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:560) at java.sql.DriverManager.getConnection(DriverManager.java:582) at java.sql.DriverManager.getConnection(DriverManager.java:154) at tr.com.pos.genius.background.Test.main(Test.java:75) Caused by: java.net.SocketException: Software caused connection abort: recv failed at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.read(SocketInputStream.java:129) at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:422) at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:460) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654) at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100) at oracle.net.ns.Packet.send(Packet.java:419) at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:241) at oracle.net.ns.NSProtocolStream.negotiateConnection(NSProtocolStream.java:157) at oracle.net.ns.NSProtocol.connect(NSProtocol.java:264) at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1452) at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:496) ... 6 more
我使用的是java 6和Oracle 11g, ojdbc6.jar 。
我是SSL的新手。 任何指针或建议都会有所帮助。
我认为您收到此错误是因为客户端发送的SSLv2 client hello端SSLv2 client hello已在服务器中禁用。 因此服务器立即中止握手。 尝试设置此属性以强制使用TLSv1.0,这将阻止客户端发送此SSLv2 client hello 。
props.setProperty("oracle.net.ssl_version", "1.0");
请注意,在Oracle 12c中已禁用匿名密码套件,因此您应该避免使用它们(是的,您在问题中引用的白皮书有点过时)。