# tnsnames.ora alias HRDB_SSL (presumably the "TLS on the TCPS port" scenario - confirm).
# PROTOCOL=TCPS requests a TLS-protected Oracle Net transport to hrdb.example.com:2484;
# the handshakes captured further down this page are what this address produces.
# WALLET_LOCATION names the client-side wallet directory consulted for this
# connection's TLS trust material (the wallet contents are not shown here).
# SERVICE_NAME=hrdb with a DEDICATED server process is ordinary connect data.
HRDB_SSL =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = hrdb.example.com)(PORT = 2484))
(SECURITY=(WALLET_LOCATION=/u01/app/oracle/tls))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = hrdb)
)
)
# Second definition of the HRDB_SSL alias (presumably an alternate scenario shown for
# comparison, not a duplicate entry in the same tnsnames.ora - confirm).
# NOTE(review): PROTOCOL=TCP on port 2484 opens a plaintext Oracle Net session; no TLS
# handshake is attempted, so the WALLET_LOCATION below should have no effect for this
# address, and a TCPS-only endpoint on 2484 will not accept the session.
HRDB_SSL =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = hrdb.example.com)(PORT = 2484))
(SECURITY=(WALLET_LOCATION=/u01/app/oracle/tls))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = hrdb)
)
)
cat $ORACLE_HOME/network/admin/listener.ora
# listener.ora (presumably the "TLS port declared as plain TCP" scenario - confirm).
# SSL_CLIENT_AUTHENTICATION = FALSE: one-way TLS - the listener presents its certificate
# but does not require a certificate from the client.
# Endpoints: plaintext TCP on 1521 (default listener port), the local IPC endpoint
# EXTPROC1521 for external procedures, and a third address on 2484.
# NOTE(review): 2484 is declared with PROTOCOL=TCP here, so a client alias using TCPS on
# 2484 will not get a TLS handshake from this endpoint - confirm this is intentional.
# SECURITY/WALLET_LOCATION is the server wallet holding the listener's certificate and
# private key (contents not shown); only meaningful for a TCPS address.
SSL_CLIENT_AUTHENTICATION = FALSE
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = hrdb.example.com)(PORT = 1521))
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
(ADDRESS = (PROTOCOL = TCP)(HOST = hrdb.example.com)(PORT = 2484))
(SECURITY=(WALLET_LOCATION=/u01/app/oracle/19c/wallet_root/tls))
)
)
# Diagnostic (ADR) base for listener logs and traces - where a failed TLS handshake
# would be traced on the server side.
ADR_BASE_LISTENER = /u01/app/oracle/19c
cat $ORACLE_HOME/network/admin/listener.ora
# listener.ora (presumably the "TLS endpoint on the wrong port" scenario - confirm).
# SSL_CLIENT_AUTHENTICATION = FALSE: one-way TLS, no client certificate requested.
# NOTE(review): the TCPS endpoint is bound to port 9999, not 2484. A client alias or a
# capture filter aimed at 2484 (as elsewhere on this page) will not reach this endpoint;
# nothing on 2484 is listening here.
# SECURITY/WALLET_LOCATION is the server wallet for the TCPS address (contents not shown).
SSL_CLIENT_AUTHENTICATION = FALSE
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = hrdb.example.com)(PORT = 1521))
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
(ADDRESS = (PROTOCOL = TCPS)(HOST = hrdb.example.com)(PORT = 9999))
(SECURITY=(WALLET_LOCATION=/u01/app/oracle/19c/wallet_root/tls))
)
)
# Diagnostic (ADR) base for listener logs and traces.
ADR_BASE_LISTENER = /u01/app/oracle/19c
cat $ORACLE_HOME/network/admin/listener.ora
# listener.ora (presumably the "TLS endpoint on the wrong host" scenario - confirm).
# SSL_CLIENT_AUTHENTICATION = FALSE: one-way TLS, no client certificate requested.
# NOTE(review): HOST in a listener ADDRESS is the address the listener binds to. The
# TCPS address names wronghost.example.com while the other endpoints use
# hrdb.example.com; unless that name resolves to a local interface the TCPS endpoint
# is not available on this host, and clients connecting to hrdb.example.com:2484 will
# find nothing listening - confirm against the listener log under ADR_BASE_LISTENER.
# SECURITY/WALLET_LOCATION is the server wallet for the TCPS address (contents not shown).
SSL_CLIENT_AUTHENTICATION = FALSE
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = hrdb.example.com)(PORT = 1521))
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
(ADDRESS = (PROTOCOL = TCPS)(HOST = wronghost.example.com)(PORT = 2484))
(SECURITY=(WALLET_LOCATION=/u01/app/oracle/19c/wallet_root/tls))
)
)
# Diagnostic (ADR) base for listener logs and traces.
ADR_BASE_LISTENER = /u01/app/oracle/19c
# Install tshark (the Wireshark CLI) for a quick look at the TLS handshake.
sudo yum install -y wireshark
# Background capture (&) on all interfaces for 20 s, decoding port 2484 as TLS (-d),
# with the verbose output (-V) reduced to ClientHello/ServerHello versions, offered and
# chosen cipher suites and record-layer summaries, then relabelled by sed for readability.
# Capture errors are discarded (2> /dev/null). Only handshake metadata is shown - the
# application data stays encrypted, and running as root is needed for the capture itself.
sudo tshark -i any -d "tcp.port==2484,ssl" -V -a duration:20 2> /dev/null | egrep "Cipher Suites \(|Cipher Suite:|^ Version: |SSL Record Layer: Handshake Protocol: Client Hello|Handshake Protocol: Server Hello|Record Layer"| uniq | sed -e "s/(0x.*)//g" -e "s/.*SSL Record Layer: Handshake Protocol: Client Hello/Client requested:/g" -e "s/.*Version:/ Protocol Version:/g" -e "s/.*Cipher Suites / Cipher Suites Requested:/g" -e "s/.*Handshake Protocol: Server Hello/Server replied with:/g" |egrep -v "Server replied with: Done" &
[1] 91106
sqlplus system/Oracle123@hrdb_ssl
SQL*Plus: Release 19.0.0.0.0 - Production on Wed Nov 6 10:54:52 2024
Version 19.25.0.0.0
Copyright (c) 1982, 2024, Oracle. All rights reserved.
ERROR:
ORA-28860: Fatal SSL error
Enter user-name: ^C
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Protocol Version: TLS 1.2
Cipher Suites Requested:(25 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Server replied with:
Server replied with:
Protocol Version: TLS 1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLSv1.2 Record Layer: Handshake Protocol: Certificate
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
TLSv1.2 Record Layer: Handshake Protocol: Certificate
TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
TLSv1 Record Layer: Handshake Protocol: Client Hello
Protocol Version: TLS 1.2
Cipher Suites Requested:(6 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
Server replied with:
Protocol Version: TLS 1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
cat $ORACLE_HOME/network/admin/sqlnet.ora
# sqlnet.ora from the same ORACLE_HOME as the listener, so it is read by both the
# client (sqlplus) and the server-side processes on this host.
# AUTHENTICATION_SERVICES: TCPS allows certificate-based (TLS) authentication; NTS is
# the OS-native method and BEQ the bequeath (local) method.
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
# One-way TLS: no client certificate is requested.
SSL_CLIENT_AUTHENTICATION = FALSE
# Pins the protocol to TLS 1.2, which matches the captures above.
SSL_VERSION = 1.2
# Restricts the cipher suites to these two. Both use static RSA key exchange (no forward
# secrecy) and SSL_RSA_WITH_3DES_EDE_CBC_SHA is a deprecated 64-bit block cipher; prefer
# ECDHE + AES-GCM suites such as the one negotiated in the captures above. Whatever the
# list, the peer must offer at least one common suite or the handshake fails.
# NOTE(review): SSL_SERVER_DN_MATCH is not set in this file, so whether the client checks
# the server certificate's DN against the host depends on the release default - confirm.
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
# Same background handshake capture as above, now limited to 5 s: decode port 2484 as TLS,
# keep only the ClientHello/ServerHello versions, cipher suites and record-layer lines,
# relabel them with sed, and discard capture errors.
sudo tshark -i any -d "tcp.port==2484,ssl" -V -a duration:5 2> /dev/null | egrep "Cipher Suites \(|Cipher Suite:|^ Version: |SSL Record Layer: Handshake Protocol: Client Hello|Handshake Protocol: Server Hello|Record Layer"| uniq | sed -e "s/(0x.*)//g" -e "s/.*SSL Record Layer: Handshake Protocol: Client Hello/Client requested:/g" -e "s/.*Version:/ Protocol Version:/g" -e "s/.*Cipher Suites / Cipher Suites Requested:/g" -e "s/.*Handshake Protocol: Server Hello/Server replied with:/g" |egrep -v "Server replied with: Done" &
[1] 92079
sqlplus system/Oracle123@hrdb_ssl
SQL*Plus: Release 19.0.0.0.0 - Production on Wed Nov 6 11:16:21 2024
Version 19.25.0.0.0
Copyright (c) 1982, 2024, Oracle. All rights reserved.
ERROR:
ORA-28860: Fatal SSL error
Enter user-name: ^C
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Protocol Version: TLS 1.2
Cipher Suites Requested:(2 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Server replied with:
Server replied with:
Protocol Version: TLS 1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLSv1.2 Record Layer: Handshake Protocol: Certificate
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
TLSv1.2 Record Layer: Application Data Protocol: Application Data
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
# Stage the TLS wallet into a per-container directory under WALLET_ROOT. The
# 32-hex-digit directory name is presumably the target PDB's GUID - confirm against
# the PDB before relying on it.
mkdir -p $WALLET_ROOT/26471EC7099D0530E0635D00000A3BC3/tls
# ewallet.p12 is the password-protected wallet; cwallet.sso is its auto-login
# (passwordless) counterpart, so the copies hold usable key material and must keep
# the same restrictive ownership and permissions as the originals (cp does not
# preserve them unless asked to).
cp $WALLET_ROOT/tls/ewallet.p12 $WALLET_ROOT/26471EC7099D0530E0635D00000A3BC3/tls
cp $WALLET_ROOT/tls/cwallet.sso $WALLET_ROOT/26471EC7099D0530E0635D00000A3BC3/tls