Certificate sent by the other side could not be validated - Oracle Wallet - sql

I have written following code in PL/SQL for calling 3rd party APIs from Oracle 11g.
DECLARE
-- declarations the posted snippet used but did not show; sizes are placeholders
l_http_request UTL_HTTP.req;
l_http_response UTL_HTTP.resp;
l_response_text VARCHAR2(32767);
t_request_body VARCHAR2(32767) := '{}';
BEGIN
-- preparing Request...
l_http_request := UTL_HTTP.begin_request ('https://www..........'
, 'GET'
, 'HTTP/1.1');
-- set header's attributes...
UTL_HTTP.set_header(l_http_request, 'Content-Type', 'application/json');
UTL_HTTP.set_header(l_http_request, 'Content-Length', LENGTH(t_request_body));
UTL_HTTP.set_header(l_http_request, 'Api-Key','..............');
-- get Response and obtain received value
l_http_response := UTL_HTTP.get_response(l_http_request);
UTL_HTTP.read_text(l_http_response, l_response_text);
-- release the connection once the body has been read
UTL_HTTP.end_response(l_http_response);
END;
When I run this code I'm getting the following error:
Error report:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1130
ORA-29024: Certificate validation failure
ORA-06512: at line 13
29273. 00000 - "HTTP request failed"
*Cause: The UTL_HTTP package failed to execute the HTTP request.
*Action: Use get_detailed_sqlerrm to check the detailed error message.
Fix the error and retry the HTTP request.
I figured out that this is caused by the 'https' protocol. So I downloaded all relevant certificates and then handed them over to our DB team. Though they have configured the Oracle wallet with these certificates, we are still getting the same error report.
Any thoughts?
UPDATE:
I've added the following code as the very first lines in the begin block...
UTL_HTTP.SET_DETAILED_EXCP_SUPPORT(TRUE);
UTL_HTTP.SET_WALLET('file:/../wallet','pwd.....' );
But now it gives the following exception, "Certificate is invalid", though the certificate sender confirms its validity. The validity can also be confirmed by looking at this external SSL checker: https://www.sslshopper.com.
Error report:
ORA-29024: Certificate validation failure
ORA-06512: at "SYS.UTL_HTTP", line 1128
ORA-06512: at line 16
29024. 00000 - "Certificate validation failure"
*Cause: The certificate sent by the other side could not be validated. This may occur if
the certificate has expired, has been revoked, or is invalid for another reason.
*Action: Check the certificate to determine whether it is valid. Obtain a new certificate,
alert the sender that there certificate has failed, or resend.
Please note that I've tried all formats of certificate files (Base-64 encoded / PKCS#7 etc.) as explained in http://oracle-base.com/articles/misc/utl_http-and-ssl.php
Any thoughts?

Personally, I find it a pain to load the certificates of each and every website you want to access in an Oracle Wallet (which is probably why you're getting the error: you need to install the certificates and chains of the website you're trying to access into the Wallet).
The easiest thing to do is install stunnel https://www.stunnel.org/index.html
Configure stunnel to listen for incoming connections on a local port such as 8800 and then make an outbound connection to somesite.com:443.
Something like this:
1. oracle issues a get as: http://localhost:8080/index.html
2. stunnel intercepts the request and gets https://somesite.com/index.html
3. stunnel gives results to oracle
This allows Oracle to communicate via http to stunnel, then stunnel communicates to https://somesite.com and delivers the data back to oracle on port 80.
This completely bypasses the Oracle Wallet.
Although this is not a direct answer to your question, it surely solves the many, many issues with Oracle Wallet and in my opinion is the best solution.
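As an added illustration (not part of the answer above, and not from the stunnel project): the minimal client-mode stunnel.conf the answer describes, followed by the same tunnel with server certificate verification enabled. Without the verify options stunnel accepts whatever certificate somesite.com presents, so the Wallet problem is not solved but replaced by no validation at all. The hostname, ports and CA bundle path are assumed placeholders; the option names are those of stunnel 5.x.

```ini
; stunnel.conf, client mode: Oracle sends plain HTTP to 127.0.0.1:8080,
; stunnel opens the TLS connection to somesite.com:443 (placeholder host).
; WEAK: no verify* option, so any certificate from the far side is accepted.
[api-noverify]
client = yes
accept = 127.0.0.1:8080
connect = somesite.com:443

; HARDENED: same tunnel on 127.0.0.1:8081, but the presented chain is
; validated against a CA bundle (path is an assumption for this example)
; and the certificate must match the host name. stunnel 5.x option names.
[api-verified]
client = yes
accept = 127.0.0.1:8081
connect = somesite.com:443
sni = somesite.com
verifyChain = yes
checkHost = somesite.com
CAfile = /etc/pki/tls/certs/ca-bundle.crt
```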

Related

Facing Unknown SSL error oracle 11g after Adding certificates in oracle wallet

I want to call an API so that I can integrate an SMS gateway into my application. For that purpose the steps will be:
1. Get the certificates
2. Create a wallet
3. Add certificates to the wallet
4. Create an ACL
Certificates have been added to the wallet. The command below verifies the saved certificates.
F:\cert>orapki wallet display -wallet F:/cert
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
Created the ACL.
BEGIN
DBMS_NETWORK_ACL_ADMIN.CREATE_ACL('www.xml', 'WWW ACL', 'SCOTT', TRUE, 'connect');
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE('www.xml', 'SCOTT', TRUE, 'resolve');
-- All
DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL('www.xml', '*');
END;
commit;
The procedure I am using for HTTP connection along with wallet
CREATE OR REPLACE PROCEDURE GET_SESSION_ID (url VARCHAR2) AS
request UTL_HTTP.REQ;
response UTL_HTTP.RESP;
BEGIN
UTL_HTTP.set_wallet('file:F:/cert', 'mypassword');
DBMS_OUTPUT.PUT_LINE(url);
UTL_HTTP.SET_RESPONSE_ERROR_CHECK(FALSE);
request := UTL_HTTP.BEGIN_REQUEST(url, 'GET');
UTL_HTTP.SET_HEADER(request, 'User-Agent', 'Mozilla/4.0');
response := UTL_HTTP.GET_RESPONSE(request);
DBMS_OUTPUT.PUT_LINE('HTTP response status code: ' || response.status_code);
-- close the response so the connection is released
UTL_HTTP.END_RESPONSE(response);
END GET_SESSION_ID;
but I'm getting the error:
Error report -
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1130
ORA-28857: Unknown SSL error
ORA-06512: at "SCOTT.GET_SESSION_ID", line 11
ORA-06512: at line 9
29273. 00000 - "HTTP request failed"
*Cause: The UTL_HTTP package failed to execute the HTTP request.
*Action: Use get_detailed_sqlerrm to check the detailed error message.
Fix the error and retry the HTTP request.
Please help!

ReviewBoard SSLV3_ALERT_HANDSHAKE_FAILURE

When I try "rbt post" I get this error "ERROR: Could not reach the Review Board server at http://reviewboard.company.com/: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)"
If it is an internal company FQDN, try to find out whether you are requesting over a company proxy. If so, delete your proxy environment variables and try again.

ERROR: Fetching the page failed because other errors. Twitter Cards Issue

When I go to https://cards-dev.twitter.com/validator and enter https://piktoria.com/blog/instagram-to-drive-sales/ or adlatch.com, the validator says:
Unable to render Card preview
ERROR: Fetching the page failed because other errors.
Because of that, when I share anything on Twitter I don't get any snippets. I tried Twitter support and they say:
"There's something wrong with your SSL setup - I am seeing SslHandshakeException: handshake alert: unrecognized_name at remote address in my debug log which I suspect means that your server name does not match the certificate, or something similar."
Can anyone help in solving this issue?
This problem happened to me also, but I managed to fix it when Twitter told me to check the SSL settings.
I got the point: the problem was with AES256 and AES128 (for the Nginx web server). You need to enable AES128.
Here is the snippet:
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384!AES128:!3DES';
As you see in the snippet, AES128 is disabled (!).
You need to remove the ! from AES128, so the code will be:
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:!3DES';
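As an added example (not from the answer above), the following Python uses the standard ssl module's OpenSSL bindings to expand both posted ssl_ciphers strings exactly as written and report which AES128 suites each one really enables, plus which names OpenSSL silently ignores. It runs offline and needs no nginx.

```python
import ssl

# Cipher strings copied from the answer above: BEFORE excludes AES128 (!AES128),
# AFTER re-enables it. Both are reproduced exactly as posted.
BEFORE = ("ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:"
          "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
          "ECDHE-RSA-AES256-SHA384!AES128:!3DES")
AFTER = ("ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:"
         "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
         "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
         "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
         "ECDHE-ECDSA-AES128-GCM-SHA256:!3DES")


def enabled_suites(spec):
    """Expand an nginx ssl_ciphers string the way OpenSSL does and return the
    TLS 1.2-and-below suite names it really enables. TLS 1.3 suites are
    configured separately by OpenSSL, so they are skipped; an unparsable
    string yields []."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def aes128_suites(spec):
    """AES128 suites a client such as the Twitter card fetcher could negotiate."""
    return [name for name in enabled_suites(spec) if "AES128" in name]


def unknown_names(spec):
    """Additive cipher names OpenSSL does not recognise. OpenSSL drops them
    silently, so a suite that never existed (ECDHE-RSA-AES256-GCM-SHA512)
    passes 'nginx -t' and just contributes nothing to the list."""
    unknown = []
    for token in spec.split(":"):
        # skip kill/delete rules and the glued '...SHA384!AES128' token
        if not token or token[0] in "!-+" or "!" in token:
            continue
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(token)
        except ssl.SSLError:
            unknown.append(token)
    return unknown
```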
This post might be a bit old, but you can also get this error due to a different TLS configuration.
When I looked into my webserver error logs, I encountered the following error:
2021/05/12 19:41:31 [crit] 16585#16585: *44673 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: X.X.X.X, server: X.X.X.X:443
It looks like Twitter, as of now, does not support TLSv1.3 for getting the cards, and the solution is to also enable TLSv1.2. If you use the intermediate configuration from Mozilla's ssl-config tool, that is good enough.
See https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.6

rsyslogd-2291: imrelp: could not activate relp listner

I'm trying to configure rsyslog TLS with RELP but keep getting errors.
I'm using RHEL 7.2 with rsyslog 8.15.
I do manage to send messages using RELP + TLS but without using the certificates. When I add the certificates I get the following error:
Jan 20 11:00:17 ip-10-0-0-114 rsyslogd-2353: imrelp[514]: error 'Failed to set certificate trust files [gnutls error -64: Error while reading file.]', object 'lstn 514' - input may not work as intended [v8.15.0 try http://www.rsyslog.com/e/2353 ]
Jan 20 11:00:17 ip-10-0-0-114 rsyslogd-2291: imrelp: could not activate relp listner, code 10031 [v8.15.0 try http://www.rsyslog.com/e/2291 ]
Server conf:
module(load="imrelp" ruleset="relp")
input(type="imrelp" port="514" tls="on"
tls.caCert="/home/ec2-user/rsyslog/ca.pem"
tls.myCert="/home/ec2-user/rsyslog/server-cert.pem"
tls.myPrivKey="/home/ec2-user/rsyslog/server-key.pem"
tls.authmode="name"
tls.permittedpeer=["client.example.co"]
)
ruleset(name="relp") {
action(type="omfile" file="/var/log/relptls2")
}
The following is the client configuration:
module(load="omrelp")
action(type="omrelp" target="10.0.0.114" port="514" tls="on"
tls.caCert="/home/ec2-user/rsyslog/ca.pem"
tls.myCert="/home/ec2-user/rsyslog/client-cert.pem"
tls.myPrivKey="/home/ec2-user/rsyslog/client-key.pem"
tls.authmode="name"
tls.permittedpeer=["server.example.co"]
)
When I remove the TLS cert fields from the server configuration I get this client error:
Jan 20 10:35:29 ip-10-0-0-206 rsyslogd-2353: omrelp[10.0.0.114:514]: error 'Failed to set certificate trust file [gnutls error -64: Error while reading file.]', object 'conn to srvr 10.0.0.114:514' - action may not work as intended [v8.15.0 try http://www.rsyslog.com/e/2353 ]
Help would be really, really appreciated as I've been stuck with this for a long time.
Thanks!!!!
The "gnutls error -64: Error while reading file" error message means either:
The certificates' actual path is different from what is in the configuration file
The rsyslog service cannot read the certificates because of a permission problem
In case of permission issue you may move the certificates under /etc/rsyslog.d
In case of path issue, just fix the path :)

ASIHTTPRequestErrorDomain : (possibly a bad/expired/self-signed certificate)

When I access the website API using https, ASIHTTPRequest can't get a response. I got the error below:
ASI error:: Error Domain=ASIHTTPRequestErrorDomain Code=1 "A connection failure occurred: SSL problem (possibly a bad/expired/self-signed certificate)" UserInfo=0x4e5ccd0 {NSUnderlyingError=0x4e5ce40 "The operation couldn’t be completed. (OSStatus error -9807.)", NSLocalizedDescription=A connection failure occurred: SSL problem (possibly a bad/expired/self-signed certificate)}
I guess I got this error because I generated the SSL certificate myself, instead of purchasing one. Is that right? Does "SSL problem (possibly a bad/expired/self-signed certificate)" mean I should purchase an SSL certificate for my server?
You're correct, a self-signed SSL Cert will cause this error. That said, you're not forced to purchase an SSL Cert.
If this were for an internal application, I'd just disable the Cert check with the following:
[request setValidatesSecureCertificate:NO];