
Java Database Connectivity (JDBC)

SSL jdbc connection fails with Diffie-Hellman (DH_ANON) cipher suites

User_672R1Jan 28 2015 — edited Jan 29 2015

I am trying to create an SSL-enabled connection to the Oracle database 11g (Release 11.2.0.1.0) using JDBC. I just want to use SSL for encryption only and not authentication, which is why I am using the Diffie-Hellman cipher suites. Following is an excerpt of the code:

    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.util.Properties;

    public class Test {

        public static void main(String[] args) {
            createConnection();
        }

        static void createConnection() {
            String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<IP>)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=<service_name>)))";

            Properties props = new Properties();
            props.setProperty("user", "hr");
            props.setProperty("password", "hr");
            // Anonymous DH suites: encryption only, no server or client certificate.
            props.setProperty("oracle.net.ssl_cipher_suites", "(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA)");

            // commented out since Diffie-Hellman cipher suite should not require trust store or key-store, but the connection works only if I uncomment it.
            //props.setProperty("javax.net.ssl.trustStore", "/truststore/cwallet.sso");
            //props.setProperty("javax.net.ssl.trustStoreType", "SSO");

            Connection conn = null;
            try {
                //Security.insertProviderAt(new oracle.security.pki.OraclePKIProvider(),3);
                Class.forName("oracle.jdbc.OracleDriver");
                conn = DriverManager.getConnection(url, props);
                System.out.println("conn " + conn);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

In sqlnet.ora I added the following to make sure the client is not authenticated and that client and server use the same cipher suites:

SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES=(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)


However, when I run the code I get the following error:

java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
  at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:419)
  at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:538)
  at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:228)
  at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
  at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:521)
  at java.sql.DriverManager.getConnection(DriverManager.java:582)
  at java.sql.DriverManager.getConnection(DriverManager.java:154)
  at oracle.bi.modeling.Test.createConnection(Test.java:50)
  at oracle.bi.modeling.Test.main(Test.java:18)
Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
  at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:375)
  at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:422)
  at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:686)
  at oracle.net.ns.NSProtocol.connect(NSProtocol.java:246)
  at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1056)
  at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:308)
  ... 8 more
Caused by: oracle.net.ns.NetException: Unable to initialize ssl context.
  at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:327)
  at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:110)
  at oracle.net.nt.ConnOption.connect(ConnOption.java:130)
  at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:353)
  ... 13 more
Caused by: oracle.net.ns.NetException: Unable to initialize the trust store.
  at oracle.net.nt.CustomSSLSocketFactory.getTrustManagerArray(CustomSSLSocketFactory.java:415)
  at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:311)
  ... 16 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
  at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
  at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
  at java.security.KeyStore.load(KeyStore.java:1185)
  at oracle.net.nt.CustomSSLSocketFactory.getTrustManagerArray(CustomSSLSocketFactory.java:406)
  ... 17 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
  at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
  ... 20 more

If I do specify the trust store, i.e. uncomment the following lines, the connection works fine:

props.setProperty("javax.net.ssl.trustStore", "/truststore/cwallet.sso");
props.setProperty("javax.net.ssl.trustStoreType", "SSO");

But a Diffie-Hellman cipher suite should not require a truststore or keystore. So what am I doing wrong?

I do see the following in one of the Oracle docs:

http://docs.oracle.com/cd/B28359_01/network.111/b28530/asossl.htm#i1009717

"There is a known bug in which an OCI client requires a wallet even when using a cipher suite with DH_ANON, which does not authenticate the client."

However, I am not using the OCI client. Instead I am using JDBC (ojdbc6.jar). Does the same bug exist in JDBC? If so, what is the workaround to use the Diffie-Hellman cipher suites?


Thanks


Joyjit
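As an added example, not code from the post or from Oracle: a small Java program that first reports whether the running JDK's JSSE supports the three requested DH_anon suites at all and whether they are in its default enabled list (JSSE ships the anonymous suites but leaves them out of the enabled-by-default set, which is worth checking before blaming the driver), and then shows the configuration a practitioner would use instead. An anonymous DH suite encrypts the session but never authenticates the listener, so an attacker on the path can terminate the TLS session itself and relay the traffic without anything on the client noticing; the truststore the driver insists on is what makes the server identity checkable. The host, service name, JKS truststore path and password are placeholders, the two TLS_RSA suites are assumed to be enabled on the listener, `oracle.net.ssl_server_dn_match` is the thin driver's documented DN-match property, and connectAuthenticated() needs a reachable database to run; reportSuites() runs offline.

```java
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import javax.net.ssl.SSLContext;

public class TcpsSuiteCheck {

    // The three suites the post requests. "anon" means no certificate on either side,
    // so the listener is never authenticated and an active MITM cannot be detected.
    static final List<String> REQUESTED = Arrays.asList(
            "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
            "SSL_DH_anon_WITH_RC4_128_MD5",
            "SSL_DH_anon_WITH_DES_CBC_SHA");

    /** For each requested suite, report whether this JDK's JSSE supports it at all
     *  and whether it is in the default enabled list (anonymous suites normally are not). */
    static String reportSuites() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
        StringBuilder sb = new StringBuilder();
        for (String suite : REQUESTED) {
            sb.append(String.format("%-36s supported=%-5b enabled-by-default=%b%n",
                    suite, supported.contains(suite), enabled.contains(suite)));
        }
        return sb.toString();
    }

    /** Authenticated alternative: the thin driver validates the listener's certificate
     *  against a JKS truststore holding the database CA and checks the server DN.
     *  host/service/trustStorePath/trustStorePassword are placeholders (hypothetical). */
    static Connection connectAuthenticated(String host, String service,
                                           String trustStorePath, String trustStorePassword)
            throws SQLException {
        String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=" + host
                + ")(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=" + service + ")))";
        Properties props = new Properties();
        props.setProperty("user", "hr");
        props.setProperty("password", "hr");
        props.setProperty("javax.net.ssl.trustStore", trustStorePath);
        props.setProperty("javax.net.ssl.trustStoreType", "JKS");
        props.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        // Certificate-authenticated suites only (JSSE names); assumed enabled on the listener.
        props.setProperty("oracle.net.ssl_cipher_suites",
                "(TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA)");
        // Require the server certificate's DN to match as well, so that any certificate
        // issued by the trusted CA is not enough on its own.
        props.setProperty("oracle.net.ssl_server_dn_match", "true");
        return DriverManager.getConnection(url, props);
    }

    public static void main(String[] args) throws Exception {
        System.out.print(reportSuites());
        if (args.length == 4) {
            // args: host service truststore.jks password (no database is bundled with this example)
            try (Connection conn = connectAuthenticated(args[0], args[1], args[2], args[3])) {
                System.out.println("authenticated TCPS connection: " + conn);
            }
        }
    }
}
```

Run it with no arguments to see the suite report for your JDK; if the DH_anon suites are supported but not enabled, the driver's handshake can fail before the truststore is ever consulted, which is a separate problem from the "Keystore was tampered with" error in the post (that one comes from the driver trying to open a default JKS truststore with no usable password). Passing the four arguments exercises the authenticated path against a real listener.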
