Oracle JDBC瘦驱动程序SSL

时间:2016-03-22 15:26:03

标签: java oracle ssl jdbc

我正在尝试为oracle jdbc配置SSL并且我正在关注该文档 http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf

我在自己的机器上有oracle服务器和客户端。这是POC。

我使用案例#1仅使用SSL进行加密。我的listener.ora看起来像

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484))
    )
  )

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=C:\app\xxx\product\11.2.0\dbhome_2\server))) 

SSL_CLIENT_AUTHENTICATION=FALSE 

我的sqlnet.ora看起来像

SQLNET.AUTHENTICATION_SERVICES= (NTS)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=C:\app\Priya\product\11.2.0\dbhome_2\server)))

SSL_CLIENT_AUTHENTICATION=FALSE 

oracle服务器上的tnsnames.ora

ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484))     
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
    (SECURITY=(SSL_SERVER_CERT_DN="CN=SERVER_TEST,C=US")) 
  )

我甚至更新了客户端上的tnsnames.ora

ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484))     
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
    (SECURITY=(SSL_SERVER_CERT_DN="CN=SERVER_TEST,C=US")) 
  )

我的Java.security

security.provider.10 = oracle.security.pki.OraclePKIProvider

我使用orapki实用程序创建了服务器钱包自动登录。

我的示例代码:

String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))";

System.out.println("set properties");
Properties props = new Properties();
props.setProperty("user", "XXXXX");
props.setProperty("password", "XXXXX");
props.setProperty("oracle.net.ssl_cipher_suites",
                    "(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, "
                        + "SSL_DH_anon_WITH_RC4_128_MD5,"
                        + "SSL_DH_anon_WITH_DES_CBC_SHA)");

System.out.println("get connection");
Connection con = DriverManager.getConnection(url, props);
System.out.println("got a connection");
Statement stmt = con.createStatement();
ResultSet rs = stmt.executeQuery("select sysdate from dual");
while (rs.next()) {
    System.out.println("result = "+rs.getString(1));
}
rs.close();
stmt.close();
con.close();

我得到了以下错误:

set properties
get connection
trustStore is: C:\Program Files (x86)\Java\jdk1.6.0_45\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  Algorithm: RSA; Serial number: 0x4eb200670c035d4f
  Valid from Wed Oct 25 04:36:00 EDT 2006 until Sat Oct 25 04:36:00 EDT 2036
...............
.............
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1441881635 bytes = { 236, 186, 144, 113, 184, 49, 37, 30, 105, 22, 80, 151, 167, 186, 10, 227, 160, 97, 62, 9, 21, 123, 5, 153, 25, 55, 40, 140 }
Session ID:  {}
Cipher Suites: [SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA]
Compression Methods:  { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
***
[write] MD5 and SHA1 hashes:  len = 56
0000: 01 00 00 34 03 01 56 F1   5E 23 EC BA 90 71 B8 31  ...4..V.^#...q.1
0010: 25 1E 69 16 50 97 A7 BA   0A E3 A0 61 3E 09 15 7B  %.i.P......a>...
0020: 05 99 19 37 28 8C 00 00   06 00 1B 00 18 00 1A 01  ...7(...........
0030: 00 00 05 FF 01 00 01 00                            ........
main, WRITE: TLSv1 Handshake, length = 56
[write] MD5 and SHA1 hashes:  len = 53
0000: 01 03 01 00 0C 00 00 00   20 00 00 1B 00 00 18 00  ........ .......
0010: 00 1A 00 00 FF 56 F1 5E   23 EC BA 90 71 B8 31 25  .....V.^#...q.1%
0020: 1E 69 16 50 97 A7 BA 0A   E3 A0 61 3E 09 15 7B 05  .i.P......a>....
0030: 99 19 37 28 8C                                     ..7(.
main, WRITE: SSLv2 client hello message, length = 53
[Raw write]: length = 55
0000: 80 35 01 03 01 00 0C 00   00 00 20 00 00 1B 00 00  .5........ .....
0010: 18 00 00 1A 00 00 FF 56   F1 5E 23 EC BA 90 71 B8  .......V.^#...q.
0020: 31 25 1E 69 16 50 97 A7   BA 0A E3 A0 61 3E 09 15  1%.i.P......a>..
0030: 7B 05 99 19 37 28 8C                               ....7(.
main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket()
main, called close()
main, called closeInternal(true)
Exception in thread "main" java.sql.SQLRecoverableException: IO Error: Software caused connection abort: recv failed
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:752)
    at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:657)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:560)
    at java.sql.DriverManager.getConnection(DriverManager.java:582)
    at java.sql.DriverManager.getConnection(DriverManager.java:154)
    at tr.com.pos.genius.background.Test.main(Test.java:75)
Caused by: java.net.SocketException: Software caused connection abort: recv failed
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:129)
    at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:422)
    at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:460)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
    at oracle.net.ns.Packet.send(Packet.java:419)
    at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:241)
    at oracle.net.ns.NSProtocolStream.negotiateConnection(NSProtocolStream.java:157)
    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:264)
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1452)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:496)
    ... 6 more

我使用的是java 6和Oracle 11g,ojdbc6.jar

我是SSL的新手。任何指针或建议都会有所帮助。

1 个答案:

答案 0 :(得分:0)

我认为您收到此错误是因为客户端发送的SSLv2 client hello已在服务器中被禁用。因此服务器立即中止握手。 尝试设置此属性以强制使用TLSv1.0,这将阻止客户端发送此SSLv2 client hello

props.setProperty("oracle.net.ssl_version", "1.0");

请注意,Oracle 12c中已禁用匿名密码套件,因此您应避免使用它们(是的,您在问题中引用的白皮书有点过时)。