5

I'm trying to connect to an Oracle DB using Java and SSL. For now I have the Java program on the server with the database.

I'm getting this error when I try to run it (full error in comment):

java.sql.SQLRecoverableException: IO Error: Inbound closed before receiving peer's close_notify: possible truncation attack?, connect lapse 15 ms., Authentication lapse 0 ms.

This is my Java code:

import java.security.Security;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class Main {
    public static void main(String[] args) {
        // Register Oracle's PKI provider so the "SSO" store type can be loaded
        Security.addProvider(new oracle.security.pki.OraclePKIProvider());
        String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=ORCL)))";
        Properties props = new Properties();
        // The same auto-login wallet is used as both trust store and key store
        props.setProperty("javax.net.ssl.trustStore",
                "C:\\app\\Administrator\\virtual\\product\\12.2.0\\dbhome_1\\bin\\wallets\\Administrator\\cwallet.sso");
        props.setProperty("javax.net.ssl.trustStoreType", "SSO");
        props.setProperty("javax.net.ssl.keyStore",
                "C:\\app\\Administrator\\virtual\\product\\12.2.0\\dbhome_1\\bin\\wallets\\Administrator\\cwallet.sso");
        props.setProperty("javax.net.ssl.keyStoreType", "SSO");
        try {
            Connection conn = DriverManager.getConnection(url, props);
        } catch (SQLException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }
}

I added this to listener.ora and tnsnames.ora (I also tried with the sso file and just linking to the directory):

WALLET_LOCATION=(SOURCE=(METHOD=FILE) (METHOD_DATA=(DIRECTORY=C:\app\Administrator\virtual\product\12.2.0\dbhome_1\bin\wallets\Administrator\ewallet.p12 ))
SSL_CLIENT_AUTHENTICATION=TRUE

I also added this to java.security:

security.provider.11=oracle.security.pki.OraclePKIProvider

edit: I didn't realize the length limit on comments was so short. Here's the full error:

Caused by: java.io.IOException: Inbound closed before receiving peer's close_notify: possible truncation attack?, connect lapse 11 ms., Authentication lapse 0 ms.
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:790)
    ... 6 more
Caused by: java.io.IOException: Inbound closed before receiving peer's close_notify: possible truncation attack?, connect lapse 11 ms.
    at oracle.net.ns.NSProtocolNIO.negotiateConnection(NSProtocolNIO.java:138)
    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:317)
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1438)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:518)
    ... 6 more
Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.closeInbound(Unknown Source)
    at oracle.net.nt.SSLSocketChannel.fill(SSLSocketChannel.java:534)
    at oracle.net.nt.SSLSocketChannel.unwrap(SSLSocketChannel.java:434)
    at oracle.net.nt.SSLSocketChannel.handshake(SSLSocketChannel.java:350)
    at oracle.net.nt.SSLSocketChannel.write(SSLSocketChannel.java:238)
    at oracle.net.ns.NIOPacket.writeToSocketChannel(NIOPacket.java:211)
    at oracle.net.ns.NIOConnectPacket.writeToSocketChannel(NIOConnectPacket.java:232)
    at oracle.net.ns.NSProtocolNIO.negotiateConnection(NSProtocolNIO.java:108)
    ... 9 more
3 Comments

  • Which version of Oracle, which version of the Oracle JDBC driver, which version of Java (full versions of all please)? Commented Dec 13, 2018 at 18:49
  • @Mark Oracle version: 12.2.0.1.0 OJDBC: 12.2.0.1 Java: 1.8.0_191 Commented Dec 13, 2018 at 19:15
  • Were you able to resolve this issue? I am facing the same issue. Commented Apr 15, 2020 at 12:18

1 Answer

2

Can you make sure to have oraclepki.jar, osdt_core.jar and osdt_cert.jar in the classpath? You don't need to use keystore and truststore properties. Use oracle.net.wallet_location and oracle.net.ssl_server_dn_match=true. Check out the blog for more details.

2 Comments

Thanks, I do have them in the classpath. Do you know if there's a way to set wallet_location and ssl_server_dn_match inside the Java code? I'd rather avoid having to set up a script to run this if I can.
Yes, you can set those as connection properties. Check out DataSourceForJKS (github.com/oracle/oracle-db-examples/blob/master/java/jdbc/…) for a reference
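
The approach from the answer and its comments, written out as an added example (not code from the original posts or from the linked Oracle sample): the two `oracle.net.*` settings are passed as connection properties, and the session is then checked to confirm it really runs over TCPS. The class name, the `DB_USER`/`DB_PASSWORD` environment variables and the use of a database username and password are assumptions; the URL and wallet directory are the ones from the question.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class WalletTcpsCheck {
    // Wallet DIRECTORY from the question, not the cwallet.sso / ewallet.p12 file inside it.
    static final String WALLET_DIR =
        "C:\\app\\Administrator\\virtual\\product\\12.2.0\\dbhome_1\\bin\\wallets\\Administrator";

    // Builds the connection properties named in the answer; user/password are assumed inputs.
    static Properties walletProperties(String user, String password) {
        if (user == null || password == null) {
            throw new IllegalArgumentException("set DB_USER and DB_PASSWORD");
        }
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        // Replaces the javax.net.ssl.keyStore/trustStore properties used in the question.
        props.setProperty("oracle.net.wallet_location",
            "(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=" + WALLET_DIR + ")))");
        // Require the server certificate's DN to match instead of accepting any trusted cert.
        props.setProperty("oracle.net.ssl_server_dn_match", "true");
        return props;
    }

    public static void main(String[] args) throws SQLException {
        String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=2484))"
            + "(CONNECT_DATA=(SERVICE_NAME=ORCL)))";
        Properties props = walletProperties(System.getenv("DB_USER"), System.getenv("DB_PASSWORD"));
        try (Connection conn = DriverManager.getConnection(url, props);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(
                 "SELECT SYS_CONTEXT('USERENV','NETWORK_PROTOCOL') FROM DUAL")) {
            rs.next();
            String protocol = rs.getString(1);
            // Fail loudly if the session somehow ended up on an unencrypted listener.
            if (!"tcps".equalsIgnoreCase(protocol)) {
                throw new IllegalStateException("Session is not using TLS: " + protocol);
            }
            System.out.println("Connected over " + protocol);
        }
    }
}
```

With `oracle.net.ssl_server_dn_match` set to `true`, a server certificate whose DN does not match the host in the URL causes the connection to be refused, so a wallet certificate issued for a different name than `localhost` shows up as a handshake failure rather than a silent downgrade.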
