TLS 1.0 Deprecation - Oracle 11.2.0.4 API interface issues.
I have been using the Oracle UTL_HTTP (APEX_Web_Service) packages under 11.2.0.4 for provisioning user accounts and folders in BOX via the API for a couple of years now. Given the upcoming termination of TLS 1.0, I have been testing my interface against api-test.box.com, and sure enough, it failed. After installing some Oracle patches, I am now able to connect to api-test.box.com. However, this same system is unable to connect to api.box.com, eventually returning:
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Bad Certificate)
    Content Type: Alert (21)
    Version: TLS 1.2 (0x0303)
    Length: 2
    Alert Message
        Level: Fatal (2)
        Description: Bad Certificate (42)
This is the same certificate that was used in the successful connection to api-test.box.com.
Any thoughts or suggestions?
-
Found the problem - excessive certificates....
Once we removed the chain, except for the root certificate, from the Oracle wallet, things started working again. I would speculate (that is, make a wild guess) that under TLS 1.2, Oracle was checking the certificates more closely, and that differences between what was in the wallet and the certificate chain provided by the server were enough to make it reject the connection.
Our past practice had been to load the cert chain from each new server we were connecting with. Since this was back in the day of "what is a certificate", and each cert costing hundreds of dollars, we tended to see a lot of self-signed certificates or certificates from "Sam's Discount Certificates" (where each certificate comes with a free car wash). Ah, those were the days. But now we are actually connecting to servers that have real, valid certificates with a chain to a known root certificate authority. Practice is starting to catch up with theory.