oracle/dotnet-db-samples

ORA-00542: Failure during SSL handshake - .net 6 (core) and ODP.net

twm1005 opened this issue · 3 comments

I have been using Oracle.ManagedDataAccess.Core version 3.21.100 for months now. It's been working great connecting to my Oracle database with a wallet. Today I get an error ORA-00542: Failure during SSL handshake. I do some troubleshooting by producing the trace files (attached) and I see the following:

OracleConnectionImpl.Connect() (txnid=n/a) OracleInternal.Network.NetworkException (0x80004005): ORA-00542: Failure during SSL handshake
---> System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.

I also see "(SQLNET) Status: UntrustedRoot". So at this point, I'm leaning towards an expired wallet or invalid certificate. So I test the wallet out with a different project and it works. That other test case is a PowerShell script that uses ODP.NET Oracle.ManagedDataAccess.dll version 4.122.19.1 (NOT core) using the same cwallet.sso file. The DBAs gave me a "cwallet.sso" and a "ewallet.p12". I can also connect to the database using SQL Developer and the "ewallet.p12".

The reason I am submitting an issue is it gets confusing as to why the wallet works with ODP (not core) but just stopped working for my CORE projects. I don't know if it's a bug in CORE ODP.NET or wallet? Any insight would be much appreciated.

WORKFORCEMGMT.EXE_PID_26312_DATE_2024_01_16_TIME_15_50_03_429929.trc.txt

It doesn't seem to be a bug with ODP.NET nor .NET.

For an untrusted root, there are two primary choices:

  • Put the trusted certs (server root) in the wallet
  • Put the trusted certs (server root) in the root/LocalMachine MCS cert store

It's possible you had the trusted root in MCS and took it out.

Since you are using a relative path for the wallet directory, if you changed the runtime directory, you may have gotten a different wallet (one without the trusted certs).

The trusted certs are in the wallet. As far as I know, I didn't change anything with runtime directories, wallet path, etc. It worked on Thursday and then I came back in on Tuesday and it didn't work.

It's weird as the same wallet works with my (NOT core) .NET projects. The .p12 wallet also works with SQL Developer. That's what I find confusing. Why would the CORE ODP.NET say untrusted root but the other test case work?

Importing the certs to local machine worked for me. Still confused as to why it worked everywhere else but the CORE side.

Thanks
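
As an added example (not part of the thread and not ODP.NET code): a .NET 6 console check for the LocalMachine root store option discussed above, which reports whether the server's root CA is in the Windows root stores and whether the listener certificate chains to system trust. The file names `server-root.cer` and `db-server.cer` are assumptions standing in for certificates exported by the DBA.

```csharp
// Added diagnostic example. File names are hypothetical placeholders.
using System;
using System.Security.Cryptography.X509Certificates;

// Assumption: the root CA and the database listener certificate were exported
// (DER or PEM) to these files; pass other paths as arguments if needed.
string rootPath = args.Length > 0 ? args[0] : "server-root.cer";
string leafPath = args.Length > 1 ? args[1] : "db-server.cer";

using var root = new X509Certificate2(rootPath);
using var leaf = new X509Certificate2(leafPath);

Console.WriteLine($"Root CA : {root.Subject}");
Console.WriteLine($"  valid : {root.NotBefore:u} .. {root.NotAfter:u}");

// 1. Is the root present in the Windows root stores, per machine and per user?
foreach (var location in new[] { StoreLocation.LocalMachine, StoreLocation.CurrentUser })
{
    using var store = new X509Store(StoreName.Root, location);
    store.Open(OpenFlags.ReadOnly);
    bool present = store.Certificates
        .Find(X509FindType.FindByThumbprint, root.Thumbprint, validOnly: false)
        .Count > 0;
    Console.WriteLine($"  {location}\\Root contains it: {present}");
}

// 2. Build the chain against system trust only.
using var chain = new X509Chain();
// Skip revocation so the result reflects trust, not CRL/OCSP reachability.
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
// ExtraStore lets the chain be assembled; it does NOT make the root trusted.
chain.ChainPolicy.ExtraStore.Add(root);
bool ok = chain.Build(leaf);

Console.WriteLine($"Chain valid against system trust: {ok}");
foreach (var status in chain.ChainStatus)
    Console.WriteLine($"  {status.Status}: {status.StatusInformation.Trim()}");
```

An `UntrustedRoot` entry in the chain status with the root missing from both stores corresponds to the `Status: UntrustedRoot` line in the trace; running the check again after importing the root into LocalMachine\Root should report a valid chain.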