OUD failing with "Client requested protocol SSLv3 not enabled or not supported"

After installing the latest release of Oracle Unified Directory (11.1.2.2.0), all databases that tried to connect to the directory service started to receive the following error:

SQL> conn T3204325
Enter password:
ERROR:
ORA-28030: Server encountered problems accessing LDAP directory service

Checking on the OUD log file, the error was:

[30/Mar/2015:10:50:46 -0300] CONNECT conn=19 from=10.192.38.28:34059 to=10.221.63.49:1636 protocol=LDAPS
[30/Mar/2015:10:50:46 -0300] DISCONNECT conn=19 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"

After searching a bit, I found out that in any JDK version greater than the JDK 7u75 release, the SSLv3 protocol (Secure Sockets Layer) has been deactivated and is not available by default, to mitigate the SSL v3.0 vulnerability (aka the "POODLE attack").

So, I tried to disable this protocol on the DB side, following MOS Doc 1938502.1 (CVE-2014-3566 Poodle Vulnerability and SSL_VERSION Parameter Setting). Basically, it says to update any sqlnet.ora and listener.ora configuration files with: "SSL_VERSION=1.0"

Unfortunately, after applying that workaround, the problem persisted.

After researching a lot more, I finally found out that this is a bug (19285025) =[ .. and the solution is to apply patch 19285025, available via the patch portal.

So, I applied that after shutting down the instance:

[oracle@blqa10bddsne001 opatch]$ unzip p19285025_112040_Linux-x86-64.zip
Archive:  p19285025_112040_Linux-x86-64.zip
   creating: 19285025/
  inflating: 19285025/README.txt
   creating: 19285025/etc/
   creating: 19285025/etc/config/
  inflating: 19285025/etc/config/inventory.xml
  inflating: 19285025/etc/config/deploy.xml
  inflating: 19285025/etc/config/actions.xml
   creating: 19285025/etc/xml/
  inflating: 19285025/etc/xml/GenericActions.xml
  inflating: 19285025/etc/xml/ShiphomeDirectoryStructure.xml
   creating: 19285025/files/
   creating: 19285025/files/lib/
   creating: 19285025/files/lib/libldapclnt11.a/
  inflating: 19285025/files/lib/libldapclnt11.a/gslcss.o
[oracle@blqa10bddsne001 opatch]$ cd 19285025/
[oracle@blqa10bddsne001 19285025]$ opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 11.2.0.3.6
Copyright (c) 2013, Oracle Corporation.  All rights reserved.

PREREQ session

Oracle Home       : /u01/app/oracle/product/11.2.4/dbhome_1
Central Inventory : /u01/app/oraInventory
   from           : /u01/app/oracle/product/11.2.4/dbhome_1/oraInst.loc
OPatch version    : 11.2.0.3.6
OUI version       : 11.2.0.4.0
Log file location : /u01/app/oracle/product/11.2.4/dbhome_1/cfgtoollogs/opatch/opatch2015-03-30_11-07-21AM_1.log

Invoking prereq "checkconflictagainstohwithdetail"

Prereq "checkConflictAgainstOHWithDetail" passed.

OPatch succeeded.
[oracle@blqa10bddsne001 19285025]$ opatch apply
Oracle Interim Patch Installer version 11.2.0.3.6
Copyright (c) 2013, Oracle Corporation.  All rights reserved.


Oracle Home       : /u01/app/oracle/product/11.2.4/dbhome_1
Central Inventory : /u01/app/oraInventory
   from           : /u01/app/oracle/product/11.2.4/dbhome_1/oraInst.loc
OPatch version    : 11.2.0.3.6
OUI version       : 11.2.0.4.0
Log file location : /u01/app/oracle/product/11.2.4/dbhome_1/cfgtoollogs/opatch/19285025_Mar_30_2015_11_09_55/apply2015-03-30_11-09-55AM_1.log

Applying interim patch '19285025' to OH '/u01/app/oracle/product/11.2.4/dbhome_1'
Verifying environment and performing prerequisite checks...
All checks passed.
Provide your email address to be informed of security issues, install and
initiate Oracle Configuration Manager. Easier for you if you use your My
Oracle Support Email address/User Name.
Visit http://www.oracle.com/support/policies.html for details.
Email address/User Name:

You have not provided an email address for notification of security issues.
Do you wish to remain uninformed of security issues ([Y]es, [N]o) [N]:  y



Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/u01/app/oracle/product/11.2.4/dbhome_1')


Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files...

Patching component oracle.ldap.rsf, 11.2.0.4.0...

Patching component oracle.rdbms, 11.2.0.4.0...

Patching component oracle.rdbms.rsf, 11.2.0.4.0...

Verifying the update...
Patch 19285025 successfully applied
Log file location: /u01/app/oracle/product/11.2.4/dbhome_1/cfgtoollogs/opatch/19285025_Mar_30_2015_11_09_55/apply2015-03-30_11-09-55AM_1.log

OPatch succeeded.
[oracle@blqa10bddsne001 19285025]$

Starting my database again, the problem finally disappeared =D. No more problems with the SSLv3 vulnerability!

For more information, you can check the MOS Doc 1986819.1 (EUS - ORA-28030: Server Encountered Problems Accessing OUD).
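To find which database hosts are still attempting SSLv3 against OUD (and so still need patch 19285025), the access log can be scanned by pairing each DISCONNECT with the CONNECT that carries the same conn id. This is an added example, not part of the original post: the function name is hypothetical, and the sample lines are constructed in the log format shown above (only the conn=19 pair is from the post; the other addresses and the "Client Unbind" line are assumptions).

```python
import re
from collections import Counter

# Patterns follow the two access-log lines shown in the post.
CONNECT = re.compile(r'^\[[^\]]+\] CONNECT conn=(\d+) from=(\S+):\d+ ')
DISCONNECT = re.compile(
    r'^\[[^\]]+\] DISCONNECT conn=(\d+) reason="[^"]*"(?: msg="([^"]*)")?')
SSLV3_MSG = "Client requested protocol SSLv3"


def sslv3_rejections(lines):
    """Return Counter {client address: number of rejected SSLv3 handshakes}."""
    open_conns = {}      # conn id -> client address, until its DISCONNECT
    rejected = Counter()
    for line in lines:
        m = CONNECT.match(line)
        if m:
            open_conns[m.group(1)] = m.group(2)
            continue
        m = DISCONNECT.match(line)
        if not m:
            continue
        # The matching CONNECT may sit in an already rotated log file.
        client = open_conns.pop(m.group(1), "unknown")
        if SSLV3_MSG in (m.group(2) or ""):
            rejected[client] += 1
    return rejected


# Constructed sample: conn=19 is from the post, the rest is made up.
SAMPLE_LOG = """\
[30/Mar/2015:10:50:46 -0300] CONNECT conn=19 from=10.192.38.28:34059 to=10.221.63.49:1636 protocol=LDAPS
[30/Mar/2015:10:50:46 -0300] DISCONNECT conn=19 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"
[30/Mar/2015:10:51:02 -0300] CONNECT conn=20 from=10.192.38.40:51022 to=10.221.63.49:1636 protocol=LDAPS
[30/Mar/2015:10:51:03 -0300] DISCONNECT conn=20 reason="Client Unbind"
[30/Mar/2015:10:51:10 -0300] CONNECT conn=21 from=10.192.38.28:34071 to=10.221.63.49:1636 protocol=LDAPS
[30/Mar/2015:10:51:10 -0300] DISCONNECT conn=21 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"
[30/Mar/2015:10:51:15 -0300] DISCONNECT conn=7 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"
[30/Mar/2015:10:51:20 -0300] CONNECT conn=22 from=10.192.38.51:40110 to=10.221.63.49:1636 protocol=LDAPS
[30/Mar/2015:10:51:20 -0300] DISCONNECT conn=22 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"
"""

if __name__ == "__main__":
    for client, count in sslv3_rejections(SAMPLE_LOG.splitlines()).most_common():
        print(f"{client}\t{count}")
```

A client that disappears from this report after its ORACLE_HOME is patched confirms the fix took effect on that host; entries under "unknown" mean the CONNECT line was not in the file scanned.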
