OUD failing with "Client requested protocol SSLv3 not enabled or not supported"

After installing the latest version of Oracle Unified Directory (11.1.2.2.0), every database I tried to connect to the directory service started getting the following error:

SQL> conn T3204325
Enter password:
ERROR:
ORA-28030: Server encountered problems accessing LDAP directory service

Checking the OUD log, the error was:

[30/Mar/2015:10:50:46 -0300] CONNECT conn=19 from=10.192.38.28:34059 to=10.221.63.49:1636 protocol=LDAPS
[30/Mar/2015:10:50:46 -0300] DISCONNECT conn=19 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"

After some research, I found out that in any JDK version later than JDK 7u75, the SSLv3 (Secure Sockets Layer) protocol has been disabled and is not available by default, to mitigate the vulnerability in SSL v3.0 (known as the "POODLE attack").
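To see which database hosts are still being rejected for requesting SSLv3 (and therefore still need the client-side fix), the CONNECT and DISCONNECT lines of the OUD access log can be correlated by `conn` id. This is an added example, not part of the original post: the function name `sslv3_clients` is hypothetical, and apart from the `conn=19` pair quoted above the sample log lines are constructed.

```python
import re
from collections import Counter

# Sample input: the conn=19 pair is the one quoted in the post; the other
# lines are constructed for this example.
SAMPLE_LOG = """\
[30/Mar/2015:10:50:46 -0300] CONNECT conn=19 from=10.192.38.28:34059 to=10.221.63.49:1636 protocol=LDAPS
[30/Mar/2015:10:50:46 -0300] DISCONNECT conn=19 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"
[30/Mar/2015:10:51:02 -0300] CONNECT conn=20 from=192.0.2.15:40112 to=10.221.63.49:1636 protocol=LDAPS
[30/Mar/2015:10:51:03 -0300] DISCONNECT conn=20 reason="Client Disconnect"
[30/Mar/2015:10:51:10 -0300] CONNECT conn=21 from=10.192.38.28:34077 to=10.221.63.49:1636 protocol=LDAPS
[30/Mar/2015:10:51:10 -0300] DISCONNECT conn=21 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"
[30/Mar/2015:10:51:30 -0300] DISCONNECT conn=99 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"
"""

CONNECT_RE = re.compile(r"\] CONNECT conn=(\d+) from=(\S+):\d+ to=")
DISCONNECT_RE = re.compile(r"\] DISCONNECT conn=(\d+)\b(.*)")
SSLV3_MARKER = "Client requested protocol SSLv3"


def sslv3_clients(lines):
    """Map client IP -> number of handshakes rejected for requesting SSLv3.

    Also returns conn ids whose CONNECT line was not seen (e.g. rotated log).
    """
    open_conns, hits, orphans = {}, Counter(), []
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            open_conns[m.group(1)] = m.group(2)  # conn id -> client IP
            continue
        m = DISCONNECT_RE.search(line)
        if not m:
            continue  # operation lines (BIND, SEARCH, ...) are ignored
        # Always forget the connection so a reused id is not misattributed.
        client = open_conns.pop(m.group(1), None)
        if SSLV3_MARKER in m.group(2):
            if client is None:
                orphans.append(m.group(1))
            else:
                hits[client] += 1
    return hits, orphans


if __name__ == "__main__":
    hits, orphans = sslv3_clients(SAMPLE_LOG.splitlines())
    for ip, n in hits.most_common():
        print(f"{ip}\t{n} rejected SSLv3 handshake(s)")
    if orphans:
        print("no CONNECT line seen for conn ids:", ", ".join(orphans))
```

Running it again over the log after a client has been fixed should show that host's count stop growing.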

So I tried to disable this protocol on the database side following MOS Doc 1938502.1 (CVE-2014-3566 Poodle Vulnerability and SSL_VERSION Parameter Setting). In short, it says to update any sqlnet.ora and listener.ora configuration files with: "SSL_VERSION=1.0"

Unfortunately, after applying that solution, the problem persisted.

After a lot more research, I finally found out that this is a bug (19285025) =[ .. and the solution is to apply patch 19285025, available on the patch portal.

So I applied it after shutting down the instance:

[oracle@blqa10bddsne001 opatch]$ unzip p19285025_112040_Linux-x86-64.zip
Archive:  p19285025_112040_Linux-x86-64.zip
   creating: 19285025/
  inflating: 19285025/README.txt
   creating: 19285025/etc/
   creating: 19285025/etc/config/
  inflating: 19285025/etc/config/inventory.xml
  inflating: 19285025/etc/config/deploy.xml
  inflating: 19285025/etc/config/actions.xml
   creating: 19285025/etc/xml/
  inflating: 19285025/etc/xml/GenericActions.xml
  inflating: 19285025/etc/xml/ShiphomeDirectoryStructure.xml
   creating: 19285025/files/
   creating: 19285025/files/lib/
   creating: 19285025/files/lib/libldapclnt11.a/
  inflating: 19285025/files/lib/libldapclnt11.a/gslcss.o
[oracle@blqa10bddsne001 opatch]$ cd 19285025/
[oracle@blqa10bddsne001 19285025]$ opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 11.2.0.3.6
Copyright (c) 2013, Oracle Corporation.  All rights reserved.

PREREQ session

Oracle Home       : /u01/app/oracle/product/11.2.4/dbhome_1
Central Inventory : /u01/app/oraInventory
   from           : /u01/app/oracle/product/11.2.4/dbhome_1/oraInst.loc
OPatch version    : 11.2.0.3.6
OUI version       : 11.2.0.4.0
Log file location : /u01/app/oracle/product/11.2.4/dbhome_1/cfgtoollogs/opatch/opatch2015-03-30_11-07-21AM_1.log

Invoking prereq "checkconflictagainstohwithdetail"

Prereq "checkConflictAgainstOHWithDetail" passed.

OPatch succeeded.
[oracle@blqa10bddsne001 19285025]$ opatch apply
Oracle Interim Patch Installer version 11.2.0.3.6
Copyright (c) 2013, Oracle Corporation.  All rights reserved.


Oracle Home       : /u01/app/oracle/product/11.2.4/dbhome_1
Central Inventory : /u01/app/oraInventory
   from           : /u01/app/oracle/product/11.2.4/dbhome_1/oraInst.loc
OPatch version    : 11.2.0.3.6
OUI version       : 11.2.0.4.0
Log file location : /u01/app/oracle/product/11.2.4/dbhome_1/cfgtoollogs/opatch/19285025_Mar_30_2015_11_09_55/apply2015-03-30_11-09-55AM_1.log

Applying interim patch '19285025' to OH '/u01/app/oracle/product/11.2.4/dbhome_1'
Verifying environment and performing prerequisite checks...
All checks passed.
Provide your email address to be informed of security issues, install and
initiate Oracle Configuration Manager. Easier for you if you use your My
Oracle Support Email address/User Name.
Visit http://www.oracle.com/support/policies.html for details.
Email address/User Name:

You have not provided an email address for notification of security issues.
Do you wish to remain uninformed of security issues ([Y]es, [N]o) [N]:  y



Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/u01/app/oracle/product/11.2.4/dbhome_1')


Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files...

Patching component oracle.ldap.rsf, 11.2.0.4.0...

Patching component oracle.rdbms, 11.2.0.4.0...

Patching component oracle.rdbms.rsf, 11.2.0.4.0...

Verifying the update...
Patch 19285025 successfully applied
Log file location: /u01/app/oracle/product/11.2.4/dbhome_1/cfgtoollogs/opatch/19285025_Mar_30_2015_11_09_55/apply2015-03-30_11-09-55AM_1.log

OPatch succeeded.
[oracle@blqa10bddsne001 19285025]$

After starting my database again, the problem was finally solved =D. No more SSLv3 vulnerability problems!

For more information, see MOS Doc 1986819.1 (EUS - ORA-28030: Server Encountered Problems Accessing OUD).
