After installing the latest version of Oracle Unified Directory (11.1.2.2.0), every database I tried to connect to the directory service started getting the following error:
SQL> conn T3204325
Enter password:
ERROR:
ORA-28030: Server encountered problems accessing LDAP directory service
Checking the OUD log, the error was:
[30/Mar/2015:10:50:46 -0300] CONNECT conn=19 from=10.192.38.28:34059 to=10.221.63.49:1636 protocol=LDAPS
[30/Mar/2015:10:50:46 -0300] DISCONNECT conn=19 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"
After some research, I found out that in any JDK version later than JDK 7u75, the SSLv3 (Secure Sockets Layer) protocol has been disabled and is not available by default, in order to mitigate the vulnerability in SSL v3.0 (known as the "Poodle Attack").
So I tried to disable this protocol on the database side, following MOS Doc 1938502.1 (CVE-2014-3566 Poodle Vulnerability and SSL_VERSION Parameter Setting). In short, it says to update all sqlnet.ora and listener.ora configuration files with: "SSL_VERSION=1.0"
Unfortunately, after applying that solution, the problem persisted.
After a lot more research, I finally found out that this is a bug (19285025) =[ ... and the solution is to apply patch 19285025, available on the patches portal.
So I applied it after shutting down the instance:
[oracle@blqa10bddsne001 opatch]$ unzip p19285025_112040_Linux-x86-64.zip
Archive: p19285025_112040_Linux-x86-64.zip
creating: 19285025/
inflating: 19285025/README.txt
creating: 19285025/etc/
creating: 19285025/etc/config/
inflating: 19285025/etc/config/inventory.xml
inflating: 19285025/etc/config/deploy.xml
inflating: 19285025/etc/config/actions.xml
creating: 19285025/etc/xml/
inflating: 19285025/etc/xml/GenericActions.xml
inflating: 19285025/etc/xml/ShiphomeDirectoryStructure.xml
creating: 19285025/files/
creating: 19285025/files/lib/
creating: 19285025/files/lib/libldapclnt11.a/
inflating: 19285025/files/lib/libldapclnt11.a/gslcss.o
[oracle@blqa10bddsne001 opatch]$ cd 19285025/
[oracle@blqa10bddsne001 19285025]$ opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 11.2.0.3.6
Copyright (c) 2013, Oracle Corporation. All rights reserved.

PREREQ session

Oracle Home : /u01/app/oracle/product/11.2.4/dbhome_1
Central Inventory : /u01/app/oraInventory
from : /u01/app/oracle/product/11.2.4/dbhome_1/oraInst.loc
OPatch version : 11.2.0.3.6
OUI version : 11.2.0.4.0
Log file location : /u01/app/oracle/product/11.2.4/dbhome_1/cfgtoollogs/opatch/opatch2015-03-30_11-07-21AM_1.log

Invoking prereq "checkconflictagainstohwithdetail"

Prereq "checkConflictAgainstOHWithDetail" passed.

OPatch succeeded.
[oracle@blqa10bddsne001 19285025]$ opatch apply
Oracle Interim Patch Installer version 11.2.0.3.6
Copyright (c) 2013, Oracle Corporation. All rights reserved.

Oracle Home : /u01/app/oracle/product/11.2.4/dbhome_1
Central Inventory : /u01/app/oraInventory
from : /u01/app/oracle/product/11.2.4/dbhome_1/oraInst.loc
OPatch version : 11.2.0.3.6
OUI version : 11.2.0.4.0
Log file location : /u01/app/oracle/product/11.2.4/dbhome_1/cfgtoollogs/opatch/19285025_Mar_30_2015_11_09_55/apply2015-03-30_11-09-55AM_1.log

Applying interim patch '19285025' to OH '/u01/app/oracle/product/11.2.4/dbhome_1'
Verifying environment and performing prerequisite checks...
All checks passed.
Provide your email address to be informed of security issues, install and
initiate Oracle Configuration Manager. Easier for you if you use your My
Oracle Support Email address/User Name.
Visit http://www.oracle.com/support/policies.html for details.
Email address/User Name:

You have not provided an email address for notification of security issues.
Do you wish to remain uninformed of security issues ([Y]es, [N]o) [N]: y

Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/u01/app/oracle/product/11.2.4/dbhome_1')

Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files...

Patching component oracle.ldap.rsf, 11.2.0.4.0...

Patching component oracle.rdbms, 11.2.0.4.0...

Patching component oracle.rdbms.rsf, 11.2.0.4.0...

Verifying the update...
Patch 19285025 successfully applied
Log file location: /u01/app/oracle/product/11.2.4/dbhome_1/cfgtoollogs/opatch/19285025_Mar_30_2015_11_09_55/apply2015-03-30_11-09-55AM_1.log

OPatch succeeded.
[oracle@blqa10bddsne001 19285025]$
After starting my database again, the problem was finally solved =D. No more SSLv3 vulnerability problems!
For more information, see MOS Doc 1986819.1 (EUS - ORA-28030: Server Encountered Problems Accessing OUD).
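The OUD access-log entries quoted earlier tie a refused SSLv3 handshake to its client through the shared conn= id. The Python example below is added here and is not part of the original post; it uses that pairing to list which clients still request a protocol the directory rejects, so the databases that still need the patch can be identified. It assumes the log format matches the two quoted lines; the sample log is constructed and the function name is hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the first two lines are the ones quoted in the post,
# the rest are made-up entries in the same format.
SAMPLE_LOG = '''\
[30/Mar/2015:10:50:46 -0300] CONNECT conn=19 from=10.192.38.28:34059 to=10.221.63.49:1636 protocol=LDAPS
[30/Mar/2015:10:50:46 -0300] DISCONNECT conn=19 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"
[30/Mar/2015:10:51:02 -0300] CONNECT conn=20 from=10.192.38.40:41000 to=10.221.63.49:1636 protocol=LDAPS
[30/Mar/2015:10:51:03 -0300] DISCONNECT conn=20 reason="Client Disconnect"
[30/Mar/2015:10:52:10 -0300] CONNECT conn=21 from=10.192.38.28:34102 to=10.221.63.49:1636 protocol=LDAPS
[30/Mar/2015:10:52:10 -0300] DISCONNECT conn=21 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"
[30/Mar/2015:10:53:00 -0300] DISCONNECT conn=7 reason="I/O Error" msg="Client requested protocol SSLv3 not enabled or not supported"
'''

CONNECT_RE = re.compile(r'^\[[^\]]+\] CONNECT conn=(\d+) from=(\S+):\d+ to=\S+')
# msg="..." is optional: ordinary disconnects carry only a reason.
DISCONNECT_RE = re.compile(r'^\[[^\]]+\] DISCONNECT conn=(\d+)(?:.*?msg="([^"]*)")?')
REJECTED_RE = re.compile(r'Client requested protocol (\S+) not enabled or not supported')


def rejected_protocol_clients(lines):
    """Count handshakes the directory refused, keyed by (client IP, protocol)."""
    open_conns = {}  # conn id -> client IP, learned from CONNECT records
    hits = Counter()
    for line in lines:
        m = CONNECT_RE.match(line)
        if m:
            open_conns[m.group(1)] = m.group(2)
            continue
        m = DISCONNECT_RE.match(line)
        if not m:
            continue
        # Always forget the connection so a reused conn id is not misattributed.
        # A DISCONNECT whose CONNECT was rotated out of the log maps to "unknown".
        client = open_conns.pop(m.group(1), "unknown")
        rejected = REJECTED_RE.search(m.group(2) or "")
        if rejected:
            hits[(client, rejected.group(1))] += 1
    return dict(hits)


if __name__ == "__main__":
    report = rejected_protocol_clients(SAMPLE_LOG.splitlines())
    for (client, proto), n in sorted(report.items()):
        print(f"{client}\t{proto}\t{n} rejected handshake(s)")
```

Running the same function over the access log after patching a database home shows whether that client's address has stopped appearing.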