ORA-24263: Certificate of the remote server does not match the target address.

Question and Answer

Connor McDonald

Thanks for the question, Eric.

Asked: September 09, 2017 - 12:05 am UTC

Last updated: January 14, 2022 - 6:00 am UTC

Version: Oracle Database 12.2.0.1

You Asked

I encountered ORA-24263 when migrating from Oracle Database 11g to 12.2.0.1. This error is thrown when using UTL_HTTP to access a site via HTTPS, and that site is a multi-server domain (as is common in today's cloud based world).

I no longer have a question, rather I have the answer. The answer was difficult to locate, and I still cannot find any other reference to this on the internet.

An additional parameter is required when calling UTL_HTTP.BEGIN_REQUEST. You must specify the https_host of the domain as a parameter of the begin_request procedure.

For example: v_req := utl_http.begin_request( url => 'https://api.example.com?id=12345', https_host => 'example.com' );

The https_host parameter, as far as I can tell, is 100% necessary, and 100% undocumented, and was very difficult to find.

Hopefully, AskTom can provide some exposure to this problem, and resolution.

and Chris said...

Nice work on figuring this out for yourself. But I'm not sure where you're looking. The https_host looks 100% documented to me:

https_host

The host name to be matched against the common name (CN) of the remote server's certificate for an HTTPS request. It can also be a domain name like *.example.com. If NULL, the host name in the given URL will be used.


http://docs.oracle.com/database/122/ARPLS/UTL_HTTP.htm#GUID-BBD953E8-CA2B-4D2F-B4E8-125A0C27CCDC

And MOS note 2275666.1 discusses this exact error and parameter:

When making a secured connection or request, UTL_TCP, UTL_SMTP and UTL_HTTP now verify the digital certificate of the remote server and will raise the following error if the server address in the common name (CN) attribute of the certificate does not match the requested connection or URL.

ORA-24263: Certificate of the remote server does not match the target address.

In case when the address in the certificate is expected to be different (for example, when accessing the server by IP address), the caller can provide the expected address or domain name to match via an additional parameter when making the connection or request.

SOLUTION

As of Oracle 12.2 the procedures of the utl_http package used to access remote webservices have a new parameter called https_host. One has to use this new parameter to avoid the error:

Comments

The well documented

Lavdim Djaferi, January 30, 2018 - 10:56 am UTC

I don't think that it is well documented, because what you say is that you have to use the CN name of that certificate.

Well, what are you going to do if you are using the utl_smtp.open_connection function? There is the new parameter "secure_host", and the CN for SMTP hosts is not the same as for HTTPS hosts.
See the example with Office 365. We have a big issue at the moment and cannot upgrade to release 12.2 just because of that. If you go to the 12.2 documentation for that function, they don't mention the parameter.
Chris Saxon
January 30, 2018 - 1:29 pm UTC

What's that got to do with UTL_HTTP?

I'm really struggling with utl_http in 12c

Scott Horowitz, February 28, 2018 - 7:09 pm UTC

I have an open SR with support, but it seems to be going nowhere.

I'm trying to connect to an office 365 API in order to read emails.

I saved all the certs from here in a wallet https://login.microsoftonline.com/en

C:\>orapki wallet display -wallet D:\Oracle\Wallets
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: CN=stamp2.login.microsoftonline.com
Subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
Subject: CN=Microsoft IT TLS CA 4,OU=Microsoft IT,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US


I cannot connect. I've tried all the DNS entries in the alternate names.

DECLARE
  req        VARCHAR2(5000);
  wallet_loc VARCHAR2(100) := 'file:D:\Oracle\Wallets';
BEGIN
  utl_http.set_wallet(wallet_loc, 'xxxxxx');
  req := utl_http.request(url        => 'https://login.microsoftonline.com/en',
                          https_host => 'stamp2.login.microsoftonline.com');
END;
Error report -
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1501
ORA-24263: Certificate of the remote server does not match the target address.
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1441
ORA-06512: at line 6
29273. 00000 - "HTTP request failed"
*Cause: The UTL_HTTP package failed to execute the HTTP request.
*Action: Use get_detailed_sqlerrm to check the detailed error message.
Fix the error and retry the HTTP request.

Any help would be great. I'm starting to consider using Java to call the web service, as I'm losing faith in utl_http.

Thanks,
Scott


https_host parameter

Pavel Ptak, May 30, 2018 - 12:04 pm UTC

The current solution is "As of Oracle 12.2 the procedures of the utl_http package used to access remote webservices have a new parameter called https_host. One has to use this new parameter to avoid the error:", unfortunately with no further explanation of how to use this parameter.
So for the problem described above, the https_host graph.windows.net works:

select utl_http.request(url             => 'https://login.microsoftonline.com/en',
                        wallet_path     => 'file://u01/app/oracle/product/12.2/db_1/owm/wallets/oracle',
                        wallet_password => 'pwd',
                        https_host      => 'graph.windows.net') resp
from   dual;

which can be obtained by issuing the command
openssl s_client -showcerts -connect login.microsoftonline.com:443

More details in this thread: https://community.oracle.com/thread/4148373

SNI along with request still missing

Pascal, November 13, 2018 - 2:54 pm UTC

There was a certain hassle with https requests in releases before 12.2: utl_http did not send a "server name indication" (SNI) along with the HTTP request. See for example https://en.wikipedia.org/wiki/Server_Name_Indication. Multi-domain environments have two options in this case:
1) they decide themselves on a default certificate, where the CN of the certificate does not necessarily match the hostname used in the request
2) they do not respond to the request at all

1) worked well with 12.1 and lower, as Oracle didn't care about the CN of the certificate at all (hassle-free, but not very secure). As of 12.2, we have to provide the CN of the certificate in the new parameter mentioned above. The same is the case when the site uses a wildcard certificate, where we have to provide the CN (e.g. *.domain.tld) in the new parameter.

HOWEVER: 2) still is not solved. There are sites we haven't succeeded in accessing with utl_http over https until now. We were looking forward to 12.2 hoping it would provide us with SNI, but were deeply disappointed. Are there any plans related to this problem?
Chris Saxon
November 13, 2018 - 3:04 pm UTC

I'm not aware of plans to address this.

Other issue

Pascal, November 29, 2018 - 1:35 pm UTC

There's another issue with the new https_host when using utl_http.request: it seems that it is considered for the first response we get for a request, but not for further responses, when the first response is a 301 or 302 redirect.

In this case you will still get ORA-24263, even if the CN of the certificate is correctly set in the https_host parameter.

I am currently implementing the following of redirects by hand, to be able to set the https host with every single request.

Withdraw

Pascal, December 02, 2018 - 4:59 pm UTC

I want to withdraw my former post. The parameter https_host works with http-redirects.
Connor McDonald
December 03, 2018 - 3:22 am UTC

Thanks for getting back to us.

UTL_TCP.SECURE_CONNECTION

Raffy Martin, June 13, 2019 - 1:31 pm UTC

Even though this is about UTL_HTTP, I was trying to implement the same feature with UTL_TCP.secure_connection and found that the documentation has a bug and also doesn't list the secure_host parameter. I found the optional parameter by looking at the package spec, and that solved my problem right away, so it seems I might need to look at the package definition more rather than at the documentation.

https://docs.oracle.com/en/database/oracle/oracle-database/12.2/arpls/UTL_TCP.html#GUID-F96ECC63-A003-4B88-A1FF-EC15A3B6E33B

Below from the package spec.

    /**
     * Secure a TCP/IP connection using Secure Socket Layer / Transport Layer
     * Security (SSL/TLS). SSL/TLS requires an Oracle wallet which must be
     * specified when the connection was opened by the OPEN_CONNECTION function.
     *
     * PARAMETERS
     *   c            TCP/IP connection
     *   secure_host  remote host name to be matched against the common name (CN)
     *                of the remote server's certificate. It can also be a domain
     *                name like "*.example.com". If NULL, the remote host name
     *                used in open_connection will be used.
     *
     * RETURN
     *   None
     * EXCEPTIONS
     *   SSL/TLS errors - error occurred in SSL/TLS communication
     * NOTES
     *   See the OPEN_CONNECTION function.
     */
    PROCEDURE secure_connection(c           IN OUT NOCOPY connection,
                                secure_host IN            VARCHAR2 DEFAULT NULL);
Chris Saxon
June 13, 2019 - 2:24 pm UTC

Thanks for sharing.

Potential Security issue?

Tony, July 02, 2019 - 9:20 am UTC

Our application consumes a web service using utl_http over the HTTPS protocol. Recently I got a review from an integration architect that these connections would expose the database server to the internet and hence increase the chance of a malicious attack on the database server, and asking us to move the touch point from the DB to a middleware system that would be responsible for making the connection to the web service endpoints. What are your views on this review?
Connor McDonald
July 03, 2019 - 1:34 am UTC

Firewalls normally have the capacity to distinguish between a server (db or otherwise) initiating a request to pull data from an external source, versus an external source initiating that request.

By way of example, there are thousands of Application Express installations and applications out there in the world, which regularly call web services.

But don't get me wrong - no matter *where* you perform any kind of system communication with external parties, definitely keep security first and foremost in your testing cycle.

What if the certificate does not have CN defined?

Koen, January 13, 2022 - 1:34 pm UTC

Chris,

I bumped into a site where the certificate does not have CN=xx in the subject, so opening the https request gives a strange error:
ORA-28789: name type not found

(My code does work with other sites with "normal" certificate specifying CN=xxx, so hence my conclusion it must be due to that).

The certificate does have an "Subject Alternative Name" specified.

Can I assume that the UTL_HTTP package will never work with certificates where CN is not specified?
If yes, any solution planned for this?

Kr,
Koen
Connor McDonald
January 14, 2022 - 6:00 am UTC

You'd probably have to head down the SR route for that to see what the options are.
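
The thread above makes three observations about the check behind ORA-24263: Chris's answer quotes the 12.2 documentation saying https_host is matched against the certificate's common name (CN) and may be a wildcard such as *.example.com; Pavel found that for login.microsoftonline.com the value that works is the CN of the certificate actually served, graph.windows.net; and Koen hit ORA-28789 on a certificate whose subject carries no CN at all. The Python below is an added example, not code from this page or from Oracle, that models those behaviours offline so the difference between a CN-only check and a SAN-aware one is visible, together with what supplying https_host does to the check. Assumptions: the certificates are constructed dicts holding only name fields (none is a real certificate and the SAN lists are invented), the wildcard rule is the RFC 6125 one (a leading `*.` stands for exactly one DNS label), which the page does not confirm is what Oracle implements, and all function names are mine.

```python
"""Added example (not from the AskTom page or Oracle): a model of the
server-name check behind ORA-24263. CN-only matching as the 12.2 docs
describe for https_host, SAN-aware matching as a modern TLS client does,
and the effect of overriding the expected name with https_host."""
from __future__ import annotations

# Constructed sample certificates (not real): only the subject and the
# dNSName SAN entries matter for a name check, so that is all modelled.
CERTS = {
    # Ordinary single-name certificate.
    "plain": {"subject": {"CN": "api.example.com"},
              "san": ["api.example.com"]},
    # Wildcard certificate: the CN is the pattern itself.
    "wildcard": {"subject": {"CN": "*.example.com"},
                 "san": ["*.example.com", "example.com"]},
    # Shaped like the Office 365 case in the comments, where
    # https_host => 'graph.windows.net' made login.microsoftonline.com work:
    # the CN names one service, the (invented) SAN list carries the others.
    "multi_san": {"subject": {"CN": "graph.windows.net"},
                  "san": ["graph.windows.net",
                          "login.microsoftonline.com",
                          "stamp2.login.microsoftonline.com"]},
    # Koen's case: no CN in the subject at all, names only in the SAN.
    "san_only": {"subject": {"O": "Example Org"},
                 "san": ["www.example.org", "example.org"]},
}


def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name against a host, RFC 6125 style
    (assumption: Oracle's rule is not shown on the page). Case-insensitive;
    a leading '*.' stands for exactly one DNS label, so *.example.com covers
    api.example.com but neither example.com nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # ".example.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]         # what the '*' has to stand for
        return label != "" and "." not in label
    return pattern == host


def cn_only_check(cert: dict, expected_host: str) -> tuple[bool, str]:
    """The check the 12.2 docs describe: the expected name is compared with
    the subject CN and nothing else. A mismatch is the ORA-24263 situation;
    a certificate without a CN has nothing to compare against, which fits
    the ORA-28789 report in the comments."""
    cn = cert["subject"].get("CN")
    if cn is None:
        return False, "subject has no CN; nothing to compare against"
    if name_matches(cn, expected_host):
        return True, f"CN {cn} matches {expected_host}"
    return False, f"CN {cn} does not match {expected_host} (ORA-24263 case)"


def san_aware_check(cert: dict, expected_host: str) -> tuple[bool, str]:
    """What a modern TLS client does instead: when dNSName SANs are present
    only they are consulted; the CN is a fallback for SAN-less certificates."""
    sans = cert.get("san", [])
    if not sans:
        return cn_only_check(cert, expected_host)
    for name in sans:
        if name_matches(name, expected_host):
            return True, f"SAN {name} matches {expected_host}"
    return False, f"no SAN entry matches {expected_host}"


def utl_http_style_check(cert: dict, url_host: str,
                         https_host: str | None = None) -> tuple[bool, str]:
    """Documented https_host semantics: the name compared with the CN is
    https_host when given, otherwise the host from the URL. Consequence:
    once https_host is set, the URL's host takes no part in the check."""
    return cn_only_check(cert, https_host or url_host)


if __name__ == "__main__":
    cases = [
        ("plain",     "api.example.com",                 None),
        ("wildcard",  "api.example.com",                 None),
        ("wildcard",  "example.com",                     None),
        ("multi_san", "login.microsoftonline.com",       None),
        ("multi_san", "login.microsoftonline.com",       "graph.windows.net"),
        ("multi_san", "not-the-host-you-wanted.example", "graph.windows.net"),
        ("san_only",  "www.example.org",                 None),
    ]
    for cert_name, url_host, https_host in cases:
        ok, why = utl_http_style_check(CERTS[cert_name], url_host, https_host)
        alt, _ = san_aware_check(CERTS[cert_name], url_host)
        print(f"{cert_name:10} url_host={url_host:32} https_host={https_host!s:18} "
              f"CN-only={'ok  ' if ok else 'FAIL'} SAN-aware={'ok  ' if alt else 'FAIL'}  {why}")
```

Running the file prints the cases in the `__main__` block. The last multi_san case is the caveat worth carrying away from this thread: once https_host is supplied, the host in the URL no longer takes part in the name check, so any certificate chaining to a wallet-trusted CA whose CN is graph.windows.net is accepted regardless of which server answered. Take the value for https_host from the certificate the intended endpoint actually serves (Pavel's openssl s_client command does that), confirm the name belongs to the same operator as the endpoint, and treat the parameter as a deliberate loosening of hostname verification rather than a cosmetic setting.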
