Thanks for the question, Alain Delon.
Asked: May 25, 2023 - 8:30 pm UTC
Last updated: June 02, 2023 - 2:59 am UTC
Version: 19.17.0.0.0
Viewed 1000+ times
You Asked
Hello,
How to configure TLS for connections from Oracle database to another server (e.g. mailing server)?
We have an on premises SMTP email server to which the database pushes the emails to be sent out. All internal emails are working perfectly but external emails (e.g. to Gmail) are failing with ORA-29024: Certificate validation failure.
The TLS wallet has been created on the database server and the SMTP email server certificate (certificate are still valid) have been added to this wallet. The code has also been updated with wallet location and wallet password.
The mailing team confirmed they did not need our server certificate. At this point we are not sure what we are missing on our setting.
Please, we'll appreciate if you can point us to a documentation/video or provide us with advice on how to figure it out.
Thank you
and Connor said...
The TLS wallet has been created on the database server and the SMTP email server certificate (certificate are still valid) have been added to this wallet. The code has also been updated with wallet location and wallet password.
ORA-29024: Certificate validation failure, is unfortunately fairly generic being "Hey, something about using the certificate didn't work" - that could be we couldn't find it, we couldn't open it, it was not in the right format, wrong TLS level, etc etc...
A couple of things to check:
a) Make sure your server is accepting TLS 1.2
b) Make sure that the wallet includes only the signing certificates. Importing the last certificate from the certificate chain is useless anyway because during the SSL handshake Oracle checks whether the signing authority is known to it (that is, whether the certificate of the signing authority was imported into the wallet). The last certificate in the certificate chain is the user certificate, not a trusted certificate. This shouldn't be imported into the wallet as a trusted certificate.
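Both checks from the answer above can be run against the text that `openssl s_client -starttls smtp -showcerts` prints for the mail server. The following is an added example, not part of the original answer or of Oracle's tooling: the host name, CA names and sample output are constructed, and `wallet_plan` is a hypothetical helper that reports the negotiated protocol and which chain entries belong in the wallet as trusted certificates.

```python
import re

# Constructed sample: summary lines of `openssl s_client -starttls smtp -showcerts`
# output for a hypothetical relay; PEM bodies omitted.
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = smtp.example.com
   i:C = US, O = Example Trust, CN = Example Issuing CA
 1 s:C = US, O = Example Trust, CN = Example Issuing CA
   i:C = US, O = Example Trust, CN = Example Root CA
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
"""

def parse_chain(text):
    """Return [(depth, subject, issuer)] from the 'Certificate chain' summary."""
    chain, pending = [], None
    for line in text.splitlines():
        s = re.match(r"\s*(\d+) s:(.*)$", line)   # " 0 s:<subject>"
        i = re.match(r"\s+i:(.*)$", line)         # "   i:<issuer>"
        if s:
            pending = (int(s.group(1)), s.group(2).strip())
        elif i and pending:
            chain.append((pending[0], pending[1], i.group(1).strip()))
            pending = None
    return chain

def wallet_plan(text):
    """Split the presented chain into user certificate and signing certificates."""
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no certificate chain found in input")
    proto = re.search(r"Protocol\s*:\s*(\S+)", text)
    top_subject, top_issuer = chain[-1][1], chain[-1][2]
    return {
        "protocol": proto.group(1) if proto else None,        # check a)
        "skip": [subj for depth, subj, _ in chain if depth == 0],  # user cert
        "import_as_trusted": [subj for depth, subj, _ in chain if depth > 0],
        # Top of the sent chain is not self-signed: its issuer was not sent
        # by the server and has to be obtained from the CA separately.
        "fetch_from_ca": None if top_subject == top_issuer else top_issuer,
    }

if __name__ == "__main__":
    for key, value in wallet_plan(SAMPLE).items():
        print(f"{key}: {value}")
```

A non-empty `fetch_from_ca` means the server did not send the top signing certificate, so the wallet cannot be completed from the handshake output alone.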