Identifying which certificate is needed in order to perform https post using Oracle utl_http

Question

Short story
I'm trying to send a POST request from a PL/SQL script using the utl_http utility in Oracle. I've been able to send the request using http, but not https. I've added what I thought were the necessary certificates to an Oracle Wallet, and I believe they are being imported and used (but in all honesty, this is a little hard to verify). My current assumption is that calls from our DB server are passing through a proxy server, and that that is somehow messing up some part of the https / certificate functionality.

Supporting evidence (possibly?): I tried to make calls (POST requests) to a dummy service at webhook.site. Again, I got this working with http, but not https - the latter results in a cert validation error.

I then tried to replicate the behavior using postman, and that basically produces the same result, unless I fiddle around with the settings:

Initial Postman result:

> Could not get any response

> There was an error connecting to https://webhook.site/950...

Disabling SSL verification
Under the Postman settings, I turned off SSL Certificate Verification, and tried again. This time, I got a 200 OK response, and confirmed that the webhook received the post request fine.

It seems clear that the error is due to a missing cert, but I can't figure out which, or how to configure it. My assumption is that if I can get this to work for a webhook-url from Postman (without disabling cert verification), then I should also be able to get it to work from PL/SQL later.

When I look at the webhook site in a browser and inspect the certs, the webhook cert is the lowest cert (leaf node?). Above it there is one intermediate cert related to the company I'm working for, and then a root cert also related to the company. The root node is named something like "Company Proxy Server CA" - So I'm assuming the proxy somehow manipulates my requests and inserts its own cert here.

I've tried downloading all of these certs and importing them into my cert store, as well as importing them under the Postman settings (under Certificates) in various combinations, but nothing seems to make any difference; all attempts at posting with HTTPS produce the following error in my Postman Console:

> POST https://webhook.site/9505...

> Error: unable to verify the first certificate

Any ideas about how to resolve this, or at least obtain more information about what to do would be greatly appreciated.

Answer 1

Score: 1


Switching OFF "SSL Certificate Verification" in Postman only means that it (i.e. Postman) will not check the validity of SSL certificates while making a request. Meaning that it will just send the certificates as they are. Because your connection fails if the setting is ON, this means Postman cannot verify the validity of your certificates.

This is most likely the case with the actual service you're trying to POST to, they cannot verify the certificates. Is that service outside your company network? And is it a public one or one owned by your company? Where is that service hosted? What certificate do they need?

BTW, TLS client certificates are sent as part of establishing the SSL connection, not as part of the HTTP request. The TLS handshake (and exchange/validation of client and server certificates) happens before any HTTP message is sent.

I'm thinking this might be a blocked port issue.

Answer 2

Score: 1


You said: "'Company Proxy Server CA' - So I'm assuming the proxy somehow manipulates my requests and inserts its own cert here."

That means your client software needs your Company Proxy Server CA in its trusted certificates list. If that client's list is that of the oracle wallet...

https://knowledge.digicert.com/solution/SO979.html

This talks about how to do that.

Also, if your system running postman has a non-oracle based wallet trusted certificate (probably the operating system?) you'll have to execute something like adding the trust to your account on the workstation

https://www.thewindowsclub.com/manage-trusted-root-certificates-windows

in order to have the proxy server certificate trusted.

Once the certificate you're making the connection with has a root of trust per the effective configuration of the client being used, then you'll be able to verify the certificate.

Answer 3

Score: 1


A couple of possible issues:

  1. The server doesn't actually support HTTPS. Connect a browser to the URL that you POST to, and see if you receive a response. (It looks like you already did this, but I'm documenting it for completeness.)
  2. The server uses the Server Name Indication (SNI) extension to determine what certificate chain to send back, but your POSTing client doesn't send that extension. You can identify this case by looking up the IP for the host you're POSTing to, then going to https://nnn.nnn.nnn.nnn/ (obviously use the IP here, instead of the literal string 'nnn.nnn.nnn.nnn') in your browser, and checking the certificate chain it returns. If it is not the same as you get from step 1, this is your problem, and you need to figure out how to either get SNI support in your Oracle PL/SQL client or get the POST endpoint exposed on that hostname. (Alternatively, you might be able to use these certificates to prime your Oracle Wallet, but they might have an issue with the hostname in the certificate not matching the hostname you connect to.)
  3. You have a proxy in the way. I don't think this is what's going on, since that would basically only cause problems if you were doing client-side certificate authentication. (If this is the problem or is a condition, you need to import those certificates into your trusted wallet; you also need to ensure that the server you're posting from is going through the same proxy. Otherwise, you need to ensure that the certificate authority for the proxy that the machine actually running the code sees is in the wallet. This may require the assistance of the system/network administrators who run that machine and its connection to the network.)

HTTPS is a finicky beast. Many, many things must work exactly correctly for TLS connections to work and the certificates to correctly verify (the TLS port must respond, the client and server must agree to speak the same version of TLS, the client and server must agree to use the same cipher combination, the certificate chain presented by the server must be issued by a CA the client recognizes, and the leaf certificate in that chain must certify the name the client requested).

SNI is needed to support multiple names on a single host without messing with the certificates of other names on the same host. Unfortunately, SNI is one of those things that has been standardized for over a decade (RFC 3546), but much enterprise-grade software hasn't implemented it.
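As an added illustration of Answers 2 and 3 (this is not code from the original post, nor from Oracle or Postman): a simplified model of how an OpenSSL-based client such as Postman's Node runtime walks the presented chain to a trust anchor, and which certificate is missing in each case. Certificate names are constructed; signatures, hostnames and validity dates are not modelled.

```python
# Added example: models only subject/issuer linkage, the part of path building
# that decides between "unable to verify the first certificate" and its siblings.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equal to subject for a self-signed root

# Result strings as OpenSSL prints them (X509_V_ERR_* name in the comment).
OK = "ok"
ERR_LEAF = "unable to verify the first certificate"        # UNABLE_TO_VERIFY_LEAF_SIGNATURE
ERR_ISSUER = "unable to get local issuer certificate"      # UNABLE_TO_GET_ISSUER_CERT_LOCALLY
ERR_SELF0 = "self signed certificate"                      # DEPTH_ZERO_SELF_SIGNED_CERT
ERR_SELF = "self signed certificate in certificate chain"  # SELF_SIGNED_CERT_IN_CHAIN

def verify_path(presented, trusted):
    """presented: chain the peer sent, leaf first.  trusted: {subject: Cert}
    for the CA certificates in the client's store (Oracle wallet, OS store).
    Returns (result, subject that would have to be added to the store)."""
    sent = {c.subject: c for c in presented}
    cur, depth = presented[0], 0
    while True:
        self_signed = cur.issuer == cur.subject
        if self_signed and cur.subject in trusted:   # trust anchor reached
            return OK, None
        if self_signed:                               # root nobody trusts
            return (ERR_SELF if depth else ERR_SELF0), cur.subject
        nxt = trusted.get(cur.issuer) or sent.get(cur.issuer)
        if nxt is None:                               # issuer neither in store nor sent
            return (ERR_LEAF if depth == 0 else ERR_ISSUER), cur.issuer
        cur, depth = nxt, depth + 1

# Constructed chain resembling the question: an intercepting proxy re-issues
# the webhook.site certificate under the company's intermediate and root CA.
LEAF = Cert("CN=webhook.site", "CN=Company Intermediate CA")
INTER = Cert("CN=Company Intermediate CA", "CN=Company Proxy Server CA")
ROOT = Cert("CN=Company Proxy Server CA", "CN=Company Proxy Server CA")
PUBLIC_ROOT = Cert("CN=Some Public Root CA", "CN=Some Public Root CA")

def store(*extra):
    """A stock trust store (public roots only) plus any imported certificates."""
    return {c.subject: c for c in (PUBLIC_ROOT, *extra)}

def scenarios():
    """What the client reports for each combination of sent chain and store."""
    return {
        "leaf only, stock store": verify_path([LEAF], store()),
        "leaf+intermediate, stock store": verify_path([LEAF, INTER], store()),
        "full chain, stock store": verify_path([LEAF, INTER, ROOT], store()),
        "leaf only, proxy root imported": verify_path([LEAF], store(ROOT)),
        "leaf only, root and intermediate imported": verify_path([LEAF], store(ROOT, INTER)),
        "full chain, proxy root imported": verify_path([LEAF, INTER, ROOT], store(ROOT)),
    }
```

The "leaf only" rows show why importing just the proxy root can still leave the asker's exact Postman error: when the proxy sends the leaf alone, the intermediate must also be in the store (or wallet) for the path to complete.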

huangapple
  • Posted on 2020-01-03 22:02:35
  • Original link: https://go.coder-hub.com/59579902.html