APEX on a 12.2 DB Configuring an Email Server with SSL/TLS gets ORA-24263: Certificate Of The Remote Server Does Not Match The Target
Oracle Database – Enterprise Edition – Version 220.127.116.11 and later
Oracle Application Express (APEX) – Version 5.0 to 5.1.4.00.08 [Release 5]
Information in this document applies to any platform.
APEX 5.x on 12.2.x database.
When attempting to configure an email server with SSL/TLS (e.g. Office365) in the APEX instance settings, the following error occurs:
ORA-24263: Certificate of the remote server does not match the target
Steps to Reproduce
The issue can be reproduced at will with the following steps:
1. Configure Email in the APEX instance settings with the following options (Office365 is used as the sample, but it could be any other mail server):
SMTP Host Address: smtp.office365.com
SMTP Host Port: 587
SMTP Authentication Username: firstname.lastname@example.org
SMTP Authentication Password: Password for email@example.com
Use SSL/TLS: After connection is established (you have to use this option, not "Yes")
Default Email From Address: firstname.lastname@example.org
2. Send an email from inside APEX and the error appears.
Upgraded to or configured a new installation of APEX 5.x on a 12.2 database.
When making a secured connection or request via UTL_TCP, UTL_SMTP or UTL_HTTP, the 12.2 database now verifies the digital certificate of the remote server and raises ORA-24263 if the server address in the common name (CN) attribute of the certificate does not match the requested connection or URL.
When the address in the certificate is expected to be different (for example, when accessing the server by IP address), the caller can provide the expected address or domain name to match via an additional parameter when making the connection or request.
APEX does not include a parameter for this new setting required by a 12.2 database. The following internal bug was filed on this issue:
Bug 27590117 – APEX DOES NOT SUPPORT SNI FOR INSTANCE MAILSERVER CONFIGURED WITH SSL/TLS
More details about the new security feature are described in Note 2275666.1 – UTL_HTTP / UTL_SMTP Request Fail With ORA-24263 On A 12.2 Database.
Until the production fix is available, the following solution exists:
A) Upgrade to APEX 5.1.4 if using a lower version
B) Apply the Patch Set Exception for Bug 27590117 – APEX DOES NOT SUPPORT SNI FOR INSTANCE MAILSERVER CONFIGURED WITH SSL/TLS
1. Download the patch 27590117 from MOS.
2. Read the README.
3. Apply the patch according to the README instructions.
4. Set the APEX instance parameter SMTP_SECURE_HOST in order to use SNI for the mail server:
5. Re-test the configuration of your email server by sending an email from within APEX.
The request is now successful.
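The certificate check described above can be exercised directly with UTL_SMTP, outside APEX, before setting the instance parameter from step 4. This is an added example, not taken from the Oracle note or the patch README; the wallet path and password, the EHLO domain, and the use of the SMTP host name as the expected certificate name are assumptions to be replaced with your own values.

```sql
-- Added example (SQL*Plus). Assumes a network ACL for the mail host and a
-- wallet holding the mail server's trusted root certificates.
set serveroutput on
declare
  l_host     constant varchar2(255) := 'smtp.office365.com';  -- sample host from the note
  l_port     constant pls_integer   := 587;
  -- Assumption: the name the certificate is expected to present. Replace it
  -- with the name or domain pattern that matches your server's certificate.
  l_expected constant varchar2(255) := 'smtp.office365.com';
  l_conn     utl_smtp.connection;

  procedure try_starttls(p_secure_host in varchar2) is
  begin
    l_conn := utl_smtp.open_connection(
                host            => l_host,
                port            => l_port,
                wallet_path     => 'file:/path/to/wallet',     -- placeholder
                wallet_password => 'WALLET_PASSWORD');         -- placeholder
    utl_smtp.ehlo(l_conn, 'client.example.com');               -- placeholder domain
    -- STARTTLS corresponds to "After connection is established" in APEX.
    -- secure_host is the 12.2 parameter naming what the certificate must match;
    -- when it is NULL the database matches against the host connected to.
    utl_smtp.starttls(l_conn, secure_host => p_secure_host);
    dbms_output.put_line('secure_host=' || nvl(p_secure_host, '(null)') || ' -> TLS established');
    utl_smtp.quit(l_conn);
  exception
    when others then
      -- ORA-24263 here means the certificate name did not match the target.
      dbms_output.put_line('secure_host=' || nvl(p_secure_host, '(null)') || ' -> ' || sqlerrm);
      begin
        utl_smtp.close_connection(l_conn);
      exception
        when others then null;  -- connection may never have been opened
      end;
  end try_starttls;
begin
  try_starttls(null);        -- default matching, no expected name supplied
  try_starttls(l_expected);  -- expected name supplied by the caller
end;
/

-- Step 4, after patch 27590117 is applied. Run as a user allowed to call
-- APEX_INSTANCE_ADMIN; the value is the assumed expected name from above.
begin
  apex_instance_admin.set_parameter('SMTP_SECURE_HOST', 'smtp.office365.com');
  commit;
  dbms_output.put_line(apex_instance_admin.get_parameter('SMTP_SECURE_HOST'));
end;
/
```

If the first block reports a wallet or certificate-validation error rather than ORA-24263, the problem is the trust chain in the wallet, not the name match, and setting SMTP_SECURE_HOST will not resolve it.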