
APEX on a 12.2 DB Configuring an Email Server with SSL/TLS gets ORA-24263: Certificate Of The Remote Server Does Not Match The Target

APPLIES TO:

Oracle Database – Enterprise Edition – Version 12.2.0.1 and later
Oracle Application Express (APEX) – Version 5.0 to 5.1.4.00.08 [Release 5]
Information in this document applies to any platform.

SYMPTOMS

APEX 5.x on a 12.2.x database.

When attempting to configure an email server with SSL/TLS (e.g. Office365) in the APEX instance settings, the following error occurs:

ORA-24263: Certificate of the remote server does not match the target

Steps to Reproduce
The issue can be reproduced at will with the following steps:

1. Configure Email in the APEX instance with the following options (Office365 is used as the sample, but it could be any other mail server):

SMTP Host Address: smtp.office365.com
SMTP Host Port: 587
SMTP Authentication Username: x@x.com
SMTP Authentication Password: Password for x@x.com
Use SSL/TLS: After connection is established   <<< You have to use this option (not YES)
Default Email From Address: x@x.com


2. Send an email from inside APEX and the error appears.

CHANGES

Upgraded to or configured a new installation of APEX 5.x on a 12.2 database.

CAUSE

When making a secured connection or request via UTL_TCP, UTL_SMTP or UTL_HTTP, the 12.2 database now verifies the digital certificate of the remote server. It raises the following error if the server address in the common name (CN) attribute of the certificate does not match the requested connection or URL.

ORA-24263: Certificate of the remote server does not match the target address.

When the address in the certificate is expected to be different (for example, when accessing the server by IP address), the caller can provide the expected address or domain name to match via an additional parameter when making the connection or request.

APEX does not include a parameter for this new setting required by a 12.2 database. The following internal bug was filed on this issue:
Bug 27590117 – APEX DOES NOT SUPPORT SNI FOR INSTANCE MAILSERVER CONFIGURED WITH SSL/TLS
More details about the new security feature are described in Note 2275666.1 – UTL_HTTP / UTL_SMTP Request Fail With ORA-24263 On A 12.2 Database.
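
The check described above can be exercised outside APEX. This is an added diagnostic, not part of the original note or of the patch: it attempts the STARTTLS handshake directly through UTL_SMTP, once with the default match against the host name and once with an explicit secure_host, and reports which attempt passes the certificate check. The wallet path, wallet password, EHLO domain and {server-hostname} are placeholders, and it assumes the calling schema has a network ACL for the mail host.

```plsql
-- Added example: run in SQL*Plus or SQLcl on a 12.2 database.
SET SERVEROUTPUT ON
DECLARE
  l_host CONSTANT VARCHAR2(255) := 'smtp.office365.com';  -- host from the steps above
  l_port CONSTANT PLS_INTEGER   := 587;
  l_conn UTL_SMTP.CONNECTION;

  -- Open a plain SMTP session, upgrade it with STARTTLS and report the result.
  -- p_secure_host => NULL makes the database match the certificate against l_host.
  PROCEDURE try_starttls (p_secure_host IN VARCHAR2) IS
  BEGIN
    l_conn := UTL_SMTP.OPEN_CONNECTION(
                host                          => l_host,
                port                          => l_port,
                wallet_path                   => 'file:/path/to/wallet',  -- placeholder
                wallet_password               => '{wallet-password}',     -- placeholder
                secure_connection_before_smtp => FALSE,  -- "After connection is established"
                secure_host                   => p_secure_host);
    UTL_SMTP.EHLO(l_conn, 'client.example.com');          -- placeholder domain
    UTL_SMTP.STARTTLS(l_conn);  -- certificate name check happens here (ORA-24263 on mismatch)
    DBMS_OUTPUT.PUT_LINE('OK   secure_host=' || NVL(p_secure_host, '(default: host)'));
    UTL_SMTP.QUIT(l_conn);
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('FAIL secure_host=' || NVL(p_secure_host, '(default: host)')
                           || ' -> ' || SQLERRM);
      -- Best-effort cleanup; the connection may never have been opened.
      BEGIN
        UTL_SMTP.QUIT(l_conn);
      EXCEPTION
        WHEN OTHERS THEN NULL;
      END;
  END try_starttls;
BEGIN
  try_starttls(NULL);                 -- what APEX does without SMTP_SECURE_HOST
  try_starttls('{server-hostname}');  -- candidate value for SMTP_SECURE_HOST
END;
/
```

A secure_host value that prints OK here is the one to use for SMTP_SECURE_HOST once the patch is applied.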

SOLUTION

Until the production fix is available, the following solution exists:

A) Upgrade to APEX 5.1.4 if using a lower version


B) Apply the Patch Set Exception for Bug 27590117 – APEX DOES NOT SUPPORT SNI FOR INSTANCE MAILSERVER CONFIGURED WITH SSL/TLS
1. Download patch 27590117 from MOS.

2. Read the README.

3. Apply the patch according to the README instructions.

4. Set the APEX instance parameter SMTP_SECURE_HOST to use SNI for the mail server:

ALTER SESSION SET current_schema = APEX_050100;   -- APEX_050100 represents the current APEX schema
EXEC APEX_INSTANCE_ADMIN.SET_PARAMETER('SMTP_SECURE_HOST', '{server-hostname}');
COMMIT;
Note that this requires database 12.2 or higher. On an 11.2 or 12.1 database, setting this instance parameter will have no effect.

5. Re-test the configuration of your email server by sending an email from within APEX.
The request is now successful.