  • TLS 1.2 or 1.3 authentication on Oracle Server/Client

Question and Answer

Connor McDonald

Thanks for the question, thamburaan.

Asked: December 09, 2021 - 2:12 pm UTC

Last updated: December 13, 2021 - 2:42 am UTC

Version: 12C

Viewed 10K+ times.

You Asked

Hello,

We have had a vulnerability assessment done and found that we are prone to man-in-the-middle attacks as we were not using SSL/TLS. As part of mitigating this risk, I found Oracle does allow for encryption/integrity checks with authentication using SSL/TLS two-way authentication. We will most likely take the self-signed route as the environment is a LAN with no access to external networks.

My question is with regards to the version of TLS available for authentication between clients and servers. Under Net Manager, I found both 12C and 19C only support SSL 3.0 and TLS 1.0, which are both prone to man-in-the-middle attacks due to known vulnerabilities. I believe the industry standard at this point in time is TLS 1.3? How can we work around this, or do we simply accept this as a risk? Any thoughts on how experts on this forum have tackled this issue would be appreciated.

The issue we would like to steer away from is fixing the risk and having the pen testers come back to break into the system posing as a valid terminal to the server to hack it. This of course will be the case with SSL 3.0 or TLS 1.0?

and Chris said...

Where are you reading this?

19c SQLNET.ORA parameters docs say:

Usage Notes

Clients and database servers must use a compatible version. This parameter should only be used when absolutely necessary for backward compatibility. The current default uses TLS version 1.2 which is the version required for multiple security compliance requirements.

If you set SSL_VERSION to undetermined, then by default it uses 3.0.

Default

1.2


https://docs.oracle.com/en/database/oracle/oracle-database/19/netrf/parameters-for-the-sqlnet.ora.html#GUID-A2A81CEE-162D-4602-8315-990C8CC9E9E2

So while TLS 1.3 appears unsupported, you can certainly use TLS 1.2.

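The practical takeaway from the answer above is that SSL_VERSION in sqlnet.ora decides which protocol versions the Oracle Net TCPS endpoint will negotiate, and that an explicit `undetermined` falls back to SSL 3.0. The following audit script is an added example, not code from the thread or from Oracle; it parses a sqlnet.ora, expands SSL_VERSION into the versions it enables (including the combined `"1.2 or 1.1"` form 19c accepts), and flags anything below 1.2. The two sqlnet.ora samples embedded in it are constructed for the example, and the defaults it assumes are the 19c ones quoted in the answer (1.2 when the parameter is absent, 3.0 for `undetermined`); on 12.1 the absent-parameter case is not safe to assume.

```python
"""Audit an Oracle sqlnet.ora for a weak SSL_VERSION setting.

Added example (not from the Ask TOM thread or from Oracle). Assumes the 19c
semantics quoted in the answer: SSL_VERSION defaults to 1.2 when absent and an
explicit `undetermined` means 3.0. Both sqlnet.ora samples are constructed.
"""
import re
from typing import Dict, List

WEAK_VERSIONS = {"3.0", "1.0", "1.1"}   # anything below TLS 1.2 is a finding
DEFAULT_VERSION = "1.2"                  # 19c default when SSL_VERSION is absent
UNDETERMINED_FALLBACK = "3.0"            # what an explicit `undetermined` becomes

# Constructed sample: the kind of setting Net Manager's drop-down produces.
WEAK_SQLNET_ORA = """
# sqlnet.ora written by Net Manager (constructed sample)
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
"""

# Constructed sample: what the thread settles on, TLS 1.2 only, mutual auth kept.
HARDENED_SQLNET_ORA = """
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
"""

_PARAM_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(.*?)\s*$")


def parse_sqlnet_ora(text: str) -> Dict[str, str]:
    """Return top-level PARAM = VALUE pairs; '#' comments and blank lines skipped.

    Nested (SOURCE = ...) bodies are kept as raw strings; only scalars matter here.
    """
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _PARAM_RE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip().strip('"')
    return params


def effective_ssl_versions(params: Dict[str, str]) -> List[str]:
    """Expand SSL_VERSION into the list of protocol versions it enables."""
    raw = params.get("SSL_VERSION")
    if raw is None:
        return [DEFAULT_VERSION]
    if raw.lower() == "undetermined":
        return [UNDETERMINED_FALLBACK]
    # 19c accepts combined forms such as "1.2 or 1.1"; split them out.
    return [v.strip() for v in re.split(r"\s+or\s+", raw, flags=re.I)]


def audit_ssl_version(text: str) -> List[str]:
    """Return human-readable findings; an empty list means TLS 1.2 only, set explicitly."""
    params = parse_sqlnet_ora(text)
    findings: List[str] = []
    if "SSL_VERSION" not in params:
        # Relying on the release default is fragile: 19c defaults to 1.2, 12.1 does not.
        findings.append("SSL_VERSION not set; set SSL_VERSION = 1.2 explicitly")
    for v in effective_ssl_versions(params):
        if v in WEAK_VERSIONS:
            findings.append(f"SSL_VERSION allows {v}; set SSL_VERSION = 1.2")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        print(label, audit_ssl_version(conf) or ["OK: TLS 1.2 only"])
```

Run it against the server's and each client's sqlnet.ora, since both sides must agree on a version. To confirm the listener's behaviour rather than the file, a connection attempt with `openssl s_client -connect <host>:<tcps-port> -tls1` should be refused while the same command with `-tls1_2` completes the handshake.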
Comments

Thanks for your answer Chris

A reader, December 10, 2021 - 9:33 pm UTC

My initial question was based on what I've seen under the Net Manager tool under the "Network Security" tab: the drop-down only allowed for SSL 3.0 and TLS 1.0. The other thing I just noticed is that we are running Oracle 12.1, and the Oracle Docs on this don't seem to list anything above SSL 3.0? Please find the link below.

https://docs.oracle.com/database/121/NETRF/sqlnet.htm#NETRF235

However, 12.2 and 19C, like you posted, seem to allow TLS 1.2 by default. I would like the server and client to communicate over TLS 1.2 only at all times. So I guess I simply specify the parameter SSL_VERSION = 1.2 in the sqlnet.ora file?

Connor McDonald
December 13, 2021 - 2:42 am UTC

That is my understanding.