11.2.0.4 client fails to establish secure connection (TLS 1.2) to Oracle 12.1 server

AkshayHB
AkshayHB Member Posts: 3 Green Ribbon
edited Jun 8, 2022 9:49AM in Database Security - General

Hi All,

We have Oracle client 11.2.0.4 installed on our Solaris 10 machine and we were able to successfully establish a secure connection (with SSL_VERSION set to 1.0, i.e., TLS 1.0) to a 12cR1 server.

A couple of days ago, the DBAs updated the configuration to support TLS 1.2 alone, and since then the client connection has been failing.

This thread talks about the workaround (not defining the SSL_VERSION parameter in sqlnet.ora), but this isn't working either.

Does this mean a secure connection (TLS 1.2) using an 11.2.0.4 client to 12cR1 isn't possible?

Thanks and Regards

Akshay
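
As an added example (not from the thread and not Oracle code): a small Python check of a client's sqlnet.ora that tells apart the three configurations the question touches on, SSL_VERSION pinned below 1.2, SSL_VERSION left undefined (the workaround mentioned), and a setting that names 1.2. The value syntax it handles (a single version, `0`/`undetermined`, or versions joined by `or`) is an assumption about the file, the sample files are constructed, and the result says nothing about whether the installed client binaries implement TLS 1.2.

```python
import re

# Matches "SSL_VERSION = <value>" on one line; parameter names are
# treated as case-insensitive (assumption for this example).
_PARAM = re.compile(r"^\s*SSL_VERSION\s*=\s*(.*?)\s*$", re.IGNORECASE)

def ssl_versions(sqlnet_text):
    """Return the set of versions named by SSL_VERSION, or None if unset."""
    found = None
    for line in sqlnet_text.splitlines():
        line = line.split("#", 1)[0]              # ignore comments
        m = _PARAM.match(line)
        if m:
            value = m.group(1).strip("()\"' ").lower()
            # "1.2 or 1.1" style lists are split into individual versions
            found = {v.strip() for v in re.split(r"\s+or\s+", value) if v.strip()}
    return found

def tls12_verdict(sqlnet_text):
    """Classify the client-side setting with respect to TLS 1.2."""
    versions = ssl_versions(sqlnet_text)
    if versions is None or versions <= {"0", "undetermined"}:
        return "unrestricted"     # version left to negotiation
    if "1.2" in versions:
        return "allows-1.2"
    return "blocks-1.2"           # pinned to older versions only

# Constructed sample files, not taken from the poster's machines.
PINNED_OLD = "SSL_VERSION = 1.0\nSSL_CLIENT_AUTHENTICATION = FALSE\n"
WORKAROUND = "# SSL_VERSION = 1.0\nSSL_CLIENT_AUTHENTICATION = FALSE\n"
EXPLICIT = "ssl_version = 1.2 or 1.1\n"

if __name__ == "__main__":
    for name, text in [("pinned", PINNED_OLD), ("workaround", WORKAROUND),
                       ("explicit", EXPLICIT)]:
        print(name, tls12_verdict(text))
```

An "unrestricted" or "allows-1.2" result only rules out the configuration file as the cause; the handshake can still fail if the client software itself cannot negotiate TLS 1.2.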

Answers

  • Jason_(A_Non)
    Jason_(A_Non) Member Posts: 2,106 Silver Trophy

    A good source of info is TLS 1.2 in Oracle Database and MES415 (Doc ID 2274242.1). In short, you need a minimum of 11.2.0.4 Oct 2018 DB PSU. The article mostly talks about allowing TLS 1.2 support for incoming connections to the DB, but I believe it also allows outgoing TLS 1.2 as well.

  • AkshayHB
    AkshayHB Member Posts: 3 Green Ribbon

    The DB version is 12c and the client version being used is 11.2.0.4 and we are making a native oracle connection (native DB drivers).

    Do you think any patch needs to be applied on my client machine to support TLS 1.2 connectivity?

  • Jason_(A_Non)
    Jason_(A_Non) Member Posts: 2,106 Silver Trophy

    I don't know what patch level your 11.2.0.4 DB is at, but I told you the minimum it needed to be at so that is up to you and the DBA(s) to determine whether patching needs to occur. Same for your 12.1 DB, you need 12.1.0.2 July 2018 DB PSU in order for your 12.1 DB to support TLS 1.2.

  • AkshayHB
    AkshayHB Member Posts: 3 Green Ribbon

    Sorry, not sure what the confusion is.

    DB is already on 12.1.0.2 and 11.2.0.4 is the client version.

    We have two client machines; on one of the client machines we have 12.1.0.2 oracle client installed and on another we have 11.2.0.4.

    I am able to establish a TLS 1.2 secure connection from the machine on which Oracle client 12.1.0.2 is installed, whereas from the machine where the 11.2.0.4 client is available, I am not able to.

    Does applying any patch (not on the DB server, but on the client machine) on the machine where the 11.2.0.4 Oracle client is installed help in establishing a TLS 1.2 secure connection, or are 12c and later the minimum client versions that support TLS 1.2?

  • Jason_(A_Non)
    Jason_(A_Non) Member Posts: 2,106 Silver Trophy

    I'm the source of the confusion. When you listed out 11.2.0.4, I was immediately thinking you had an 11.2.0.4 DB attempting to make a secure connection to an Oracle 12.1.x.x DB. That said, part of what I stated is still correct. In order for your Oracle DB to accept TLS 1.2 connections, the DB needs to be patched with 12.1.0.2 July 2018 DB PSU or later. As for the client, given the original Oracle 11.2.0.4 DB did not support TLS 1.2, I'm going to say any client install derived from it would not either. Given I'm not sure where your client came from, I'm now going to talk about Oracle's Instant Client https://www.oracle.com/database/technologies/instant-client/winx64-64-downloads.html (yes, a Windows link, but it's what I run). I'm not sure how to tell if Oracle's Instant Client supports TLS 1.2, so you might need to go with a more recent version such as 12.2, 18.5, or 19.5, since all are backwards compatible (in theory).