Re: sqlnet.ora Changes Causing Issues

From: Jon Crisler <joncrisler_at_gmail.com>
Date: Thu, 20 Oct 2022 15:02:36 -0400
Message-Id: <BB593D9F-6505-4D78-8D7E-34656CF331D5_at_gmail.com>



Your app is setting all the TNS params inside the app itself, ignoring the tnsnames.ora, sqlnet.ora, etc. Either you need more params inside the app to specify encrypt settings, or you have to add lower / less complex encryption options on the listener.ora on the db side. I think it tries the crypto methods from left to right in the file, so you could test it by changing the sqlnet.ora on the db side. There is also the possibility that your PHP variant has its own driver that only supports older crypto methods, so in addition to app side settings you may need to upgrade the driver on the app side. I ran into this a few times in Perl. Any change to sqlnet.ora on the db side will be picked up the next time a connection is attempted, so no need to bounce the listener.

Sent from my Atari 2600

> On Oct 20, 2022, at 8:58 AM, pier paolo Bruno <pbrunoster_at_gmail.com> wrote:
> 
> 
> Not sure, but from the Oracle doc:
> "The server searches for a match between the algorithms available on both the client and the server, and picks the first algorithm in its own list that also appears in the client list. If one side of the connection does not specify an algorithm list, all the algorithms installed on that side are acceptable. The connection fails with error message ORA-12650 if either side specifies an algorithm that is not installed."
> Are you sure your oci_module for connecting in PHP to Oracle has been built with support for the algorithm you are asking for? If you run a test with the encryption required and not requested, does it work?
> 
> 

>> On Thu, 20 Oct 2022 at 14:46, Scott Canaan <srcdco_at_rit.edu> wrote:
>> We are in the process of tightening our security by changing the crypto_checksum_type from SHA1/MD5 to SHA512 and making that and encryption required in the sqlnet.ora. In one application, when we make this change on the database server, they get an ORA-12650 error, which states that there is no matching checksum between the client and server.
>>
>>
>>
>> On the app server (client), I can connect to the database via SQL*Plus, so the configuration works from a base install perspective. The vendor says that since we changed the environment, it’s our fault that their code no longer works. They sent me this piece of code:
>>
>>
>>
>> <?php
>>
>> return [
>>     'oracle' => [
>>         'driver' => 'oracle',
>>         'tns' => '(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = ' . env('ORCL_HOST') . ')(PORT = 1521))) (CONNECT_DATA = (SID = ' . env('ORCL_SERVICE_NAME') . ')))',
>>         // 'host' => env('ORCL_HOST', ''),
>>         // 'port' => env('ORCL_PORT', '1521'),
>>         'database' => env('ORCL_DATABASE', ''),
>>         'username' => env('ORCL_USERNAME', ''),
>>         'password' => env('ORCL_PASSWORD', ''),
>>         'charset' => env('ORCL_CHARSET', 'AL32UTF8'),
>>         'prefix' => env('ORCL_PREFIX', ''),
>>         // 'service_name' => env('ORCL_SERVICE_NAME', ''),
>>     ],
>> ];
>>
>>
>> Is there anything that can be added to this to support using encryption and SHA512 for crypto_checksumming?
>>
>>
>>
>> Scott Canaan ‘88
>> Sr Database Administrator
>> Information & Technology Services
>> Finance & Administration
>>
>> Rochester Institute of Technology
>> o: (585) 475-7886 | f: (585) 475-7520
>>
>> srcdco_at_rit.edu | c: (585) 339-8659
>>
--
http://www.freelists.org/webpage/oracle-l
Received on Thu Oct 20 2022 - 21:02:36 CEST
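
The selection rule quoted from the Oracle documentation in this thread, modelled in Python as an added illustration (not code from the thread and not Oracle's implementation). The function names and the installed-algorithm sets are constructed for the example; `LEGACY_CLIENT` is a hypothetical older driver, not a statement about any particular PHP or Perl build.

```python
# Added illustration: models the rule quoted above; not Oracle code.
# Algorithm sets are constructed; LEGACY_CLIENT is a hypothetical older driver.
SERVER_INSTALLED = ["SHA512", "SHA384", "SHA256", "SHA1", "MD5"]
CURRENT_CLIENT = ["SHA512", "SHA384", "SHA256", "SHA1", "MD5"]
LEGACY_CLIENT = ["SHA1", "MD5"]


class ORA12650(Exception):
    """No common encryption or data integrity algorithm."""


def effective_list(configured, installed, side):
    """Return the list one side offers, in preference order."""
    if not configured:
        # No list specified: everything installed on that side is acceptable.
        return list(installed)
    missing = [alg for alg in configured if alg not in installed]
    if missing:
        raise ORA12650(f"{side} specifies uninstalled algorithm(s): {missing}")
    return list(configured)


def negotiate(server_cfg, server_installed, client_cfg, client_installed):
    """Pick the first algorithm in the server's list that the client also offers."""
    server = effective_list(server_cfg, server_installed, "server")
    client = effective_list(client_cfg, client_installed, "client")
    for alg in server:  # the server's order decides, not the client's
        if alg in client:
            return alg
    raise ORA12650(f"no match: server={server} client={client}")


def outcome(server_cfg, client_cfg, client_installed):
    """Negotiation result as a string, for comparing scenarios side by side."""
    try:
        return negotiate(server_cfg, SERVER_INSTALLED, client_cfg, client_installed)
    except ORA12650:
        return "ORA-12650"


if __name__ == "__main__":
    scenarios = [
        ("before change, legacy driver", ["SHA1", "MD5"], None, LEGACY_CLIENT),
        ("SHA512 only, legacy driver", ["SHA512"], None, LEGACY_CLIENT),
        ("SHA512 then SHA1, legacy driver", ["SHA512", "SHA1"], None, LEGACY_CLIENT),
    ]
    for label, s_cfg, c_cfg, c_inst in scenarios:
        print(f"{label:34} -> {outcome(s_cfg, c_cfg, c_inst)}")
```

In this model a server list of `(SHA512, SHA1)` lets the legacy client connect, but it still negotiates SHA1, so the fallback entry only keeps the application running until its driver supports SHA512.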
