Since there is not much out there in the way of an easy guide to follow, in this activity we are going to configure an Oracle RAC cluster to allow TLS-encrypted connections.
Because the SCAN listeners redirect you to the local listeners on each server, we also need to set up the local listeners.
Here we are going to create self-signed certificates; we are not going to get a certificate signed by a CA, as that is not the goal here (you can search for how to do it if you need to).
This is the environment:
[oracle@RACnode1 ~]$ olsnodes
racnode1
racnode2
[oracle@RACnode1 ~]$
Scan:
[oracle@RACnode1 ~]$ grep -i racnode-scan /etc/hosts
192.168.24.41 racnode-scan.localdomain racnode-scan
192.168.24.42 racnode-scan.localdomain racnode-scan
192.168.24.43 racnode-scan.localdomain racnode-scan
Create wallet on SERVER:
[oracle@RACnode1 ~]$ mkdir -p /u01/app/oracle/wallet/tls
[oracle@RACnode1 ~]$ orapki wallet create -wallet "/u01/app/oracle/wallet/tls" -pwd WalletPasswd123 -auto_login
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[oracle@RACnode1 ~]$
[oracle@RACnode1 ~]$ orapki wallet add -wallet "/u01/app/oracle/wallet/tls" -pwd WalletPasswd123 -dn "CN=racnode-scan.localdomain" -keysize 1024 -self_signed -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[oracle@RACnode1 ~]$
[oracle@RACnode1 ~]$ orapki wallet display -wallet "/u01/app/oracle/wallet/tls" -pwd WalletPasswd123
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=racnode-scan.localdomain
Trusted Certificates:
Subject: CN=racnode-scan.localdomain
[oracle@RACnode1 ~]$
EXPORT CERTIFICATE:
[oracle@RACnode1 ~]$ orapki wallet export -wallet "/u01/app/oracle/wallet/tls" -pwd WalletPasswd123 -dn "CN=racnode-scan.localdomain" -cert /tmp/scan-certificate.crt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[oracle@RACnode1 ~]$
[oracle@RACnode1 ~]$ cat /tmp/scan-certificate.crt
[oracle@RACnode1 ~]$
Create wallet on CLIENT:
[oracle@dune ~]$ mkdir -p /u01/app/clientwallet/tls
[oracle@dune ~]$ orapki wallet create -wallet "/u01/app/clientwallet/tls" -pwd WalletPasswd123 -auto_login
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[oracle@dune ~]$
[oracle@dune ~]$ orapki wallet add -wallet "/u01/app/clientwallet/tls" -pwd WalletPasswd123 -dn "CN=dune" -keysize 1024 -self_signed -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[oracle@dune ~]$
[oracle@dune ~]$ orapki wallet display -wallet "/u01/app/clientwallet/tls" -pwd WalletPasswd123
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=dune
Trusted Certificates:
Subject: CN=dune
[oracle@dune ~]$
EXPORT CERTIFICATE:
[oracle@dune ~]$ orapki wallet export -wallet "/u01/app/clientwallet/tls" -pwd WalletPasswd123 -dn "CN=dune" -cert /tmp/client-certificate.crt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[oracle@dune ~]$
[oracle@dune ~]$ cat /tmp/client-certificate.crt
[oracle@dune ~]$
Now we need to exchange the certificates: load the client certificate into the server wallet as a trusted certificate, and the server certificate into the client wallet.
LOAD CLIENT CERTIFICATE ON SERVER WALLET:
[oracle@RACnode1 ~]$ scp -p dune:/tmp/client-certificate.crt /tmp
[oracle@RACnode1 ~]$ ls -tlr /tmp/client-certificate.crt
-rw-------. 1 oracle oinstall 618 Dec 14 21:06 /tmp/client-certificate.crt
[oracle@RACnode1 ~]$
[oracle@RACnode1 ~]$ orapki wallet add -wallet "/u01/app/oracle/wallet/tls" -pwd WalletPasswd123 -trusted_cert -cert /tmp/client-certificate.crt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[oracle@RACnode1 ~]$
[oracle@RACnode1 ~]$ orapki wallet display -wallet "/u01/app/oracle/wallet/tls" -pwd WalletPasswd123
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=racnode-scan.localdomain
Trusted Certificates:
Subject: CN=racnode-scan.localdomain
Subject: CN=dune
[oracle@RACnode1 ~]$
Copy wallet to second RAC node:
[oracle@RACnode2 ~]$ mkdir -p /u01/app/oracle/wallet/tls
[oracle@RACnode2 ~]$ scp -pr RACnode1:/u01/app/oracle/wallet/tls /u01/app/oracle/wallet/tls
ewallet.p12.lck 100% 0 0.0KB/s 00:00
ewallet.p12 100% 2992 1.6MB/s 00:00
cwallet.sso.lck 100% 0 0.0KB/s 00:00
cwallet.sso 100% 3037 1.9MB/s 00:00
[oracle@RACnode2 ~]$
LOAD SERVER CERTIFICATE ON CLIENT WALLET:
[oracle@dune ~]$ orapki wallet display -wallet "/u01/app/oracle/wallet/tls" -pwd WalletPasswd123 ^C
[oracle@dune ~]$ ls -tlr /tmp/scan-certificate.crt
-rw-------. 1 oracle oinstall 671 Dec 14 20:50 /tmp/scan-certificate.crt
[oracle@dune ~]$
[oracle@dune ~]$ orapki wallet add -wallet "/u01/app/clientwallet/tls" -pwd WalletPasswd123 -trusted_cert -cert /tmp/scan-certificate.crt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[oracle@dune ~]$
[oracle@dune ~]$ orapki wallet display -wallet "/u01/app/clientwallet/tls" -pwd WalletPasswd123
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=dune
Trusted Certificates:
Subject: CN=racnode-scan.localdomain
Subject: CN=dune
[oracle@dune ~]$
Update SQLNET.ORA on SERVER side (on both RAC servers):
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet/tls)
    )
  )
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
Update LISTENER.ORA (on both RAC servers):
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet/tls)
    )
  )
Update endpoints on both local and scan:
[oracle@RACnode1 ~]$ srvctl stop listener
[oracle@RACnode1 ~]$ srvctl modify listener -p TCP:1521/TCPS:2484
[oracle@RACnode1 ~]$ srvctl start listener
[oracle@RACnode1 ~]$ srvctl config listener
Name: LISTENER
Type: Database Listener
Network: 1, Owner: oracle
Home: <CRS home>
End points: TCP:1521/TCPS:2484
Listener is enabled.
Listener is individually enabled on nodes:
Listener is individually disabled on nodes:
[oracle@RACnode1 ~]$
[oracle@RACnode1 ~]$ srvctl stop scan_listener
[oracle@RACnode1 ~]$ srvctl stop scan
[oracle@RACnode1 ~]$ srvctl modify scan_listener -p TCP:1521/TCPS:2484
[oracle@RACnode1 ~]$ srvctl start scan
[oracle@RACnode1 ~]$ srvctl start scan_listener
[oracle@RACnode1 ~]$ srvctl config scan_listener
SCAN Listeners for network 1:
Registration invited nodes:
Registration invited subnets:
Endpoints: TCP:1521/TCPS:2484
SCAN Listener LISTENER_SCAN1 exists
SCAN Listener is enabled.
SCAN Listener LISTENER_SCAN2 exists
SCAN Listener is enabled.
SCAN Listener LISTENER_SCAN3 exists
SCAN Listener is enabled.
[oracle@RACnode1 ~]$
Validate listeners are listening on new port:
[oracle@RACnode1 ~]$ lsnrctl status | grep -i host
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.24.31)(PORT=2484)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.24.1)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.24.31)(PORT=1521)))
[oracle@RACnode1 ~]$
[oracle@RACnode1 ~]$ lsnrctl status LISTENER_SCAN1 | grep -i host
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.24.41)(PORT=2484)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.24.41)(PORT=1521)))
[oracle@RACnode1 ~]$
[oracle@RACnode2 ~]$ lsnrctl status | grep -i host
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.24.32)(PORT=2484)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.24.2)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.24.32)(PORT=1521)))
[oracle@RACnode2 ~]$
[oracle@RACnode2 ~]$ lsnrctl status LISTENER_SCAN2 | grep -i host
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.24.42)(PORT=2484)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.24.42)(PORT=1521)))
[oracle@RACnode2 ~]$
Add TNS entries on the client side:
test19c_ssl_node1=
  (DESCRIPTION=
    (ADDRESS=
      (PROTOCOL=TCPS)
      (HOST=RACnode1)
      (PORT=2484)
    )
    (CONNECT_DATA=
      (SERVER=dedicated)
      (SERVICE_NAME=test19c_pdb1)
    )
  )
test19c_ssl_node2=
  (DESCRIPTION=
    (ADDRESS=
      (PROTOCOL=TCPS)
      (HOST=RACnode2)
      (PORT=2484)
    )
    (CONNECT_DATA=
      (SERVER=dedicated)
      (SERVICE_NAME=test19c_pdb1)
    )
  )
test19c_ssl_scan=
  (DESCRIPTION=
    (ADDRESS=
      (PROTOCOL=TCPS)
      (HOST=racnode-scan)
      (PORT=2484)
    )
    (CONNECT_DATA=
      (SERVER=dedicated)
      (SERVICE_NAME=test19c_pdb1)
    )
  )
Update REMOTE_LISTENER to allow registration on 2484:
SQL> show parameter remote_listener
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_listener                      string      RACnode-scan:1521
SQL> alter system set remote_listener = "RACnode-scan:1521","RACnode-scan:2484";
SQL> ALTER SYSTEM REGISTER;
SQL> show parameter remote_listener
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_listener                      string      RACnode-scan:1521, RACnode-scan:2484
Check that the services are actually registered and READY (not BLOCKED) on the SCAN listeners:
[oracle@RACnode1 ~]$ lsnrctl services LISTENER_SCAN1
....
Service "test19c_pdb1" has 2 instance(s).
Instance "test19c1", status READY, has 2 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0 state:ready
REMOTE SERVER
(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.24.31)(PORT=1521))
"DEDICATED" established:0 refused:0 state:ready
REMOTE SERVER
(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.24.31)(PORT=2484))
Instance "test19c2", status READY, has 2 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0 state:ready
REMOTE SERVER
(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.24.32)(PORT=1521))
"DEDICATED" established:0 refused:0 state:ready
REMOTE SERVER
(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.24.32)(PORT=2484))
* As an example of a problem on the SCAN:
[oracle@RACnode1 ~]$ lsnrctl services LISTENER_SCAN1
.....
Service "test19c_pdb1" has 2 instance(s).
Instance "test19c1", status READY, has 2 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0 state:ready
REMOTE SERVER
(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.24.31)(PORT=1521))
"DEDICATED" established:0 refused:0 state:ready
REMOTE SERVER
(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.24.31)(PORT=2484))
Instance "test19c2", status READY, has 2 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0 state:ready
REMOTE SERVER
(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.24.32)(PORT=1521))
"DEDICATED" established:0 refused:0 state:blocked
REMOTE SERVER
(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.24.32)(PORT=2484)) <<---- instance 2 in BLOCKED!
The command completed successfully
[oracle@RACnode1 ~]$
** This was because not all wallet files had been copied to the second node.
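Spotting a single BLOCKED handler by eye works for one SCAN listener; the following added example (not from the original post) parses `lsnrctl services` output and reports every instance that lacks a READY TCPS handler on port 2484, which is exactly the condition behind the failure above. The sample text is constructed from the output shown above (the REMOTE SERVER lines are trimmed; the parser ignores them anyway), and the function names are my own.

```python
# Added example (not from the original post): parse `lsnrctl services` output
# and flag instances whose TCPS handler on the SCAN listener is not READY.
import re
from collections import defaultdict

# Constructed sample mirroring the BLOCKED case above (wallet missing on node 2).
SAMPLE = """\
Service "test19c_pdb1" has 2 instance(s).
  Instance "test19c1", status READY, has 2 handler(s) for this service...
      "DEDICATED" established:0 refused:0 state:ready
         (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.24.31)(PORT=1521))
      "DEDICATED" established:0 refused:0 state:ready
         (ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.24.31)(PORT=2484))
  Instance "test19c2", status READY, has 2 handler(s) for this service...
      "DEDICATED" established:0 refused:0 state:ready
         (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.24.32)(PORT=1521))
      "DEDICATED" established:0 refused:0 state:blocked
         (ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.24.32)(PORT=2484))
"""
SERVICE_RE = re.compile(r'^Service "([^"]+)"')
INSTANCE_RE = re.compile(r'^\s*Instance "([^"]+)", status (\w+)')
HANDLER_RE = re.compile(r'^\s*"(\w+)" established:\d+ refused:\d+ state:(\w+)')
ADDRESS_RE = re.compile(r'\(PROTOCOL=(\w+)\)\(HOST=([^)]+)\)\(PORT=(\d+)\)')

def parse_services(text):
    """Return {(service, instance): [(protocol, host, port, state), ...]}."""
    handlers = defaultdict(list)
    service = instance = state = None
    for line in text.splitlines():
        if m := SERVICE_RE.match(line):
            service = m.group(1)
        elif m := INSTANCE_RE.match(line):
            instance = m.group(1)
        elif m := HANDLER_RE.match(line):
            state = m.group(2).lower()  # state line precedes the handler's ADDRESS
        elif (m := ADDRESS_RE.search(line)) and service and instance:
            handlers[(service, instance)].append(
                (m.group(1).upper(), m.group(2), int(m.group(3)), state))
    return dict(handlers)

def tcps_problems(text, port=2484):
    """(service, instance, reason) for each instance lacking a READY TCPS handler."""
    problems = []
    for (svc, inst), hs in parse_services(text).items():
        tcps = [h for h in hs if h[0] == "TCPS" and h[2] == port]
        if not tcps:
            problems.append((svc, inst, "no TCPS handler registered"))
        problems += [(svc, inst, f"TCPS handler on {h[1]} is {h[3]}")
                     for h in tcps if h[3] != "ready"]
    return problems

if __name__ == "__main__":
    for svc, inst, why in tcps_problems(SAMPLE):
        print(f"{svc}/{inst}: {why}")
```

On a real node, feed it the saved output of `lsnrctl services LISTENER_SCANn` instead of SAMPLE; an empty result means every instance registered a READY TCPS handler on that SCAN listener.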
Now try to connect:
[oracle@dune ~]$ sqlplus TEST_TLS/TEST_TLS@test19c_ssl_scan
SQL*Plus: Release 19.0.0.0.0 - Production on Mon Dec 15 08:03:38 2025
Version 19.26.0.0.0
Copyright (c) 1982, 2024, Oracle. All rights reserved.
Last Successful login time: Mon Dec 15 2025 08:03:12 +00:00
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL>
SQL> SELECT sys_context('USERENV', 'NETWORK_PROTOCOL') as network_protocol FROM dual;
NETWORK_PROTOCOL
--------------------------------------------------------------------------------
tcps
Now let's see how Wireshark sees the packets:
[root@RACnode1 ~]# yum install -y wireshark
[root@RACnode1 ~]# tshark -i any -d "tcp.port==2484,ssl" -V -a duration:5 2> /dev/null | egrep "Cipher Suites \(|Cipher Suite:|^ Version: |SSL Record Layer: Handshake Protocol: Client Hello|Handshake Protocol: Server Hello|Record Layer"| uniq | sed -e "s/(0x.*)//g" -e "s/.*SSL Record Layer: Handshake Protocol: Client Hello/Client requested:/g" -e "s/.*Version:/ Protocol Version:/g" -e "s/.*Cipher Suites / Cipher Suites Requested:/g" -e "s/.*Handshake Protocol: Server Hello/Server replied with:/g" |egrep -v "Server replied with: Done" &
Connect from client using 2484:
[oracle@dune ~]$ sqlplus TEST_TLS/TEST_TLS@test19c_ssl_node1
SQL*Plus: Release 19.0.0.0.0 - Production on Mon Dec 15 10:10:31 2025
Version 19.26.0.0.0
Copyright (c) 1982, 2024, Oracle. All rights reserved.
Last Successful login time: Mon Dec 15 2025 10:04:06 +00:00
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL>
Now on the server side, the terminal will show this:
[root@RACnode1 ~]# Client requested:
Protocol Version: TLS 1.2
Cipher Suites Requested:(3 suites)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Server replied with:
Server replied with:
Protocol Version: TLS 1.2
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.2 Record Layer: Handshake Protocol: Certificate
TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
TLSv1.2 Record Layer: Application Data Protocol: Application Data
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Protocol Version: TLS 1.2
Cipher Suites Requested:(3 suites)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Server replied with:
Server replied with:
Protocol Version: TLS 1.2
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.2 Record Layer: Handshake Protocol: Certificate
TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
TLSv1.2 Record Layer: Application Data Protocol: Application Data
Now, let's change SSL_CIPHER_SUITES on the SERVER side so that it does NOT match what the client is requesting:
[oracle@RACnode1 admin]$ grep SSL_CIPHER_SUITES sqlnet.ora
#SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SSL_CIPHER_SUITES = (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
[oracle@RACnode1 admin]$
Try to connect and look at the capture:
[oracle@dune ~]$ sqlplus TEST_TLS/TEST_TLS@test19c_ssl_node1
SQL*Plus: Release 19.0.0.0.0 - Production on Mon Dec 15 10:22:42 2025
Version 19.26.0.0.0
Copyright (c) 1982, 2024, Oracle. All rights reserved.
ERROR:
ORA-28860: Fatal SSL error
Enter user-name:
We can see the failure on the capture now:
[root@RACnode1 ~]# Client requested:
Protocol Version: TLS 1.2
Cipher Suites Requested:(3 suites)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Server replied with:
Server replied with:
Protocol Version: TLS 1.2
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.2 Record Layer: Handshake Protocol: Certificate
TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
TLSv1.2 Record Layer: Application Data Protocol: Application Data
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Protocol Version: TLS 1.2
Cipher Suites Requested:(3 suites)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
That's it! Test done.