Oracle JDBC Driver Does Not Allow TLS 1.2 On LDAPS Connection (Doc ID 2447000.1)

Last updated on JANUARY 04, 2023

Applies to:

Symptoms

LDAPS is being used with JDBC 12.1.0.2 thin driver. URL format : (jdbc:oracle:thin:@ldaps://<LDAP HOSTNAME>:<LDAP SSL PORT>/<DATABASE SERVICE NAME>,<LDAP CONTEXT>).

Configuration is done with:

    oracle.net.ssl_cipher_suites=(TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV).

However, the JDBC driver is ignoring this configuration and is trying to connect with default one as shown below: 

            TLS_DHanon_WITH_3DES_EDE_CC_SHA 

Connection using JDBC thin driver with TLS 1.2 works successfully, but fails with LDAPS protocol with the following observations:

-              default JVM cacerts truststore gets loaded (ignores javax.net.ssl.trustStore) 
-              JDBC client connects using SSLv2' instead of TLS 1.2 (ignores oracle.net.ssl_version) 
-              JDBC client only offers cipher suite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA  (ignores oracle.net.ssl_cipher_suites) 

This is observed when looking at the network activity using WireShark, where it is seen that the LDAPS connection is not established using the security settings configured using the JDBC properties (TLS 1.2 + AES/CGM cipher).
The TCPS connection itself is established as expected.

JDBC connection may fail with exception:

java.lang.NullPointerException
at oracle.net.jndi.JndiAttrs.getAttrs(JndiAttrs.java:215)
at oracle.net.resolver.AddrResolution.<init>(AddrResolution.java:238)
at oracle.net.ns.NSProtocol.connect(NSProtocol.java:234)
at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1481)

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.