Prevent auto security injection on TCPS URLs #623
Merged
Issue

The Oracle Thin driver automatically enforces an unwanted security default when connecting via the simple TCPS URL format (`jdbc:oracle:thin:@tcps://...`). This results in an automatic security injection of `SSL_SERVER_DN_MATCH=TRUE` into the connection string, which overrides custom security settings (`SSL_SERVER_DN_MATCH=FALSE`), causing TLS connections to fail due to a forced hostname mismatch even when hostname matching is disabled.

Root Cause
The Oracle driver's easy connect URL parser attempts to convert the simple `tcps://` format into the verbose TNS descriptor format (`(DESCRIPTION=...)`). During this internal transformation, it prioritizes baking in its own secure defaults, corrupting our explicit certificate verification configuration.

Proposed Fix
We will bypass the automatic URL parser by ensuring that whenever the TCPS protocol is selected (in either service or sid mode), the application generates the full verbose TNS descriptor string itself.

This change prevents the driver from performing the unwanted transformation, allowing our per-connection properties (including `SSL_SERVER_DN_MATCH=FALSE`) to be correctly honored for secure Private CA connections.
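The approach described above, as an added example that is not this project's code: a small builder that emits the verbose `(DESCRIPTION=...)` form for both service-name and SID mode, so the driver never sees a `tcps://` easy-connect URL to rewrite. The host, port, service name and trust-store path are constructed sample values; the property names `oracle.net.ssl_server_dn_match`, `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` are taken from the Oracle JDBC and JSSE documentation as I remember them and should be checked against the driver version in use.

```java
import java.util.Properties;

/**
 * Builds a verbose TNS descriptor JDBC URL instead of the tcps:// easy-connect
 * form, so the driver's easy-connect parser (which injects its own
 * SSL_SERVER_DN_MATCH default) is never involved. Constructed example.
 */
public final class TnsDescriptorUrl {

    /** Descriptor syntax uses '(', ')' and '=' as delimiters, so reject them in values. */
    private static String checkToken(String name, String value) {
        if (value == null || value.isEmpty() || value.matches(".*[()=\\s].*")) {
            throw new IllegalArgumentException(
                name + " must be non-empty and contain no '(', ')', '=' or whitespace");
        }
        return value;
    }

    /** Service-name mode: CONNECT_DATA carries SERVICE_NAME. */
    public static String forService(String protocol, String host, int port, String serviceName) {
        return build(protocol, host, port, "SERVICE_NAME", checkToken("serviceName", serviceName));
    }

    /** SID mode: CONNECT_DATA carries SID. */
    public static String forSid(String protocol, String host, int port, String sid) {
        return build(protocol, host, port, "SID", checkToken("sid", sid));
    }

    private static String build(String protocol, String host, int port,
                                String connectKey, String connectValue) {
        String proto = checkToken("protocol", protocol).toUpperCase();
        if (!proto.equals("TCP") && !proto.equals("TCPS")) {
            throw new IllegalArgumentException("protocol must be TCP or TCPS, got " + protocol);
        }
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("port out of range: " + port);
        }
        // Full descriptor: nothing here is subject to the easy-connect rewrite.
        return "jdbc:oracle:thin:@(DESCRIPTION="
             + "(ADDRESS=(PROTOCOL=" + proto + ")(HOST=" + checkToken("host", host)
             + ")(PORT=" + port + "))"
             + "(CONNECT_DATA=(" + connectKey + "=" + connectValue + ")))";
    }

    /**
     * Per-connection TLS properties for a private CA. Property names are
     * assumed from the Oracle JDBC / JSSE documentation (see lead-in).
     */
    public static Properties privateCaProperties(String trustStorePath,
                                                 String trustStorePassword,
                                                 boolean matchServerDn) {
        Properties p = new Properties();
        p.setProperty("javax.net.ssl.trustStore", trustStorePath);
        p.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        // The setting the easy-connect path was overriding; now passed explicitly.
        p.setProperty("oracle.net.ssl_server_dn_match", Boolean.toString(matchServerDn));
        return p;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real hosts.
        String url = forService("tcps", "db.example.internal", 2484, "ORCLPDB1");
        System.out.println(url);
        System.out.println(forSid("tcps", "db.example.internal", 2484, "ORCL"));

        Properties props = privateCaProperties("/etc/app/private-ca-truststore.p12",
                                               "changeit", false);
        System.out.println(props);
        // With ojdbc on the classpath the connection would be opened as:
        // java.sql.DriverManager.getConnection(url, props);
    }
}
```

Two points worth keeping in mind when adopting this. First, the descriptor builder rejects `(`, `)`, `=` and whitespace in every field, because a host or service name taken from configuration that contained those characters would otherwise be able to alter the descriptor structure. Second, setting `oracle.net.ssl_server_dn_match` to `false` means the driver verifies only that the server certificate chains to the configured trust store, not that the certificate names the host being contacted; that is acceptable when the trust store holds only the private CA that issues database certificates, and where the certificate's CN or SAN can be made to match the host it is better to leave DN matching on.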