Oracle JDBC Security

ALLOWED_LOGON_VERSION_SERVER

The default behavior of the Oracle database is to accept connections from Oracle clients that use lower, less secure versions of the authentication protocol. Since the negotiation process is seamless, there is no alert about the degradation of security when the database adjusts to a less secure client. The sqlnet.ora parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER sets the minimum authentication protocol version allowed when connecting to Oracle Database instances. If the database client doesn't support the required authentication protocol, the error ORA-28040: No matching authentication protocol is returned to the client.

I set different values for SQLNET.ALLOWED_LOGON_VERSION_SERVER on a 12.2.0.1 database and tested various Oracle clients to find out which versions of the authentication protocol are effectively used by each client. I repeated the tests for JDBC and instant clients and was surprised to find that JDBC sometimes uses a less secure authentication protocol than the regular and instant clients of the same version.

JDBC

If you would like to test this yourself, here is the Java class I used, saved as ConnectDB.java:

import java.sql.DriverManager;
import java.sql.Connection;
import java.sql.SQLException;

public class ConnectDB {
    public static void main(String[] argv) {
        // Load the Oracle thin driver explicitly (required for pre-JDBC-4 drivers such as ojdbc14)
        try {
            Class.forName("oracle.jdbc.driver.OracleDriver");
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
            return;
        }

        // Connect; an ORA-28040 SQLException here means the driver's authentication
        // protocol is below SQLNET.ALLOWED_LOGON_VERSION_SERVER on the database
        try {
            Connection connection = DriverManager.getConnection(
                "jdbc:oracle:thin:@localhost:1521:DB", "user", "password");
            connection.close();
        } catch (SQLException e) {
            e.printStackTrace();
            return;
        }
    }
}

Compile the class with the following command:

javac ConnectDB.java

And run it like this:

java -cp .:./ojdbc7.jar ConnectDB

Test Results

The following table provides an overview of the authentication protocol versions supported by various Oracle clients:

Client Version   Type      Protocol Version
12.2.0.1         regular   12a
12.2.0.1         instant   12a
12.2.0.1         JDBC      12a
12.1.0.2         regular   12a
12.1.0.2         instant   12a
12.1.0.2         JDBC      12 *
12.1.0.1         regular   12
12.1.0.1         instant   12
12.1.0.1         JDBC      12
11.2.0.4         regular   12
11.2.0.4         instant   12
11.2.0.4         JDBC      12
10.2.0.5         instant   11
10.2.0.5         JDBC      8 *

The JDBC drivers which support a lower version of the authentication protocol than the regular and instant clients of the same version are marked with an asterisk (*). Note that the authentication protocol version doesn't necessarily correspond to the database version.

Below are some conclusions derived from the table above:

  • The good news is that the JDBC driver of the currently latest release, 12.2.0.1, supports the currently latest version (12a) of the authentication protocol. Therefore, it is best to upgrade all of the clients when you upgrade the database.
  • Unlike the regular and instant clients, the JDBC client 12.1.0.2 doesn't support version 12a of the authentication protocol.
  • The JDBC client 10.2.0.5 supports only version 8 of the authentication protocol, whereas the instant client of the same version supports version 11.

Upgrades

The following table shows the default lowest authentication protocol version accepted by different database releases.

Database Version   Authentication Protocol Version
11.2               8
12.1               11
12.2               12

This means that if you upgrade to 12.1 and still have some JDBC 10.2 clients around, they will start getting ORA-28040: No matching authentication protocol when trying to connect to the database, because by default the database instance rejects connections using version 8 of the authentication protocol. In this case, you can set SQLNET.ALLOWED_LOGON_VERSION_SERVER to 8 as a workaround until you replace the old JDBC drivers with new ones. For security reasons this should be done as soon as possible.
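To find such drivers before an upgrade breaks them, the test class above can be extended to recognise ORA-28040 explicitly. The following is an added example (not the original post's code) that reports the driver version and signals through its exit status whether the driver still authenticates against a database with a raised SQLNET.ALLOWED_LOGON_VERSION_SERVER; the class name CheckLogonVersion, the command-line arguments and the assumption that the thin driver exposes ORA-28040 as vendor error code 28040 are mine.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;

// Run once per ojdbc jar, e.g.:
//   java -cp .:./ojdbc7.jar CheckLogonVersion jdbc:oracle:thin:@host:1521:DB user password
public class CheckLogonVersion {
    // Assumption: the thin driver surfaces ORA-28040 as SQLException vendor code 28040.
    private static final int ORA_NO_MATCHING_AUTH_PROTOCOL = 28040;

    // Returns true if the driver authenticated, false if the server rejected it with
    // ORA-28040; any other SQLException is propagated so it is not mistaken for a protocol issue.
    public static boolean authenticates(String url, String user, String password)
            throws SQLException {
        Driver driver = DriverManager.getDriver(url);
        System.out.printf("driver %s %d.%d%n", driver.getClass().getName(),
                driver.getMajorVersion(), driver.getMinorVersion());
        try (Connection conn = DriverManager.getConnection(url, user, password)) {
            DatabaseMetaData md = conn.getMetaData();
            System.out.printf("connected: driver %s, database %s%n",
                    md.getDriverVersion(), md.getDatabaseProductVersion());
            return true;
        } catch (SQLException e) {
            if (e.getErrorCode() == ORA_NO_MATCHING_AUTH_PROTOCOL) {
                System.out.println("ORA-28040: this driver's authentication protocol is below "
                        + "SQLNET.ALLOWED_LOGON_VERSION_SERVER; upgrade the driver");
                return false;
            }
            throw e;
        }
    }

    public static void main(String[] args) throws SQLException {
        if (args.length != 3) {
            System.err.println("usage: CheckLogonVersion <jdbc-url> <user> <password>");
            System.exit(2);
        }
        // Older drivers (ojdbc14 for 10.2) are not auto-registered via ServiceLoader
        try {
            Class.forName("oracle.jdbc.driver.OracleDriver");
        } catch (ClassNotFoundException e) {
            System.err.println("Oracle JDBC driver not on the classpath");
            System.exit(2);
        }
        // Exit 0 = authenticated, 1 = rejected with ORA-28040, so a shell loop can tally jars.
        System.exit(authenticates(args[0], args[1], args[2]) ? 0 : 1);
    }
}
```

Looping over every ojdbc jar in use with this class reproduces the client table above for your own environment before you raise the parameter.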

Nenad Noveljic
