ALLOWED_LOGON_VERSION_SERVER
By default, Oracle Database accepts connections from Oracle clients that use older, less secure versions of the authentication protocol. Because the negotiation is transparent, nothing alerts you when the database falls back to a weaker protocol to accommodate a less secure client. The sqlnet.ora parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER sets the minimum authentication protocol version the database accepts. A client that does not support at least that version receives the error ORA-28040: No matching authentication protocol.
I set different values for SQLNET.ALLOWED_LOGON_VERSION_SERVER on a 12.2.0.1 database and tested various Oracle clients to find out which versions of the authentication protocol each client actually uses. I repeated the tests for JDBC and Instant Client and was surprised to find that JDBC sometimes uses a less secure authentication protocol than the regular and Instant Client of the same version.
JDBC
If you would like to test this yourself, here is the Java class, saved as ConnectDB.java (the original was missing the declaration of the connection variable):
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class ConnectDB {
    public static void main(String[] argv) {
        // Load the Oracle JDBC driver explicitly so the same class works with older ojdbc jars
        try {
            Class.forName("oracle.jdbc.driver.OracleDriver");
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
            return;
        }
        // Authenticate against the database; an ORA-28040 from the server
        // is reported here as an SQLException
        Connection connection;
        try {
            connection = DriverManager.getConnection(
                "jdbc:oracle:thin:@localhost:1521:DB", "user", "password");
            System.out.println("Connected");
            connection.close();
        } catch (SQLException e) {
            e.printStackTrace();
            return;
        }
    }
}
Compile the class with the following command:
javac ConnectDB.java
And run it like this, substituting the driver jar of the version under test (ojdbc7.jar ships with 12.1, ojdbc8.jar with 12.2, ojdbc14.jar with 10.2; on Windows the classpath separator is ; instead of :):
java -cp .:./ojdbc7.jar ConnectDB
Test Results
The following table provides an overview of the authentication protocol versions supported by various Oracle clients:
Client Version | Type | Protocol Version |
---|---|---|
12.2.0.1 | regular | 12a |
12.2.0.1 | instant | 12a |
12.2.0.1 | JDBC | 12a |
12.1.0.2 | regular | 12a |
12.1.0.2 | instant | 12a |
12.1.0.2 | JDBC | 12 |
12.1.0.1 | regular | 12 |
12.1.0.1 | instant | 12 |
12.1.0.1 | JDBC | 12 |
11.2.0.4 | regular | 12 |
11.2.0.4 | instant | 12 |
11.2.0.4 | JDBC | 12 |
10.2.0.5 | instant | 11 |
10.2.0.5 | JDBC | 8 |
The JDBC drivers that support a lower version of the authentication protocol than the regular and Instant Client of the same version are 12.1.0.2 (JDBC uses 12, the other clients 12a) and 10.2.0.5 (JDBC uses 8, Instant Client 11). Note that the authentication protocol version does not necessarily correspond to the database version.
Below are some conclusions derived from the table above:
- The good news is that the JDBC driver of the latest release, 12.2.0.1, supports the latest version (12a) of the authentication protocol. It is therefore best to upgrade all clients when you upgrade the database.
- Unlike regular and instant client, the JDBC client 12.1.0.2 doesn’t support 12a version of the authentication protocol.
- JDBC client 10.2.0.5 supports only the version 8 of the authentication protocol, whereas the instant client of the same version supports 11.
Upgrades
The following table shows the default lowest authentication protocol version accepted by different database releases when SQLNET.ALLOWED_LOGON_VERSION_SERVER is not set.
Database Version | Authentication Protocol Version |
---|---|
11.2 | 8 |
12.1 | 11 |
12.2 | 12 |
This means that if you upgrade to 12.1 and still have some JDBC 10.2 clients around, they will start getting ORA-28040: No matching authentication protocol when trying to connect, because by default the database instance rejects connections using version 8 of the authentication protocol. In this case you can set SQLNET.ALLOWED_LOGON_VERSION_SERVER to 8 in the server-side sqlnet.ora (in $ORACLE_HOME/network/admin or the TNS_ADMIN directory) as a workaround until you replace the old JDBC drivers with new ones. Since this re-enables the weakest protocol for every client, it should be done as soon as possible.
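To turn the two tables above into a pre-upgrade check, the following script (an added example, not part of the original post) reads the SQLNET.ALLOWED_LOGON_VERSION_SERVER value out of a sqlnet.ora fragment, falls back to the release default from the "Upgrades" table when the parameter is absent or commented out, and lists which clients from the test-results table would receive ORA-28040. The client inventory and the sqlnet.ora text are constructed for illustration; the protocol ordering (8 < 9 < 10 < 11 < 12 < 12a) follows the values the parameter accepts.

```python
import re

# Oracle authentication protocol versions, oldest to newest. "12a" is the
# newest scheme in the post's tables and ranks above "12".
PROTOCOL_ORDER = ["8", "9", "10", "11", "12", "12a"]

# Default minimum accepted protocol per database release when the parameter
# is not set in sqlnet.ora (values from the post's "Upgrades" table).
DEFAULT_MIN_BY_DB = {"11.2": "8", "12.1": "11", "12.2": "12"}

# Highest protocol version each client speaks (from the post's test results).
CLIENT_PROTOCOL = {
    ("12.2.0.1", "regular"): "12a", ("12.2.0.1", "instant"): "12a", ("12.2.0.1", "JDBC"): "12a",
    ("12.1.0.2", "regular"): "12a", ("12.1.0.2", "instant"): "12a", ("12.1.0.2", "JDBC"): "12",
    ("12.1.0.1", "regular"): "12", ("12.1.0.1", "instant"): "12", ("12.1.0.1", "JDBC"): "12",
    ("11.2.0.4", "regular"): "12", ("11.2.0.4", "instant"): "12", ("11.2.0.4", "JDBC"): "12",
    ("10.2.0.5", "instant"): "11", ("10.2.0.5", "JDBC"): "8",
}

# Matches an uncommented SQLNET.ALLOWED_LOGON_VERSION_SERVER line; a leading "#"
# keeps a commented-out line from matching.
_PARAM_RE = re.compile(
    r"^\s*SQLNET\.ALLOWED_LOGON_VERSION_SERVER\s*=\s*([0-9]+[aA]?)",
    re.IGNORECASE | re.MULTILINE,
)


def effective_minimum(sqlnet_ora_text, db_version):
    """Minimum protocol the server accepts: the sqlnet.ora value if set, else the release default."""
    match = _PARAM_RE.search(sqlnet_ora_text)
    if match:
        value = match.group(1).lower()
        if value not in PROTOCOL_ORDER:
            raise ValueError("unsupported ALLOWED_LOGON_VERSION_SERVER value: %s" % value)
        return value
    return DEFAULT_MIN_BY_DB[db_version]


def can_authenticate(client_protocol, server_minimum):
    """True when the client's protocol version is at least the server's minimum."""
    return PROTOCOL_ORDER.index(client_protocol) >= PROTOCOL_ORDER.index(server_minimum)


def predict_ora_28040(sqlnet_ora_text, db_version, clients):
    """Return the (version, type) clients that would be rejected with ORA-28040."""
    minimum = effective_minimum(sqlnet_ora_text, db_version)
    return [c for c in clients if not can_authenticate(CLIENT_PROTOCOL[c], minimum)]


# Constructed client inventory and a constructed sqlnet.ora fragment with the workaround.
INVENTORY = [("12.1.0.2", "JDBC"), ("11.2.0.4", "instant"),
             ("10.2.0.5", "JDBC"), ("10.2.0.5", "instant")]
WORKAROUND_SQLNET_ORA = """# constructed sqlnet.ora fragment
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 8
"""

if __name__ == "__main__":
    # After a 12.1 upgrade with the default minimum (11), only the 10.2 JDBC driver (protocol 8) breaks.
    print("12.1 default:", predict_ora_28040("", "12.1", INVENTORY))
    # Lowering the minimum to 8 restores it, at the cost of accepting the weakest protocol from everyone.
    print("12.1 with workaround:", predict_ora_28040(WORKAROUND_SQLNET_ORA, "12.1", INVENTORY))
    # Requiring 12a on 12.2 rejects every client in this inventory, including 12.1.0.2 JDBC.
    print("12.2 requiring 12a:",
          predict_ora_28040("SQLNET.ALLOWED_LOGON_VERSION_SERVER=12a\n", "12.2", INVENTORY))
```

Run it against your real sqlnet.ora and client inventory before raising the setting; the interesting output is the list for the target value, since that is exactly the set of clients that will start logging ORA-28040 after the change.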