Certificate error while using TLS and SCAN #415
Comments
I don't believe this is a bug.

The code is currently making use of Python's SSL context server name validation. The fact that JDBC and Oracle thick client are happy with using the alternative name doesn't really say that Python's approach is wrong! Can you explain further why you believe that Python's SSL context server name validation is incorrect? And why do you not want to use the officially registered name?

I am not sure if I explained correctly. With JDBC and thick client, both the registered name and alternate names work. With python oracledb, only alternate names work. Registered name does not work.

> On Fri, Nov 1, 2024 at 2:00 PM Anthony Tuininga wrote:

This is the relevant Python documentation: <https://docs.python.org/3/library/ssl.html#ssl.SSLContext.check_hostname>. When you set `ssl_server_dn_match`, this enables hostname checking and that is the issue you are running into. The python-oracledb implementation does not do anything more than enable that flag. I understand that the JDBC and thick client do something different. I assume you are asking for thin mode to implement something different? You can also disable `ssl_server_dn_match` or create your own `ssl_context` parameter which does what you wish it to do. If that isn't acceptable, we can make this an enhancement request instead. Thoughts?

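The mismatch discussed here comes from how Python's `ssl` module matches a hostname against a certificate: once DNS subjectAltName entries are present, only those entries count and the subject commonName is ignored (the `hostname_checks_common_name` fallback only applies to certificates without SAN names). The block below is an added, stdlib-only re-implementation of those matching rules over `getpeercert()`-style dicts, written for this discussion rather than taken from python-oracledb or CPython; the certificate contents and hostnames in it are constructed placeholders.

```python
# Added example: a simplified re-implementation of the hostname-matching rules
# Python's ssl module applies (through OpenSSL) when check_hostname is True.
# Not python-oracledb or CPython code; certificates are modelled as the dict
# SSLSocket.getpeercert() returns, and every name below is a made-up placeholder.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName comparison: case-insensitive; a wildcard counts
    only as the entire leftmost label with at least two labels after it, so
    partial wildcards like 'db*.example.com' never match (Python sets
    OpenSSL's X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str,
                     checks_common_name: bool = True) -> tuple:
    """Return (matched, reason). The subject commonName is consulted only when
    the certificate has no DNS subjectAltName entries; that fallback is what
    SSLContext.hostname_checks_common_name (default True) controls. Once SAN
    entries exist, the CN is ignored, which is the mismatch seen in the issue."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        for name in dns_names:
            if dns_name_matches(name, hostname):
                return True, f"matched subjectAltName DNS:{name}"
        return False, (f"certificate is not valid for {hostname!r}: "
                       "SAN present, commonName not consulted")
    if checks_common_name:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and dns_name_matches(value, hostname):
                    return True, f"matched commonName {value} (no-SAN fallback)"
    return False, f"certificate is not valid for {hostname!r}"


# Constructed certificates modelled on the thread: CN is the SCAN name and the
# SANs are the SCAN's CNAME aliases (placeholder names, not real hosts).
SCAN_CERT = {
    "subject": ((("commonName", "cluster_scan"),),),
    "subjectAltName": (("DNS", "db-alias1.example.com"),
                       ("DNS", "db-alias2.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "cluster_scan"),),)}

if __name__ == "__main__":
    for host in ("cluster_scan", "db-alias2.example.com"):
        print(host, "->", hostname_matches(SCAN_CERT, host))
```

Running it reproduces the thread's observation: the SCAN name fails against a certificate whose SANs list only the aliases, while the aliases match, and the CN would only be honoured if the certificate carried no SAN names at all.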
We can make this an enhancement request. I just did not understand why, with DN match, alternate names would work but not the registered name. In the meantime, I will try to see if adding the registered name as an alternate name would work.

Thank you

> On Fri, Nov 1, 2024 at 3:47 PM Anthony Tuininga wrote:

@shaunmugam what's the exact 19c DB version you have?

19.23.0.0.0

> On Fri, Nov 1, 2024 at 4:19 PM Christopher Jones wrote:

Also this was not an issue with cx_Oracle

> On Fri, Nov 1, 2024 at 4:28 PM Shanmugam Murugappan wrote:

cx_Oracle and python-oracledb Thick are really the same thing - all the DB connectivity is handled in Oracle Client libraries. I get your point that if some environments work, other environments might also be expected to. However, if those environments have different levels of support for some technologies or options, then it may not be possible. Let us know what you find about adding the registered name as an alternate name. We'll also check with the Oracle Net Services team and see what they might suggest.

Thank you so much for your patience and your explanation. I will try the other option next week and get back to you with what I find.

> On Fri, Nov 1, 2024 at 6:32 PM Christopher Jones wrote:

@shaunmugam to help us understand user requirements, I would be interested to know your specific reason(s) for preferring Thin mode over Thick mode. I am imagining you have a large Oracle environment. In particular do you not want to use AQ or Application Continuity/TAC, which aren't available in Thin mode? Or do you already use Thick mode where it has features you need?

Hello,

We have a large Oracle environment. We have hundreds of applications connecting to these and each development team picks a tool of their choice. We do want to standardize what these teams use to connect to our DBs. But unfortunately we do not have that standard yet and so we have many ways that apps connect to our DBs. We do want to use AC at a future date but we don't have it now.

> On Fri, Nov 1, 2024 at 8:15 PM Christopher Jones wrote:

I have pushed a patch that adds this support and have initiated [a build](https://github.com/oracle/python-oracledb/actions/runs/11747035390) from which you can download pre-built development wheels once it completes. You can also [build from source](https://python-oracledb.readthedocs.io/en/latest/user_guide/installation.html#installing-from-source-code) if you prefer. If you can test your scenario and confirm the patch works as expected, that would be appreciated!

Hello,

I will check with our dev team and have them apply this patch and test.

Thanks,
Shan

> On Fri, Nov 8, 2024 at 9:52 AM Anthony Tuininga wrote:

@shaunmugam any update?

Hello Christopher,

We have limitations on how we can patch python on our company machines. I have requested a development person to check this. I will follow up today.

We did try adding the SCAN name as a SAN and it did not work. But I have not tried the patch yet.

Thanks,
Shan

> On Sun, Nov 24, 2024 at 8:52 PM Christopher Jones wrote:

Sorry for the delay in my reply. Just wanted to update that the fix you provided worked. Thank you so much. Can this fix be incorporated in future versions?

Happy holidays. Thank you again.

> On Mon, Nov 25, 2024 at 9:02 AM Shanmugam Murugappan wrote:

Glad to hear that it worked as you expected! Yes, it will be included in the next version that is released. The exact timing is still being determined yet, though!

Thank you so much for your help

> On Thu, Dec 26, 2024 at 8:36 AM Anthony Tuininga wrote:

Oracle 19c database
oracledb 2.4.1

```python
import oracledb as cx

# TCPS connect descriptor to the cluster SCAN; ssl_server_dn_match=yes turns on
# hostname checking of the server certificate in thin mode
dsn_tns = '(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = tcps)(HOST = cluster_scan)(PORT = 2484))) (CONNECT_DATA = (SERVICE_NAME = db_service))(security=(ssl_server_dn_match=yes)))'
sql = """SELECT sys_context('USERENV', 'NETWORK_PROTOCOL'), ora_database_name FROM dual"""
conn = cx.connect(user='myuser', password='mypass', dsn=dsn_tns)
cursor = conn.cursor()
result = cursor.execute(sql)
for row in result:
    print(row)
```
Output:

```text
PS C:\Users\cn131304\OneDrive - Centene Corporation\Documents\learning\python> & "C:/Program Files/Python311/python.exe" "c:/Users/cn131304/OneDrive - Centene Corporation/Documents/learning/python/ora2.py"
Traceback (most recent call last):
File "src\oracledb\impl/thin/connection.pyx", line 322, in oracledb.thin_impl.ThinConnImpl._connect_with_address
File "src\oracledb\impl/thin/protocol.pyx", line 225, in oracledb.thin_impl.Protocol._connect_phase_one
File "src\oracledb\impl/thin/protocol.pyx", line 380, in oracledb.thin_impl.Protocol._connect_tcp
File "src\oracledb\impl/thin/transport.pyx", line 244, in oracledb.thin_impl.Transport.negotiate_tls
File "C:\Program Files\Python311\Lib\ssl.py", line 517, in wrap_socket
return self.sslsocket_class._create(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python311\Lib\ssl.py", line 1075, in _create
self.do_handshake()
File "C:\Program Files\Python311\Lib\ssl.py", line 1346, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'cluster_scan'. (_ssl.c:992)
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "c:\Users\cn131304\OneDrive - Centene Corporation\Documents\learning\python\ora2.py", line 7, in
conn = cx.connect(user='a_cn131304', password='mypass', dsn=dsn_tns)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\cn131304\AppData\Roaming\Python\Python311\site-packages\oracledb\connection.py", line 1169, in connect
return conn_class(dsn=dsn, pool=pool, params=params, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\cn131304\AppData\Roaming\Python\Python311\site-packages\oracledb\connection.py", line 551, in init
impl.connect(params_impl)
File "src\oracledb\impl/thin/connection.pyx", line 424, in oracledb.thin_impl.ThinConnImpl.connect
File "src\oracledb\impl/thin/connection.pyx", line 420, in oracledb.thin_impl.ThinConnImpl.connect
File "src\oracledb\impl/thin/protocol.pyx", line 380, in oracledb.thin_impl.Protocol._connect_tcp
File "src\oracledb\impl/thin/connection.pyx", line 361, in oracledb.thin_impl.ThinConnImpl._connect_with_description
File "src\oracledb\impl/thin/connection.pyx", line 331, in oracledb.thin_impl.ThinConnImpl._connect_with_address
File "C:\Users\cn131304\AppData\Roaming\Python\Python311\site-packages\oracledb\errors.py", line 195, in _raise_err
raise error.exc_type(error) from cause
oracledb.exceptions.OperationalError: DPY-6005: cannot connect to database (CONNECTION_ID=mF4qb0/Xnv/m66jKv3Lz1w==).
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'cluster_scan'. (_ssl.c:992)
```
Error
We only get the error if using the cluster_scan (to which the SSL certificate is issued). The cluster_scan has cnames that are defined as subject alternate names in the certificate request. The code completes successfully if using the cname for cluster_scan.
We are not getting any errors while using JDBC or Oracle thick client configuration using either the cluster_scan or its cnames. So, we know the certificate is valid.
No. Using thin mode