Connecting to cloud instance with TLS without wallet dir? (One way TLS)

[victorien-a]

In our setup, the wallet have been disabled to use only TLS authentication.
I do have the JDBC example here: (That exact string works using JDBC connectors)

jdbc:oracle:thin:@(jdbc := "(description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1521)(host=" + viper.GetString("ORACLE_SERVER") + "))(connect_data=(service_name=" + viper.GetString("ORACLE_SERVICE") + "))(security=(ssl_server_dn_match=yes)))"

And code that works with python :

cs = '''(description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port={port})(host={host}))(connect_data=(service_name={sn}))(security=(ssl_server_dn_match=yes)))'''.format(
    host=DB.HOST,
    port=DB.PORT,
    sn=DB.SERVICE_NAME
        )
 
with oracledb.connect(user=un, password=pw, dsn=cs) as connection:
    with connection.cursor() as cursor:....

I tried to use the build URL with from JDBC string but still no lock, I get a timeout error, it seems it is still dialing in tcp rather than tcps (because there is no wallet var?).

These are my params:

urlOptions := map[string]string{
	"TRACE FILE": "trace.log",
	"AUTH TYPE":  "TCPS",
	"SSL":        "TRUE",
	"SSL VERIFY": "TRUE",
}

This seems to be a different auth method than the normal TLS + wallet dir? Or is there something else in the wallet dir than the certificates that is needed as well?

I tried to play around with the package a bit but no luck..

EDIT:

I read a bit from the python documentation and basically this is what I try to acheive:
https://python-oracledb.readthedocs.io/en/latest/user_guide/connection_handling.html#one-way-tls-connection-to-oracle-autonomous-database

https://docs.oracle.com/en/cloud/paas/autonomous-database/adbsa/connect-jdbc-thin-tls.html#GUID-364DB7F0-6F4F-4C42-9395-4BA4D09F0483

[victorien-a]

Related issue in python client:
oracle/python-oracledb#65

oracle/python-oracledb@bb69402

[victorien-a]

Fixed it,

I needed to modify the negociate function (session.go)

// negotiate it is a step in SSL communication in which tcp connection is
// used to create sslConn object
func (session *Session) negotiate() {
	connOption := session.Context.ConnOption
	if session.SSL.roots == nil && len(session.SSL.Certificates) > 0 {
		session.SSL.roots = x509.NewCertPool()
		for _, cert := range session.SSL.Certificates {
			session.SSL.roots.AddCert(cert)
		}
	}
	host := connOption.GetActiveServer(false)
	config := &tls.Config{
		ServerName: host.Addr,
	}

	if len(session.SSL.tlsCertificates) > 0 {
		config.Certificates = session.SSL.tlsCertificates
	}

	if session.SSL.roots != nil {
		config.RootCAs = session.SSL.roots
	}

	if !connOption.SSLVerify {
		config.InsecureSkipVerify = true
	}

	session.sslConn = tls.Client(session.conn, config)
}

[victorien-a]

That way we dont have certificate error and it seems to work well even with GORM

[victorien-a]

Made a PR to fix this:

1fb68f9