How Transport Layer Security Works in an Oracle Environment: The TLS Handshake

When a network connection over Transport Layer Security is initiated, the client and server perform a TLS handshake before performing the authentication.

The handshake process is as follows:

  1. The client and server establish which cipher suites to use. This includes which encryption algorithms are used for data transfers.

  2. The server sends its certificate to the client, and the client verifies that the server’s certificate was signed by a trusted CA. This step verifies the identity of the server.

  3. Similarly, if client authentication is required, the client sends its own certificate to the server, and the server verifies that the client’s certificate was signed by a trusted CA.

  4. The client and server exchange key information using public key cryptography. Based on this information, each generates a session key. A key is shared by at least two parties (usually a client and a server) that is used for data encryption for the duration of a single communication session. Session keys are typically used to encrypt network traffic; a client and a server can negotiate a session key at the beginning of a session, and that key is used to encrypt all network traffic between the parties for that session. If the client and server communicate again in a new session, they negotiate a new session key. All subsequent communications between the client and the server is encrypted and decrypted by using this session key and the negotiated cipher suite.

The authentication process is as follows:

  1. On a client, the user initiates an Oracle Net connection to the server by using TLS.

  2. TLS performs the handshake between the client and the server.

  3. If the handshake is successful, then the server verifies that the user has the appropriate authorization to access the database.