14.9 Configuring SNI for TLS connections

Oracle Net Services supports Server Name Indication (SNI) in order to minimize the time taken to establish client-server connection. When SNI is set, the listener forwards the connection request from client to an appropriate server without performing a TLS handshake, thereby reducing the overall connection establishment time.

Client can use Server Name Indication (SNI) which is a TLS extension to send the relevant CONNECT_DATA information such as the SERVICE_NAME to listener. The listener then obtains the requested connect data from SNI field of the first packet and forwards the connection request to an appropriate service handler to service the request without doing a TLS handshake with the client. The client then performs a full TLS handshake with the server and establishes the connection directly.

This optimization saves one TLS handshake between the client and the listener which otherwise involves 1-RTT data transfer and certain amount of processing, hence minimizing the overall time taken to establish connection with the server.

You can enable SNI in the client by setting the USE_SNI parameter in sqlnet.ora. When SNI is enabled, the CONNECT_DATA parameter in the client's connect string can be used to set the SNI value. The list of supported CONNECT_DATA parameters for setting the connection's SNI value include:

• SERVICE_NAME
• INSTANCE_NAME
• SERVER
• COLOCATION_TAG

If client's connect string has any of these parameters as part of CONNECT_DATA, then those parameters are used to set the SNI value. If none of the parameters from the supported list are part of CONNECT_DATA, then SNI value will not be set for the connection and the listener will perform the usual TLS handshake with the client to get the connect request.

SNI is enabled by default in listener and Oracle Connection Manager (CMAN). Hence, you need not set USE_SNI parameter explicitly in listener.ora or cman.ora. In case you set the USE_SNI parameter explicitly in cman.ora, then the gateway process will also set the SNI value in outgoing connection.

Under certain cases where additional security of DN matching is required or configured in CMAN, SNI will be disabled and CMAN’s listener will follow the usual process of performing TLS handshake with the client.

Note:

Support for SNI is available in all versions starting 23.7, but not in earlier versions.