14.9 Configuring SNI for TLS connections
Oracle Net Services supports Server Name Indication (SNI) to reduce the time taken to establish a client-server connection. When SNI is set, the listener forwards the client's connection request to an appropriate server without first performing a TLS handshake with the client, which shortens overall connection establishment.
The client can use Server Name Indication (SNI), a TLS extension, to send the relevant CONNECT_DATA information, such as the SERVICE_NAME, to the listener. The listener reads the requested connect data from the SNI field of the first packet and forwards the connection request to an appropriate service handler without performing a TLS handshake with the client. The client then performs a full TLS handshake directly with the server and establishes the connection.
This optimization saves one TLS handshake between the client and the listener, which otherwise costs a round trip (1-RTT) plus a certain amount of cryptographic processing, and so reduces the overall time taken to connect to the server. Note that the SNI extension travels in the TLS ClientHello, which is sent unencrypted, so the connect data placed in it is visible to anyone able to observe the network path; when no SNI value is set, the listener instead receives the connect request only after its own TLS handshake with the client.
On the client, SNI is controlled by the USE_SNI parameter in sqlnet.ora. When SNI is enabled, the CONNECT_DATA parameters in the client's connect string are used to set the SNI value. The CONNECT_DATA parameters that can set the connection's SNI value are:
SERVICE_NAME
INSTANCE_NAME
SERVER
COLOCATION_TAG
If any of these parameters are present in CONNECT_DATA, they are used to set the SNI value. If none of them is present in CONNECT_DATA, no SNI value is set for the connection and the listener performs the usual TLS handshake with the client to obtain the connect request.
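The selection rule above, as an added example in Python that is not part of the Oracle documentation or of Oracle's own code: it parses a sqlnet.ora fragment and a TNS connect descriptor (both constructed for this example), then reports which CONNECT_DATA parameters would set the SNI value, or that no SNI value is set and the listener will have to perform the TLS handshake itself. The descriptor parser, the helper names, the sample descriptors and the assumption that USE_SNI takes TRUE/FALSE are mine; how Oracle encodes the chosen values inside the SNI field is not described on this page and is not modelled.

```python
# Added example, not Oracle code: which CONNECT_DATA parameters set the SNI value.
# Assumptions: USE_SNI in sqlnet.ora takes TRUE/FALSE; the parser and the sample inputs
# are constructed here. How Oracle encodes the chosen values in the SNI field is not modelled.

# CONNECT_DATA parameters that can set the SNI value, per the section above.
SNI_CONNECT_DATA_KEYS = ("SERVICE_NAME", "INSTANCE_NAME", "SERVER", "COLOCATION_TAG")

def parse_sqlnet(text: str) -> dict:
    """KEY=VALUE lines from a sqlnet.ora fragment; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    return params

def parse_descriptor(text: str) -> dict:
    """Parse a parenthesised TNS descriptor into nested dicts (repeated keys -> list)."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_node():
        nonlocal pos
        skip_ws()
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        eq = text.find("=", pos)
        if eq < 0:
            raise ValueError("keyword without '='")
        key = text[pos + 1:eq].strip().upper()
        pos = eq + 1
        skip_ws()
        if pos < len(text) and text[pos] == "(":      # nested keyword-value list
            children = {}
            while True:
                skip_ws()
                if pos >= len(text):
                    raise ValueError("unterminated descriptor")
                if text[pos] == ")":
                    pos += 1
                    return key, children
                k, v = parse_node()
                if k in children:                      # e.g. several ADDRESS entries
                    prev = children[k]
                    children[k] = (prev if isinstance(prev, list) else [prev]) + [v]
                else:
                    children[k] = v
        end = text.find(")", pos)                      # leaf value
        if end < 0:
            raise ValueError("unterminated value")
        value = text[pos:end].strip()
        pos = end + 1
        return key, value

    key, value = parse_node()
    return {key: value}

def find_connect_data(node):
    """Return the CONNECT_DATA dict wherever it sits in the descriptor tree, or None."""
    if isinstance(node, dict) and isinstance(node.get("CONNECT_DATA"), dict):
        return node["CONNECT_DATA"]
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()
    for child in children:
        found = find_connect_data(child)
        if found is not None:
            return found
    return None

def sni_connect_data(descriptor: str, sqlnet_params: dict):
    """CONNECT_DATA entries that set the SNI value; None means no SNI value is set
    and the listener must do its own TLS handshake to read the connect request."""
    if sqlnet_params.get("USE_SNI", "").upper() != "TRUE":   # assumed TRUE/FALSE switch
        return None
    connect_data = find_connect_data(parse_descriptor(descriptor))
    if connect_data is None:
        return None
    chosen = {k: connect_data[k] for k in SNI_CONNECT_DATA_KEYS if k in connect_data}
    return chosen or None

# Constructed sample inputs (hypothetical hosts and service names).
SQLNET_ORA = "# sample sqlnet.ora fragment\nUSE_SNI=TRUE\n"
WITH_SERVICE = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=db.example.com)(PORT=2484))"
                "(CONNECT_DATA=(SERVICE_NAME=sales.example.com)(SERVER=DEDICATED)))")
SID_ONLY = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=db.example.com)(PORT=2484))"
            "(CONNECT_DATA=(SID=ORCL)))")

if __name__ == "__main__":
    params = parse_sqlnet(SQLNET_ORA)
    for name, desc in (("WITH_SERVICE", WITH_SERVICE), ("SID_ONLY", SID_ONLY)):
        chosen = sni_connect_data(desc, params)
        print(f"{name}: " + (f"SNI set from {chosen}; listener routes without a handshake"
                             if chosen else "no SNI value; listener performs the TLS handshake"))
```

Run against the two constructed descriptors, the first reports SERVICE_NAME and SERVER as the values that set SNI, while the SID-only descriptor reports no SNI value, which is the case where the listener falls back to the full handshake described above. Because those values end up in the unencrypted ClientHello, the same check is a quick way to see which connect data a client will expose on the wire.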
SNI is enabled by default in the listener and in Oracle Connection Manager (CMAN), so you need not set the USE_SNI parameter explicitly in listener.ora or cman.ora. If you do set USE_SNI explicitly in cman.ora, the CMAN gateway process also sets the SNI value on its outgoing connections.
Where the additional security of DN matching is required or configured in CMAN, SNI is disabled and CMAN's listener follows the usual process of performing a TLS handshake with the client.
Note:
SNI support is available in release 23.7 and later; it is not available in earlier releases.
Parent topic: Optimizing Performance