Cannot connect to Oracle 19c througth TLS

[h30306]

Environment

• Database image: oracle/adb-free (Oracle 19c Free)
• Server OS: Oracle Linux 8 (container)
• Client: Python 3.12 + oracledb 3.1 on macOS
  (same issue reproduced on Ubuntu 22.04)

Goal

Configure one‑way TLS (TCPS port 2484) so that the Python client
verifies the server certificate issued from the DB wallet.

What I did on the server

# 1. Create server wallet & self‑signed cert
orapki wallet create -wallet $ORACLE_HOME/wallet -pwd oracle01 -auto_login
orapki wallet add    -wallet $ORACLE_HOME/wallet -pwd oracle01 \
                     -dn "CN=$(hostname -s)" -keysize 2048 \
                     -self_signed -validity 7300

# 2. Export the cert for the client
orapki wallet export -wallet $ORACLE_HOME/wallet -pwd oracle01 \
                     -dn "CN=$(hostname -s)" \
                     -cert $ORACLE_HOME/wallet/$(hostname -s).cert
                     
# 3. Listener with TCPS
cat > $ORACLE_HOME/network/admin/listener.ora <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
    )
  )

WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
            (METHOD_DATA = (DIRECTORY = /opt/oracle/product/19c/dbhome_1/wallet)))
SSL_CLIENT_AUTHENTICATION = FALSE
EOF

# 4. sqlnet.ora
cat > $ORACLE_HOME/network/admin/sqlnet.ora <<'EOF'
SSL_VERSION = 1.2
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
            (METHOD_DATA = (DIRECTORY = /opt/oracle/product/19c/dbhome_1/wallet)))
EOF

# 5. Build a *trust* wallet that contains only the server cert
orapki wallet create -wallet /tmp/client_wallet -auto_login
orapki wallet add    -wallet /tmp/client_wallet \
                     -trusted_cert -cert adb19cfree-oracle-db-0.cert
# 6. Convert to PEM for Python ssl
openssl pkcs12 -in /tmp/client_wallet/ewallet.p12 \
               -out /tmp/client_wallet/ewallet.pem -nokeys

The listerner stataus on server side

[oracle@adb19cfree-oracle-db-0 ~]$ lsnrctl status

LSNRCTL for Linux: Version 19.0.0.0.0 - Production on 06-MAY-2025 02:35:21

Copyright (c) 1991, 2019, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=0.0.0.0)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 19.0.0.0.0 - Production
Start Date                05-MAY-2025 06:45:49
Uptime                    0 days 19 hr. 49 min. 32 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /opt/oracle/product/19c/dbhome_1/network/admin/listener.ora
Listener Log File         /opt/oracle/diag/tnslsnr/adb19cfree-oracle-db-0/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=0.0.0.0)(PORT=2484)))
Services Summary...
Service "ORCLCDB" has 1 instance(s).
  Instance "ORCLCDB", status READY, has 1 handler(s) for this service...
Service "ORCLCDBXDB" has 1 instance(s).
  Instance "ORCLCDB", status READY, has 1 handler(s) for this service...
The command completed successfully

What I did on the client side

I copy the wallet from server side cuz my client side don't have oracle env

kubectl cp adb19cfree-oracle-db-0:/tmp/client_wallet ~/wallet

Python test script

import ssl, oracledb

params = oracledb.ConnectParams(
    user="system",
    password="xxx",
    host="adb19cfree-oracle-db-0",
    port=2484,
    service_name="ORCLCDB",
    protocol="tcps",
    wallet_location="~/wallet",
    ssl_version=ssl.TLSVersion.TLSv1_2,
)
conn = oracledb.connect(params=params)
print("✓ connected – DB version:", conn.version)

Error MSG

Traceback (most recent call last):
  File "src/oracledb/impl/thin/connection.pyx", line 358, in oracledb.thin_impl.ThinConnImpl._connect_with_address
  File "src/oracledb/impl/thin/protocol.pyx", line 281, in oracledb.thin_impl.Protocol._connect_phase_one
  File "src/oracledb/impl/thin/transport.pyx", line 277, in oracledb.thin_impl.Transport.renegotiate_tls
  File "src/oracledb/impl/thin/transport.pyx", line 262, in oracledb.thin_impl.Transport.negotiate_tls
  File "/Users/howardchung/miniforge3/envs/XDG/lib/python3.12/ssl.py", line 455, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/howardchung/miniforge3/envs/XDG/lib/python3.12/ssl.py", line 1041, in _create
    self.do_handshake()
  File "/Users/howardchung/miniforge3/envs/XDG/lib/python3.12/ssl.py", line 1319, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] ssl/tls alert handshake failure (_ssl.c:1000)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/Users/howardchung/xxxx/testdb_sync.py", line 170, in <module>
    conn = oracledb.connect(params=param)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/howardchung/miniforge3/envs/XDG/lib/python3.12/site-packages/oracledb/connection.py", line 1264, in connect
    return conn_class(dsn=dsn, pool=pool, params=params, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/howardchung/miniforge3/envs/XDG/lib/python3.12/site-packages/oracledb/connection.py", line 649, in __init__
    impl.connect(params_impl)
  File "src/oracledb/impl/thin/connection.pyx", line 462, in oracledb.thin_impl.ThinConnImpl.connect
  File "src/oracledb/impl/thin/connection.pyx", line 458, in oracledb.thin_impl.ThinConnImpl.connect
  File "src/oracledb/impl/thin/connection.pyx", line 419, in oracledb.thin_impl.ThinConnImpl._connect_with_params
  File "src/oracledb/impl/thin/connection.pyx", line 400, in oracledb.thin_impl.ThinConnImpl._connect_with_description
  File "src/oracledb/impl/thin/connection.pyx", line 362, in oracledb.thin_impl.ThinConnImpl._connect_with_address
  File "/Users/howardchung/miniforge3/envs/XDG/lib/python3.12/site-packages/oracledb/errors.py", line 195, in _raise_err
    raise error.exc_type(error) from cause
oracledb.exceptions.OperationalError: DPY-6005: cannot connect to database (CONNECTION_ID=1oFnCdVNqjIEXrJ+cwRphQ==).
[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] ssl/tls alert handshake failure (_ssl.c:1000)

Try TCP connection

work if I port-forward 1521 and use TCP connection

import oracledb

param = oracledb.ConnectParams(
    user="system",
    password="xxx",
    host="adb19cfree-oracle-db-0",
    port=1521,
    service_name="ORCLCDB",
)
conn = oracledb.connect(params=param)
print("✓ connected – DB version:", conn.version)

✓ connected – DB version: 19.3.0.0.0

OpenSSL Test

I tested the TLS connection with OpenSSL, and it appears to verify and connect successfully:

openssl s_client -connect adb19cfree-oracle-db-0:2484 -CAfile ~/ewallet.pem

Connecting to 127.0.0.1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN=adb19cfree-oracle-db-0
verify return:1
---
Certificate chain
 0 s:CN=adb19cfree-oracle-db-0
   i:CN=adb19cfree-oracle-db-0
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  5 06:21:06 2025 GMT; NotAfter: Apr 30 06:21:06 2045 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
subject=CN=adb19cfree-oracle-db-0
issuer=CN=adb19cfree-oracle-db-0
---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1212 bytes and written 428 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A3B1232FA9224E7051D533572F326D9F037450A852D48E1FC0FE337F715F1567
    Session-ID-ctx: 
    Master-Key: 1B00EDAAB543735DBA729CBF674905374828A6068664B2C3A8C2A2505A4E2722744576A291129D3B9B2F4B060363990B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1746498473
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Packet Capture

I used Wireshark to troubleshoot the issue and saw that the TLS handshake fails during the Client Key Exchange phase. I’m not sure what this implies—do I need to specify a particular cipher suite?

Question

• Did I miss any mandatory parameter in listener.ora / sqlnet.ora for one‑way TLS?
• Is there any extra params need to use when connecting by oracledb?
• For a trust‑only wallet, is converting ewallet.p12 → ewallet.pem the right approach for oracledb?

Thanks for the reply in advance

[cjbj]

• The use of '~' in the wallet_location path looks suspicious. (I know config_dir doesn't like it on macOS; I wonder if wallet_location should also throw an error.
• Try removing all optional parameters and then add them back one at a time. for example, remove SSL_VERSION=1.2 - just let the db client and server work out the strongest protocol and cipher