oracle / python-oracledb

Python driver for Oracle Database conforming to the Python DB API 2.0 specification. This is the renamed, new major release of cx_Oracle.
https://oracle.github.io/python-oracledb

Support Native Network Encryption in thin mode #94

Closed srtucker closed 1 year ago

srtucker commented 1 year ago

  1. Describe your new request in detail

     All of our Oracle databases require connections to use Oracle Database Native Network Encryption, which is currently only supported in thick mode. It would be wonderful if python-oracledb added support for NNE in thin mode so we could remove the need for the Oracle client.

  2. Give supporting information about tools and operating systems. Give relevant product version numbers

     I am primarily looking to utilize this in Python 3.9 AWS Lambdas (they run Amazon Linux 2) that connect to Oracle 19c (both on-prem and AWS RDS). Currently we have a Lambda layer that provides the Oracle Instant Client that we add to each Lambda, but that is what I would like to eliminate.

Thank you!

anthony-tuininga commented 1 year ago

I have a proof of concept implementation internally that needs a bit more review and testing. I'll ask internally regarding priority of completing this enhancement.

As an aside, my proof of concept has demonstrated that native network encryption (NNE) imposes a significant overhead on the network traffic. I see it taking up to 3 times longer to perform the same work with NNE as without. I'm not sure if there are other solutions that would satisfy your requirements, though!

jnahmias commented 1 year ago

Hi @anthony-tuininga - I am interested in having NNE available in thin mode as well. We have regulatory requirements for encryption in transit that we are currently solving using NNE with cx_Oracle (i.e. thick mode). I'm looking to upgrade to python-oracledb to drop the need for the Oracle client libraries, but need to have NNE for compliance. Are you able to share your POC implementation as a branch/patch that I can test?

cjbj commented 1 year ago

The current plan is to focus on TLS. This is out of our hands.

cjbj commented 1 year ago

Spoke to the powers-that-be again. We won't be supporting NNE in Thin mode. The solutions are to use TLS or Thick mode. Sorry!

markfinn commented 2 months ago

If the official path from Oracle is that TLS is the future and NNE isn't, is there some recommendation or best practice in the Oracle docs that I could send to my DBA team to try to get them to start transitioning?

cjbj commented 2 months ago

Let me ask the security team again where their doc rewrite is up to.