{"id":406,"date":"2018-12-08T19:17:23","date_gmt":"2018-12-08T19:17:23","guid":{"rendered":"https:\/\/www.spotonoracle.com\/?p=406"},"modified":"2018-11-11T15:49:30","modified_gmt":"2018-11-11T15:49:30","slug":"does-the-listener-cache-tls-certificates","status":"publish","type":"post","link":"https:\/\/www.spotonoracle.com\/?p=406","title":{"rendered":"Does the listener cache TLS certificates?"},"content":{"rendered":"

A while ago a fellow DBA asked me if the listener cached TLS certificates. My immediate answer was “Sure, not caching would hurt performance severely.”
\nBut, I couldn’t be certain so I ran a trace on it.<\/p>\n

As the listener.log shows I did connect three times using TLS enabled endpoint:<\/p>\n

\r\n...\r\n07-SEP-2018 11:05:30 * (CONNECT_DATA=(SERVICE_NAME=DEV1.localdomain)(CID=(PROGRAM=C:\\app\\oracle\\product\\client1830\\bin\\sqlplus.exe)(HOST=WIN2012CLI1)(USER=user1))) * (ADDRESS=(PROTOCOL=tcps)(HOST=192.168.56.29)(PORT=49211)) * establish * DEV1.localdomain * 0\r\n07-SEP-2018 11:05:46 * (CONNECT_DATA=(SERVICE_NAME=DEV1.localdomain)(CID=(PROGRAM=C:\\app\\oracle\\product\\client1830\\bin\\sqlplus.exe)(HOST=WIN2012CLI1)(USER=user1))) * (ADDRESS=(PROTOCOL=tcps)(HOST=192.168.56.29)(PORT=49212)) * establish * DEV1.localdomain * 0\r\n07-SEP-2018 11:05:48 * (CONNECT_DATA=(SERVICE_NAME=DEV1.localdomain)(CID=(PROGRAM=C:\\app\\oracle\\product\\client1830\\bin\\sqlplus.exe)(HOST=WIN2012CLI1)(USER=user1))) * (ADDRESS=(PROTOCOL=tcps)(HOST=192.168.56.29)(PORT=49213)) * establish * DEV1.localdomain * 0\r\n...\r\n<\/pre>\n
During the entire time I had a listener trace and a \u201cstrace\u201d on the “tnslsnr” process.
\nGoing through the strace output I found the open calls for both wallet files (ewallet.p12 and cwallet.sso).<\/p>\n
\r\nLine 419: open("\/u01\/app\/oracle\/etc\/wallet\/auth\/ewallet.p12", O_RDONLY) = 19\r\nLine 506: open("\/u01\/app\/oracle\/etc\/wallet\/auth\/cwallet.sso", O_RDONLY) = 20\r\n<\/pre>\n
Then the listener maps anonymous memory and reads data from cwallet.sso (file descriptor 20).<\/p>\n
\r\nLine 514: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0520168000\r\nLine 517: read(20, "\\272\\333\\241\\211\\10\\to\\264\\306\\247\/w\\217#\0n+[\\t\\371\\v\\266\\244\\230d\\214e3\\246ZV\\22"..., 1149) = 1149\r\n...\r\nLine 531: read(20, "\\241\\370N8\0\0\0\\6\0\0\0!\\6\\303\\20]{\\207\\16_\\246\\247\\3579'\\234h\\35I\\301m="..., 4096) = 4096\r\n...\r\nLine 542: read(20, "\\272\\333\\241\\211\\10\\to\\264\\306\\247\/w\\217#\0n+[\\t\\371\\v\\266\\244\\230d\\214e3\\246ZV\\22"..., 4096) = 1149\r\n<\/pre>\n
Shortly thereafter, the listener closes the file handles and unmaps the anonymous memory.<\/p>\n
\r\nLine 551: close(19)\r\nLine 561: close(20)\r\nLine 562: munmap(0x7f0520168000, 4096)            = 0\r\n<\/pre>\n
All this happens on the first incoming TLS connection request. After that it never touches any of the wallet files again.<\/p>\n
The same can be observed in the listener.og: it opens\/reads\/closes the wallet file on the first incoming TLS connection request only.<\/p>\n
\r\nLine 4473: CONNECTION REQUEST\r\nLine 4627: snzdfo_open_file:Opening file \/u01\/app\/oracle\/etc\/wallet\/auth\/ewallet.p12 with READ ONLY permissions\r\nLine 4631: snzdfo_open_file:Opening file \/u01\/app\/oracle\/etc\/wallet\/auth\/cwallet.sso with READ ONLY permissions\r\nLine 4667: nztwOpenWallet:exit\r\n<\/pre>\n
I didn’t do any long running tests but I this proves that the listener does cache the certificate from the wallet (at least temporarily).<\/p>\n","protected":false},"excerpt":{"rendered":"
A while ago a fellow DBA asked me if the listener cached TLS certificates. My immediate answer was “Sure, not caching would hurt performance severely.” But, I couldn’t be certain so I ran a trace on it. As the listener.log shows I did connect three times using TLS enabled endpoint: … 07-SEP-2018 11:05:30 * (CONNECT_DATA=(SERVICE_NAME=DEV1.localdomain)(CID=(PROGRAM=C:\\app\\oracle\\product\\client1830\\bin\\sqlplus.exe)(HOST=WIN2012CLI1)(USER=user1))) […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,3],"tags":[],"class_list":["post-406","post","type-post","status-publish","format-standard","hentry","category-general","category-internals"],"_links":{"self":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts\/406","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=406"}],"version-history":[{"count":6,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts\/406\/revisions"}],"predecessor-version":[{"id":412,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts\/406\/revisions\/412"}],"wp:attachment":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=406"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=406"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}