There is a request on Oracle's feedback site (behind a login wall) to add support for encryption to the pure .NET driver:
https://apex.oracle.com/pls/apex/f?p=18357:39:115851408950026
- Title: Support for Oracle Advanced Security Option (ASO) encryption using the managed driver
- Description: We (here at the University of Oslo) cannot use the new managed driver because we generally run Oracle on Linux (usually virtual machines) with encrypted communication, which seems to be unsupported by the current fully managed driver. (It works well with the unmanaged driver). In this day and age, encryption tends to be an attractive option, so please add support for this in the new managed driver. :)
- Comment: Available in ODAC 12c Release 4 or later
- Status: Feature Available in Production
When the server is configured to require encryption, .NET clients using Oracle's pure managed driver will be unable to connect, failing with an enigmatic:
ORA-12570: Network Session: Unexpected packet read error
Somewhere deep in the guts of the Oracle network driver, there’s a function ReadwithCrypto that fails with an ORA-12537: Network Session: End of file error.
The stack trace:
```
[NetworkException (0x30f9): ORA-12537: Network Session: End of file]
   OracleInternal.Network.ReaderStream.ReadIt(OraBuf OB, Int32 len) +359
   OracleInternal.Network.ReaderStream.ReadwithCrypto(OraBuf OB) +135

[NetworkException (0x80004005): ORA-12570: Network Session: Unexpected packet read error]
   OracleInternal.Network.ReaderStream.ReadwithCrypto(OraBuf OB) +440
   OracleInternal.Network.ReaderStream.Read(OraBuf OB) +124
   OracleInternal.TTC.OraBufReader.GetDataFromNetwork() +378
   OracleInternal.TTC.OraBufReader.Read(Boolean bIgnoreData) +122
   OracleInternal.TTC.MarshallingEngine.UnmarshalUB1(Boolean bIgnoreData) +43
   OracleInternal.TTC.TTCProtocolNegotiation.ReadResponse() +197

[OracleException (0x80004005): ORA-12570: Network Session: Unexpected packet read error]
   OracleInternal.ConnectionPool.PoolManager`3.Get(ConnectionString csWithDiffOrNewPwd, Boolean bGetForApp, String affinityInstanceName, Boolean bForceMatch) +7442
   OracleInternal.ConnectionPool.OraclePoolManager.Get(ConnectionString csWithNewPassword, Boolean bGetForApp, String affinityInstanceName, Boolean bForceMatch) +1163
   OracleInternal.ConnectionPool.OracleConnectionDispenser`3.Get(ConnectionString cs, PM conPM, ConnectionString pmCS, SecureString securedPassword, SecureString securedProxyPassword) +1453
   Oracle.ManagedDataAccess.Client.OracleConnection.Open() +3662
   Contoso.Fabrikam.Database.GetConnection(Boolean useLiveData) in d:\Develop\Contoso\Fabrikam\App_Code\DatabaseConnectivity.cs:76
```
Configuring the server so that encryption is optional rather than required is the (horrible, horrible) workaround.
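What the workaround costs, as an added example (not part of the original post): a small audit of the server's `SQLNET.ENCRYPTION_SERVER` setting against Oracle's documented native-encryption negotiation levels, showing which clients end up in plaintext. The two `sqlnet.ora` snippets are constructed, and treating a driver without encryption support as a `REJECTED` client is an assumption; the post shows the real driver failing with ORA-12570 instead of negotiating.

```python
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

def server_level(sqlnet_ora: str) -> str:
    """Return SQLNET.ENCRYPTION_SERVER from sqlnet.ora text (Oracle default: ACCEPTED)."""
    for line in sqlnet_ora.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        m = re.match(r"\s*SQLNET\.ENCRYPTION_SERVER\s*=\s*\(?\s*(\w+)", line, re.I)
        if m:
            level = m.group(1).upper()
            if level not in LEVELS:
                raise ValueError(f"unknown encryption level: {level}")
            return level
    return "ACCEPTED"

def negotiate(client: str, server: str) -> str:
    """Outcome of native network encryption negotiation for one client/server pair.

    Assumes both sides share at least one algorithm when encryption is turned on.
    """
    pair = {client, server}
    if "REQUIRED" in pair and "REJECTED" in pair:
        return "fails"       # one side insists, the other refuses
    if "REJECTED" in pair or pair == {"ACCEPTED"}:
        return "plaintext"   # nobody asked for encryption, or one side refused
    return "encrypted"

def audit(sqlnet_ora: str) -> dict:
    """Map every client level to the outcome against this server configuration."""
    srv = server_level(sqlnet_ora)
    return {client: negotiate(client, srv) for client in LEVELS}

# Constructed sample configurations (not taken from the post).
REQUIRED_CFG = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
"""
WORKAROUND_CFG = """
# encryption made optional so clients without encryption support can connect
SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
"""

if __name__ == "__main__":
    for name, cfg in (("required", REQUIRED_CFG), ("workaround", WORKAROUND_CFG)):
        print(name, audit(cfg))
```

With the server set to `REQUIRED`, no client can end up in plaintext; once encryption is optional, any client that does not negotiate it connects unencrypted and nothing on the server rejects it.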