Curious Message in Message Box

Here is something I am curious about:

First, the text in the message box is black on a very dark gray (almost black) background. Now, I use the Carbon color scheme which gives me a comfortable dark mode, but there are places like this message box where we get an extremely low contrast situation. Is there some way to fix this somewhere in settings?

Second, the illegible message says "Encryption is guaranteed by SQLNET.ENCRYPTION_CLIENT=REQUIRED in SQLNet.ora." The selected connection, however, has a Security of "SSL" as shown. It is a TLS 1.2 over TCPS connection, so the sqlnet.ora parameter that the message in the box references has nothing to do with the encryption of this connection. That message box appears by clicking the little lock icon at the very bottom-left of the Connections dialog. Is that just supposed to report a general or default state as opposed to the state of the selected connection?

I have also wondered before why Security is blank for connections encrypted by ANO. Maybe it is because a TCP connection depends on the relevant ANO settings in sqlnet.ora that could change to a security of none if the parameters were changed. This is unlike SSL(TLS) in which encryption, at least, is guaranteed by specifying the TCPS protocol even if authentication is not enabled (SSL_CLIENT_AUTHENTICATION=FALSE). Encryption is "built-in" to the TCPS protocol, but shouldn't that fact make that illegible message box say that instead of referencing the ANO parameter that does not even apply to TCPS?

Cheers,
Russ

Hi Russ. The dark text on dark background is a bug. There is nothing you can do about it in settings, but I will make a change to that dialog so the text isn't like that. It happens when both a hyperlink and regular text are present.

> Is that just supposed to report a general or default state as opposed to the state of the selected connection?

Yes. Do you have SQLNET.ENCRYPTION_CLIENT set to REQUIRED in your sqlnet.ora?

> I have also wondered before why Security is blank for connections encrypted by ANO.

I guess I missed that. I'll research it and update the lock icon/message display. Whatever additional info you can provide here would be helpful.

Thanks.

We do use SQLNET.ENCRYPTION_CLIENT=REQUIRED, but of course that only affects TCP connections. TCPS requires SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS=TRUE, so ANO configuration is immaterial for that.

The security check has multiple things it could look at. It would be nice if it could correlate with the selected connection entry. I suspect it is just inspecting the ANO config in sqlnet.ora and reporting whether encryption will, may, or won't occur for ANO. Given specific conditions, this would sometimes return incorrect or misleading information.

Cheers,
Russ

Thanks Russ.

The check looks at sqlnet.ora for SQLNET.ENCRYPTION_CLIENT. It also looks at the selected connection to see if it is configured for TCPS (either in tnsnames, LDAP, or manual config on the "direct" tab), or if SSH is configured. Any of those will trigger the lock icon.

It does not look for SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS, or anything else related to ANO. I need to add that.

-John

Frankly, I don't think it needs to look at that ignore ANO parameter. That just prevents the Oracle error (ORA-12696) when ANO and TLS are likely to conflict. That is not really a security setting.

Cheers,
Russ

Thanks for the clarification.

In the next beta, the "Security" column in the login window grid will show:

"SSH", if configured within Toad,
"TCPS", if TCPS is used for that connection,
"Native", if SQLNET.ENCRYPTION_CLIENT is set to REQUIRED,
Nothing, if none of the above.

Checking in that order. The lock icon will follow the same rules.

Edited: Toad will display TCPS, not SSL for TCPS connections
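
The precedence described in the post above (SSH, then TCPS, then Native, otherwise blank), as an added example that is not Toad's code or part of the original thread. The function names, the sample sqlnet.ora and the connect descriptors are constructed for illustration; the last function flags the case where a blank label still leaves the outcome up to the server.

```python
import re

# Constructed sample inputs (not taken from the thread).
SAMPLE_SQLNET_ORA = """\
# client-side sqlnet.ora
SQLNET.ENCRYPTION_CLIENT = required
SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS = TRUE
"""
TCP_DESC = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.test)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl)))"
TCPS_DESC = "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=db.example.test)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))"


def parse_sqlnet_ora(text):
    """Return {UPPERCASE_NAME: value} for single-line NAME = value entries."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().upper()] = value.strip()
    return params


def uses_tcps(descriptor):
    """True if the connect descriptor contains a PROTOCOL=TCPS address."""
    return re.search(r"\(\s*PROTOCOL\s*=\s*TCPS\s*\)", descriptor, re.I) is not None


def security_label(ssh_configured, descriptor, params):
    """Apply the thread's order: SSH, then TCPS, then Native, else blank."""
    if ssh_configured:
        return "SSH"
    if uses_tcps(descriptor):
        return "TCPS"
    if params.get("SQLNET.ENCRYPTION_CLIENT", "").upper() == "REQUIRED":
        return "Native"
    return ""


def outcome_depends_on_server(label, params):
    """Blank label, but the client still ACCEPTs/REQUESTs native encryption.

    ACCEPTED is Oracle's documented default when the parameter is unset.
    """
    mode = params.get("SQLNET.ENCRYPTION_CLIENT", "ACCEPTED").upper()
    return label == "" and mode in ("ACCEPTED", "REQUESTED")


if __name__ == "__main__":
    p = parse_sqlnet_ora(SAMPLE_SQLNET_ORA)
    for ssh, desc in [(False, TCP_DESC), (False, TCPS_DESC), (True, TCP_DESC)]:
        print(repr(security_label(ssh, desc, p)))
```
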

Wonderful. That will be very helpful. Thank you so much. I will see if my company will let me do a beta--they usually don't.

Cheers,
Russ

Thanks for the suggestion. Let me know if you have others. 🙂

Of course, if Native Network Encryption is "REQUIRED" by the client, and SSH is used, there will be a double-encryption situation, but there is nothing that can be done about that in Toad. It just is.

Also, if NNE is not "REQUIRED" on the client side but "ACCEPTED" or "REQUESTED" by the client and enabled by server settings, then Toad won't know about it.

Cheers,
Russ

That is my understanding also. Toad will only show "Native" if SQLNET.ENCRYPTION_CLIENT is set to REQUIRED.

I was thinking about also adding a check to v$session_connect_info after the connection is made and displaying an icon somewhere to indicate that the connection is indeed encrypted (and also to cover the accepted/requested situations), but I haven't done that yet, and of course, that wouldn't show up in the login window because it could only apply to active connections.

But, where would you put that icon? In the window title bar or maybe change the icon on the connection button to show a secure connection?

Cheers,
Russ

Yeah, I haven't figured that part out yet. I'm thinking a different icon here to indicate that the connection is secure. Open to suggestions.

I think that is the most logical place.