Description
This is very niche. Our organization has legacy apps in Docker containers that connect to Oracle databases over TLS. The certificates are issued by our internal CA.
This has worked on our Apple silicon developer Macs for some time but has been broken after upgrading to macOS 26.x from macOS 15.7.2. After the upgrade, the connections now fail with OCIError: ORA-29024: Certificate validation failure. The apps are not in question as we can reproduce the errors with sqlplus. After the developers brought this problem to me (I'm the Mac admin), I was able to recreate the issue on a lab computer: successful connection from the container on macOS 15.7.2, upgrade to 26.2 and the test immediately fails.
I'll list more of what we've tested below, but where Docker experts might be able to shine light on this is that we have been able to work around the issue by either disabling Rosetta, or switching to Docker VMM.
Tested on:
- Every release of Docker Desktop 4.55-4.59.1
- Every build of macOS 26.2-26.3b3
- On-premises and over VPN
Other tests:
- Packet capture of the connection, extraction of the certificates, ran against openssl verify - successful
- Extracting the Oracle wallet (source of root certificate trust) from the container and testing with another system - successful
- Connecting with openssl s_client in and out of the container - successful
- Disabling macOS 26 post quantum TLS changes
It would be worthwhile to better understand the differences between the use of Apple Virtualization and Docker VMM, and how amd64 is emulated without Rosetta.
Reproduce
While I've tried to spell out the problem in detail above, I can't really give reproducible steps as I don't have a public Oracle DB with TLS.
Expected behavior
No response
docker version
% docker version
Client:
Version: 29.2.0
API version: 1.53
Go version: go1.25.6
Git commit: 0b9d198
Built: Mon Jan 26 19:25:13 2026
OS/Arch: darwin/arm64
Context: desktop-linux
Server: Docker Desktop 4.59.1 (217750)
Engine:
Version: 29.2.0
API version: 1.53 (minimum version 1.44)
Go version: go1.25.6
Git commit: 9c62384
Built: Mon Jan 26 19:25:48 2026
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: v2.2.1
GitCommit: dea7da592f5d1d2b7755e3a161be07f43fad8f75
runc:
Version: 1.3.4
GitCommit: v1.3.4-0-gd6d73eb8
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
% docker info
Client:
Version: 29.2.0
Context: desktop-linux
Debug Mode: false
Plugins:
ai: Docker AI Agent - Ask Gordon (Docker Inc.)
Version: v1.17.2
Path: /Users/hessf/.docker/cli-plugins/docker-ai
buildx: Docker Buildx (Docker Inc.)
Version: v0.31.1-desktop.1
Path: /Users/hessf/.docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v5.0.2
Path: /Users/hessf/.docker/cli-plugins/docker-compose
debug: Get a shell into any image or container (Docker Inc.)
Version: 0.0.47
Path: /Users/hessf/.docker/cli-plugins/docker-debug
desktop: Docker Desktop commands (Docker Inc.)
Version: v0.2.0
Path: /Users/hessf/.docker/cli-plugins/docker-desktop
extension: Manages Docker extensions (Docker Inc.)
Version: v0.2.31
Path: /Users/hessf/.docker/cli-plugins/docker-extension
init: Creates Docker-related starter files for your project (Docker Inc.)
Version: v1.4.0
Path: /Users/hessf/.docker/cli-plugins/docker-init
mcp: Docker MCP Plugin (Docker Inc.)
Version: v0.37.0
Path: /Users/hessf/.docker/cli-plugins/docker-mcp
model: Docker Model Runner (Docker Inc.)
Version: v1.0.8
Path: /Users/hessf/.docker/cli-plugins/docker-model
offload: Docker Offload (Docker Inc.)
Version: v0.5.41
Path: /Users/hessf/.docker/cli-plugins/docker-offload
pass: Docker Pass Secrets Manager Plugin (beta) (Docker Inc.)
Version: v0.0.24
Path: /Users/hessf/.docker/cli-plugins/docker-pass
sandbox: Docker Sandbox (Docker Inc.)
Version: v0.10.1
Path: /Users/hessf/.docker/cli-plugins/docker-sandbox
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
Version: 0.6.0
Path: /Users/hessf/.docker/cli-plugins/docker-sbom
scout: Docker Scout (Docker Inc.)
Version: v1.19.0
Path: /Users/hessf/.docker/cli-plugins/docker-scout
Server:
Containers: 2
Running: 2
Paused: 0
Stopped: 0
Images: 2
Server Version: 29.2.0
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Discovered Devices:
cdi: docker.com/gpu=webgpu
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: dea7da592f5d1d2b7755e3a161be07f43fad8f75
runc version: v1.3.4-0-gd6d73eb8
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.12.67-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: aarch64
CPUs: 8
Total Memory: 3.827GiB
Name: docker-desktop
ID: 16ab7eef-4810-45b5-b8f9-a80157097782
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Labels:
com.docker.desktop.address=unix:///Users/hessf/Library/Containers/com.docker.docker/Data/docker-cli.sock
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5555
127.0.0.0/8
::1/128
Live Restore Enabled: false
Firewall Backend: iptables
Diagnostics ID
E77BC9D7-7ECB-4618-A83E-AC917C526D95/20260204004332
Additional Info
No response
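The chain check listed under "Other tests" (extract the certificates, run them against openssl verify, inspect the issuer) can be exercised end to end without a database. The script below is an added example, not the reporter's commands or Docker's code: it builds a throwaway internal CA and a server certificate signed by it, then shows openssl verify succeeding against the right root and failing against an unrelated one. The names oracle-db.example.internal, Example Internal Root CA and Unrelated Root CA are constructed for the example; the only dependency is the openssl command-line tool.

```shell
#!/bin/sh
# Added example: offline reproduction of the chain-verification step from the
# report, using a constructed internal CA. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_pki: create a root CA, a server certificate it issued, and a
# second, unrelated root that stands in for a trust store missing the issuer.
# Every subject name here is made up for the example.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=oracle-db.example.internal" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated Root CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# verify_chain <trust-anchor.pem> <leaf.pem>: prints OK if the leaf chains to
# the given anchor, FAIL otherwise. This is the same check as the report's
# "ran against openssl verify" step, with the wallet root as the anchor.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# cert_issuer <cert.pem>: prints the issuer DN in RFC 2253 form, which is the
# first thing to compare against the wallet contents when a chain is rejected.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

make_test_pki
echo "issuer of server cert: $(cert_issuer "$WORK/server.pem")"
echo "verify against issuing CA: $(verify_chain "$WORK/ca.pem" "$WORK/server.pem")"
echo "verify against unrelated CA: $(verify_chain "$WORK/other.pem" "$WORK/server.pem")"
```

In the real case the leaf and intermediates come from the packet capture or from openssl s_client -showcerts, and the -CAfile is the root exported from the Oracle wallet. A clean OK there, as the report describes, establishes that the chain itself is sound and moves suspicion away from the certificates toward the client environment, which is consistent with the workarounds (disabling Rosetta or switching to Docker VMM) changing the outcome without any certificate change.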