Port 2484: Oracle SSL Listener — The Port Oracle Claimed Without Registering

What This Port Is

Port 2484 sits in the registered port range (1024–49151) with no official IANA service name assignment. On paper, it belongs to nobody.

In practice, it belongs to Oracle.

Oracle Database uses two ports for its Net Listener service — the component that accepts incoming client connections. Port 1521 handles standard, unencrypted connections. Port 2484 is the SSL/TLS companion: the same listener, the same database, but with encryption. Oracle has recommended this pairing in its official documentation for decades, across every major database version from 10g through 23ai. ¹

The convention is so established that Oracle's own configuration guides tell administrators to add this line to /etc/services:

tcps 2484/tcp # Oracle SSL

They just never asked IANA to make it official.

How It Works

The Oracle Net Listener is the gatekeeper for Oracle database connections. Clients don't connect directly to the database process — they connect to the listener, which authenticates the request and hands it off to the appropriate database service.

When SSL is enabled, the listener binds to port 2484 using the TCPS protocol (TCP over SSL) instead of plain TCP. Client connection strings reflect this:

(DESCRIPTION=
  (ADDRESS=(PROTOCOL=tcps)(HOST=dbserver)(PORT=2484))
  (CONNECT_DATA=(SERVICE_NAME=mydb))
)

The SSL handshake happens before any Oracle-level authentication. Your password never travels in plaintext. ²

The Registered Port Range

Ports 1024–49151 are "registered" or "user" ports, defined by RFC 6335. ³ Unlike well-known ports (0–1023), registered ports don't require elevated privileges to open. Unlike dynamic/ephemeral ports (49152–65535), they're intended for consistent, named services.

The system works when vendors register their ports with IANA. Oracle didn't here — they established a convention through documentation and product defaults instead. It held. Most of the industry knows that 2484 means Oracle SSL the same way they know 1521 means Oracle. The difference is that 1521 is registered; 2484 isn't.

This happens more than you'd think. The registered port range has gaps. Some of those gaps are genuinely unused. Some are quietly occupied by software that never filed the paperwork.

Security Considerations

An open port 2484 almost certainly means an Oracle database is listening for SSL connections. That's worth knowing for a few reasons:

What it protects: Traffic between client and database is encrypted. Credentials aren't exposed on the wire.

What it doesn't protect: SSL encryption doesn't mean authentication is configured correctly. Oracle SSL can be configured to require client certificates (mutual TLS) or just server certificates. Many deployments use the latter, which means the server authenticates itself but doesn't verify the client's identity.

Firewall posture: Port 2484 should not be open to the public Internet. Database listeners should be accessible only from application servers that need them. Unrestricted inbound access to this port is a direct exposure of your Oracle instance. ⁴

How to Check What's Listening

If you see port 2484 in use and want to confirm what's there:

# Linux/macOS — show the process holding the port
ss -tlnp | grep 2484
# or
lsof -i :2484

# Windows
netstat -ano | findstr :2484

If it's Oracle, you'll see a process like tnslsnr (the listener binary). You can query the listener directly:

lsnrctl status

This will show which ports the listener is bound to, which services it's advertising, and whether SSL is configured.

Related Ports

• 1521 — Oracle Net Listener, standard (unencrypted) connections. The partner port to 2484.
• 2483 — Oracle Net Listener on plain TCP, an alternative to 1521 sometimes used in multi-listener configurations.