TLS and Wallet Enhancements in Oracle Database 23c
Oracle 23c includes several enhancements to Transport Layer Security (TLS) and wallets that simplify configuration and make the database more secure.
- Transport Layer Security (TLS) 1.3 Support
- TLS Connections Without Wallets
- Improved Local Auto-Login Wallets
- TLS Certificate DN Match
- Prevent Use of Deprecated Cipher Suites
Transport Layer Security (TLS) 1.3 Support
Oracle 23c supports TLS 1.3. The documentation contains some notes about configuration, but chances are you won't need to do anything to take advantage of it, assuming the downstream sites support it.
TLS Connections Without Wallets
From Oracle 23c onward it is possible to use the root certificates in the operating system certificate store to validate database callouts, rather than using a client wallet. This is demonstrated in the following article.
Improved Local Auto-Login Wallets
Local auto-login wallets are now more tightly bound to their host, whether it is physical or virtual, making them more secure than those created in previous versions of the database.
TLS Certificate DN Match
From 23c onward DN matching has tightened up to include checking listener and server certificates. The SSL_ALLOW_WEAK_DN_MATCH parameter defaults to FALSE, but setting it to TRUE in the "sqlnet.ora" file reduces the DN matching security to the level of previous releases.
Despite being new, the SSL_ALLOW_WEAK_DN_MATCH parameter is already deprecated, so it should only be used as a stop-gap if the tightened security causes a problem.
Prevent Use of Deprecated Cipher Suites
From Oracle 23c onward we can prevent the use of deprecated ciphers by setting the SSL_ENABLE_WEAK_CIPHERS parameter in the "sqlnet.ora" file. This parameter defaults to TRUE, so we must explicitly set it to FALSE to prevent the use of weak ciphers.
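The two parameters above have opposite defaults, which is easy to get wrong when reviewing a "sqlnet.ora": an absent SSL_ALLOW_WEAK_DN_MATCH is secure, but an absent SSL_ENABLE_WEAK_CIPHERS still allows deprecated cipher suites. The following POSIX shell script is an added example, not part of this article or of any Oracle tooling. It reads a "sqlnet.ora", applies those defaults, and reports either setting that leaves the pre-23c behaviour in place. The two sample files it writes (including the /u01/app/oracle/wallet directory) are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a sqlnet.ora for the two 23c TLS parameters discussed above.
# Defaults applied when a parameter is absent (as stated for 23c):
#   SSL_ALLOW_WEAK_DN_MATCH -> FALSE (strict DN matching; TRUE weakens it)
#   SSL_ENABLE_WEAK_CIPHERS -> TRUE  (weak ciphers allowed; FALSE blocks them)

# Print the upper-cased value of NAME from FILE, or nothing if it is not set.
# Trailing "#" comments and whitespace are stripped; the last occurrence wins.
sqlnet_param() {
  file=$1; name=$2
  sed -e 's/#.*//' "$file" \
    | tr -d ' \t' \
    | awk -F= -v n="$name" 'toupper($1)==n {print toupper($2)}' \
    | tail -n 1
}

# Print one WEAK line per setting that keeps pre-23c behaviour.
# Returns 0 when both settings are hardened, 1 otherwise.
audit_sqlnet() {
  file=$1; rc=0
  dn=$(sqlnet_param "$file" SSL_ALLOW_WEAK_DN_MATCH)
  if [ "${dn:-FALSE}" = "TRUE" ]; then
    echo "WEAK: SSL_ALLOW_WEAK_DN_MATCH=TRUE relaxes DN matching to pre-23c level (parameter is deprecated)"
    rc=1
  fi
  ciph=$(sqlnet_param "$file" SSL_ENABLE_WEAK_CIPHERS)
  if [ "${ciph:-TRUE}" != "FALSE" ]; then
    echo "WEAK: SSL_ENABLE_WEAK_CIPHERS is ${ciph:-unset (defaults to TRUE)}; set it to FALSE to block deprecated cipher suites"
    rc=1
  fi
  return $rc
}

# Constructed sample files (not taken from any real system). They are left in
# place so the values can be re-read after the audit; remove them when done.
WEAK_ORA=$(mktemp); HARD_ORA=$(mktemp)
cat > "$WEAK_ORA" <<'EOF'
# sqlnet.ora that quietly keeps pre-23c behaviour
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
SSL_ALLOW_WEAK_DN_MATCH = TRUE   # stop-gap that was never removed
EOF
cat > "$HARD_ORA" <<'EOF'
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
SSL_ALLOW_WEAK_DN_MATCH = FALSE
SSL_ENABLE_WEAK_CIPHERS = FALSE
EOF

for f in "$WEAK_ORA" "$HARD_ORA"; do
  echo "== $f"
  audit_sqlnet "$f" && echo "OK: both TLS parameters hardened"
done
```

Run it as-is to see the weak file produce two findings and the hardened file pass; point `audit_sqlnet` at `$ORACLE_HOME/network/admin/sqlnet.ora` to check a real client or server configuration. The parser deliberately takes the last occurrence of a parameter, since a duplicated entry lower in the file is a common way a stop-gap setting survives a later hardening pass.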
For more information see:
- Migrating to Transport Layer Security Version 1.3
- Transport Layer Security Connections without a Client Wallet
- Improved and More Secure Local Auto-Login Wallets
- New sqlnet.ora Parameter to Prevent the Use of Deprecated Ciphers
- Use of the SSL_ALLOW_WEAK_DN_MATCH Parameter to Control SSL_SERVER_DN_MATCH
- Transport Layer Security (TLS) Connections without a Client Wallet in Oracle Database 23c
Hope this helps. Regards Tim...