We are pleased to announce that Oracle Database 23ai supports Transport Layer Security (TLS) 1.3 for securing network communication.

TLS 1.3, a major update to the TLS protocol, provides significant security and performance improvements compared to the TLS 1.2 protocol. TLS 1.3 supports perfect forward secrecy by using the Diffie-Hellman Ephemeral (DHE) algorithm for key exchange, so that even if the server's private key is compromised, the attacker cannot decrypt messages sent earlier. Further, compared to the long list of cipher suites supported by TLS 1.2, TLS 1.3 removes outdated cipher suites and includes only those cipher suites that support strong cryptographic algorithms without any known vulnerabilities. With fewer round trips during the TLS handshake, TLS 1.3 offers improved performance compared to TLS 1.2.

Oracle Database 23ai clients, including SQL*Plus, JDBC, and ODP.NET, support TLS 1.3 for connecting to Oracle databases.

While support for TLS version 1.2 is retained for backwards compatibility in Oracle Database 23ai, TLS versions 1.0 and 1.1 are both desupported in Oracle Database 23ai due to the known security weaknesses in those protocols.

Adopting TLS 1.3 in Oracle Database 23ai

As TLS 1.3 is the default for Oracle Database 23ai, no further configuration steps are needed on the Oracle Database 23ai client or the server. By default, the Oracle Database 23ai client and server use the strongest mutually supported cipher suite in TLS 1.3, but if needed, you can control the cipher suites with the SSL_CIPHER_SUITES parameter in the sqlnet.ora file.

If you must use only TLS 1.2, you can configure the client or the database for the older TLS 1.2 with the SSL_VERSION parameter in the respective sqlnet.ora file.

If you are upgrading a database where SSL_VERSION or SSL_CIPHER_SUITES are already configured, you should either remove them to get the default behavior or update those parameters to add the new TLS 1.3 version and cipher suites, such as:

  • SSL_VERSION = (TLSv1.3, TLSv1.2)
  • SSL_CIPHER_SUITES = (TLS_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)

Note that the new Oracle 23ai client is backwards compatible with Oracle Database 19c and will connect using TLS 1.2.

The Oracle Database client and server negotiate the highest version of TLS enabled by both parties, which can be specified in SSL_VERSION. When SSL_VERSION is not specified on either the client or the server, a 23ai client or server enables TLS 1.2 and TLS 1.3 by default, while a 19c client or server enables only TLS 1.2 by default. Please refer to the table below for the protocol negotiation matrix when SSL_VERSION is not specified.

Client               | Database 23ai              | Database 21c or 19c
---------------------+----------------------------+----------------------------
23ai client          | TLS 1.3                    | TLS 1.2
19c, 21c client      | TLS 1.2                    | TLS 1.2
12.2 or prior client | TLS 1.2 if client supports | TLS 1.2 if client supports
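
As an added example, not code from Oracle's post or tooling, here is a small Python helper that parses SSL_VERSION and SSL_CIPHER_SUITES in the form shown in the upgrade guidance above, applies the negotiation matrix above when SSL_VERSION is unset, and flags a pre-upgrade sqlnet.ora that still lists desupported versions or lacks a TLS 1.3 entry. The release labels, default version sets and finding text are assumptions drawn from that matrix and guidance.

```python
"""Audit sqlnet.ora TLS settings and predict the negotiated TLS version.
Constructed helper for this post, not Oracle code. Understands only the
parameter forms shown above, e.g. SSL_VERSION = (TLSv1.3, TLSv1.2), and
applies the negotiation matrix above when SSL_VERSION is absent."""
import re

DEFAULT_VERSIONS = {"23ai": {"TLSv1.3", "TLSv1.2"}, "21c": {"TLSv1.2"}, "19c": {"TLSv1.2"}}  # SSL_VERSION unset
DESUPPORTED = {"TLSv1.0", "TLSv1.1"}  # removed in 23ai
_PARAM = re.compile(r"^\s*(SSL_VERSION|SSL_CIPHER_SUITES)\s*=\s*\(?([^)#]*)\)?", re.I)

def parse_sqlnet(text):
    """Return {PARAM: [values]} for the two TLS parameters; other lines are ignored."""
    params = {}
    for line in text.splitlines():
        m = _PARAM.match(line)
        if m:
            params[m.group(1).upper()] = [v.strip() for v in m.group(2).split(",") if v.strip()]
    return params

def enabled_versions(text, release):
    """TLS versions one side enables: SSL_VERSION if set, else the release default."""
    return set(parse_sqlnet(text).get("SSL_VERSION") or DEFAULT_VERSIONS[release])

def negotiate(client_text, client_release, server_text, server_release):
    """Highest TLS version enabled on both sides, or None if they cannot agree."""
    common = enabled_versions(client_text, client_release) & enabled_versions(server_text, server_release)
    return max(common, key=lambda v: float(v[4:])) if common else None

def is_tls13_suite(name):
    """RFC 8446 suite names (e.g. TLS_AES_256_GCM_SHA384) carry no key-exchange part, so no _WITH_."""
    return name.upper().startswith("TLS_") and "_WITH_" not in name.upper()

def audit(text):
    """Upgrade findings for one sqlnet.ora: desupported versions and missing TLS 1.3 entries."""
    findings, params = [], parse_sqlnet(text)
    versions = params.get("SSL_VERSION")
    if versions is not None:
        findings += [f"{v} is desupported in 23ai; remove it from SSL_VERSION" for v in versions if v in DESUPPORTED]
        if "TLSv1.3" not in versions:
            findings.append("SSL_VERSION omits TLSv1.3; add it or remove the parameter to get the default")
    suites = params.get("SSL_CIPHER_SUITES")
    if suites is not None and not any(is_tls13_suite(s) for s in suites):
        findings.append("SSL_CIPHER_SUITES has no TLS 1.3 suite such as TLS_AES_256_GCM_SHA384")
    return findings

if __name__ == "__main__":
    # Constructed sample: a 19c-era sqlnet.ora carried into a 23ai upgrade.
    OLD = "SSL_VERSION = (TLSv1.2, TLSv1.1)\nSSL_CIPHER_SUITES = (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)\n"
    print(*audit(OLD), sep="\n")
    print("23ai client -> 19c server:", negotiate("", "23ai", "", "19c"))
```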

Public key certificates for TLS 1.3

TLS 1.3 supports both RSA and ECDSA certificates for authentication. We strongly recommend RSA certificates with a minimum 2048-bit key length, or ECDSA certificates with a minimum 256-bit key length.

Note that 512-bit RSA certificates, if you still have any, are not supported with TLS 1.3.

Working with other database features

Enabling TLS 1.3 only updates the network encryption protocol for database connections and has no impact on SQL. TLS 1.3 also works with Real Application Clusters and Active Data Guard. Outbound connections to third-party servers, such as LDAP and Active Directory, will use TLS 1.3 when the third-party server enables TLS 1.3.

Summary

TLS 1.3 is a significant update with modern and secure cryptographic algorithms that addresses security concerns and vulnerabilities in previous versions of TLS. NIST SP 800-52r2 on “Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations” states that US Federal Agencies shall support TLS 1.3 by January 1, 2024.

We expect the migration to TLS 1.3 to be automatic and transparent for most Oracle database customers.

For further information on TLS 1.3 in Oracle Database, please refer to the documentation below.

https://docs.oracle.com/en/database/oracle/oracle-database/23/dbseg/configuring-transport-layer-security-encryption.html