TLS and Wallet Enhancements in Oracle Database 23ai

Oracle 23ai includes several enhancements to Transport Layer Security (TLS) and wallets, simplifying configuration and making the database more secure.

Transport Layer Security (TLS) 1.3 Support

Oracle 23ai supports TLS 1.3. The documentation contains some notes about configuration, but chances are you won't need to do anything to take advantage of it, assuming the downstream sites support it.

TLS Connections Without Wallets

From Oracle 23ai onward it is possible to use the root certificates in the operating system certificate store to validate database callouts, rather than using a client wallet. This is demonstrated in the following article.

Improved Local Auto-Login Wallets

Local auto-login wallets are now more tightly bound to their host, whether it is physical or virtual, making them more secure than those created in previous versions of the database.

TLS Certificate DN Match

From 23ai onward DN matching has been tightened up to include checking listener and server certificates. The SSL_ALLOW_WEAK_DN_MATCH parameter defaults to FALSE, but setting it to TRUE in the "sqlnet.ora" file reduces the DN matching security to the level of previous releases.

Despite being new, the SSL_ALLOW_WEAK_DN_MATCH parameter is already deprecated, so it should only be used as a stop-gap if the tightened security causes a problem.

Prevent Use of Deprecated Cipher Suites

From Oracle 23ai onward we can prevent the use of deprecated ciphers by setting the SSL_ENABLE_WEAK_CIPHERS parameter in the "sqlnet.ora" file. This parameter defaults to TRUE, so we must explicitly set it to FALSE to prevent the use of weak ciphers.
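The following check is an added example, not code from the original article or from Oracle. It reads the text of a "sqlnet.ora" file and reports when either of the two parameters discussed above is left at its weaker setting, using the defaults stated in this article. The parser is simplified (single-line NAME = VALUE entries and # comments only), and the function names and sample files are constructed for illustration.

```python
import re

# Defaults as stated in the article for Oracle 23ai.
DEFAULTS = {"SSL_ALLOW_WEAK_DN_MATCH": "FALSE", "SSL_ENABLE_WEAK_CIPHERS": "TRUE"}
# Value of each parameter that leaves the weaker behaviour enabled.
WEAK_VALUE = {"SSL_ALLOW_WEAK_DN_MATCH": "TRUE", "SSL_ENABLE_WEAK_CIPHERS": "TRUE"}

_PARAM = re.compile(r"^([A-Za-z][\w.]*)\s*=\s*(.*)$")

def parse_sqlnet(text):
    """Return {UPPERCASE_NAME: value} for single-line NAME = VALUE entries."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        m = _PARAM.match(line)
        if m:
            # Later entries overwrite earlier ones (assumption: last one wins).
            params[m.group(1).upper()] = m.group(2).strip().strip('"').upper()
    return params

def audit_sqlnet(text):
    """Return a list of (parameter, effective_value, reason) findings."""
    params = parse_sqlnet(text)
    findings = []
    for name, weak in WEAK_VALUE.items():
        explicit = name in params
        value = params.get(name, DEFAULTS[name])
        if value == weak:
            reason = "set explicitly" if explicit else "not set, default applies"
            findings.append((name, value, reason))
    return findings

# Constructed sample files, not taken from a real system.
LEGACY = """\
# stop-gap left in place after upgrade
SSL_ALLOW_WEAK_DN_MATCH = TRUE
SQLNET.EXPIRE_TIME = 10
"""
HARDENED = """\
ssl_enable_weak_ciphers = false   # explicitly disable deprecated ciphers
SQLNET.EXPIRE_TIME = 10
"""

if __name__ == "__main__":
    for label, text in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(label, audit_sqlnet(text))
```

The "legacy" sample produces two findings, one for the explicit weak DN match and one for the cipher parameter being left unset, while the "hardened" sample produces none.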

Hope this helps. Regards Tim...