Oracle Secure Sockets Layer - Amazon Relational Database Service

Oracle Secure Sockets Layer

To enable SSL encryption for an RDS for Oracle DB instance, add the Oracle SSL option to the option group associated with the DB instance. Amazon RDS uses a second port, as required by Oracle, for SSL connections. This approach allows both cleartext and SSL-encrypted communication to occur at the same time between a DB instance and SQL*Plus. For example, you can use the cleartext port to communicate with other resources inside a VPC while using the SSL-encrypted port to communicate with resources outside the VPC. Adding the option does not close the cleartext port; if you want to allow only encrypted connections, restrict inbound access to the cleartext port in the security group associated with the DB instance.

Note

You can use either SSL or Native Network Encryption (NNE) on the same RDS for Oracle DB instance, but not both. If you use SSL encryption, make sure to turn off any other connection encryption. For more information, see Oracle native network encryption.

SSL/TLS and NNE are no longer part of Oracle Advanced Security. In RDS for Oracle, you can use SSL encryption with all licensed editions of the following database versions:

  • Oracle Database 21c (21.0.0)

  • Oracle Database 19c (19.0.0)

TLS versions for the Oracle SSL option

Amazon RDS for Oracle supports Transport Layer Security (TLS) versions 1.0 and 1.2. When you add a new Oracle SSL option, set SQLNET.SSL_VERSION explicitly to a valid value. TLS 1.0 is deprecated (RFC 8996); enable it only for clients that cannot negotiate TLS 1.2. The following values are allowed for this option setting:

  • "1.0" – Clients can connect to the DB instance using TLS version 1.0 only. For existing Oracle SSL options, SQLNET.SSL_VERSION is set to "1.0" automatically. You can change the setting if necessary.

  • "1.2" – Clients can connect to the DB instance using TLS 1.2 only.

  • "1.2 or 1.0" – Clients can connect to the DB instance using either TLS 1.2 or 1.0.

Cipher suites for the Oracle SSL option

Amazon RDS for Oracle supports multiple SSL cipher suites. By default, the Oracle SSL option is configured to use the SSL_RSA_WITH_AES_256_CBC_SHA cipher suite. That suite uses RSA key transport, so a compromised server key exposes recorded sessions; the TLS_ECDHE_RSA_* suites in the table below provide forward secrecy and are preferable when your clients support TLS 1.2. To specify a different cipher suite to use over SSL connections, use the SQLNET.CIPHER_SUITE option setting.

You can specify multiple values for SQLNET.CIPHER_SUITE. This technique is useful if you have database links between your DB instances and decide to update your cipher suites: both ends of a link must share at least one suite, so listing the old and new suites together while you migrate keeps the link working.

The following table summarizes SSL support for RDS for Oracle in all editions of Oracle Database 19c and 21c.

Cipher suite (SQLNET.CIPHER_SUITE)          TLS version support (SQLNET.SSL_VERSION)   FIPS support   FedRAMP compliant
SSL_RSA_WITH_AES_256_CBC_SHA (default)      1.0 and 1.2                                Yes            No
SSL_RSA_WITH_AES_256_CBC_SHA256             1.2                                        Yes            No
SSL_RSA_WITH_AES_256_GCM_SHA384             1.2                                        Yes            No
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384       1.2                                        Yes            Yes
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256       1.2                                        Yes            Yes
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384       1.2                                        Yes            Yes
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256       1.2                                        Yes            Yes
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA          1.2                                        Yes            Yes
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA          1.2                                        Yes            Yes

FIPS support

RDS for Oracle supports Federal Information Processing Standard (FIPS) 140-2. FIPS 140-2 is a United States government standard that defines security requirements for cryptographic modules. You turn on FIPS mode by setting FIPS.SSLFIPS_140 to TRUE for the Oracle SSL option. When FIPS 140-2 is configured for SSL, FIPS-validated cryptographic libraries encrypt data between the client and the RDS for Oracle DB instance.

Clients must use a FIPS-compliant cipher suite. When establishing a connection, the client and the RDS for Oracle DB instance negotiate which cipher suite to use when transmitting messages back and forth; a client that offers only non-FIPS suites fails the handshake rather than falling back. The table in Cipher suites for the Oracle SSL option shows the FIPS-compliant SSL cipher suites for each TLS version. For more information, see Oracle database FIPS 140-2 settings in the Oracle Database documentation.
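The SQLNET.SSL_VERSION values, the cipher-suite table and FIPS.SSLFIPS_140 interact: a suite that supports only TLS 1.2 cannot serve a client pinned to TLS 1.0, and FIPS mode requires every listed suite to be FIPS-approved. The following Python script is an added example written for this page, not AWS or Oracle code. It encodes the table above, validates a proposed combination of the three option settings, and renders the `aws rds add-option-to-option-group` command that would apply it (rendered, not executed). The option name `SSL`, the SSL port 2484, comma separation for multiple SQLNET.CIPHER_SUITE values, and the forward-secrecy and TLS 1.0 warnings are this example's assumptions and recommendations, not statements from the page.

```python
"""Pre-flight check for the RDS for Oracle SSL option (added example).

Encodes the cipher-suite table from this page and validates a proposed
combination of SQLNET.SSL_VERSION, SQLNET.CIPHER_SUITE and FIPS.SSLFIPS_140
before it is applied with `aws rds add-option-to-option-group`.
"""
import json

# Cipher-suite table from the page: suite -> (TLS versions it supports, FIPS, FedRAMP)
CIPHER_SUITES = {
    "SSL_RSA_WITH_AES_256_CBC_SHA":          ({"1.0", "1.2"}, True, False),
    "SSL_RSA_WITH_AES_256_CBC_SHA256":       ({"1.2"}, True, False),
    "SSL_RSA_WITH_AES_256_GCM_SHA384":       ({"1.2"}, True, False),
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": ({"1.2"}, True, True),
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": ({"1.2"}, True, True),
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": ({"1.2"}, True, True),
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": ({"1.2"}, True, True),
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":    ({"1.2"}, True, True),
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":    ({"1.2"}, True, True),
}

# Allowed SQLNET.SSL_VERSION values and the protocol versions each one admits
SSL_VERSIONS = {"1.0": {"1.0"}, "1.2": {"1.2"}, "1.2 or 1.0": {"1.0", "1.2"}}

# Assumptions of this example (not stated on the page): the option is named
# "SSL", its listener port is 2484, and several suites are joined with commas
# in the single SQLNET.CIPHER_SUITE value.
OPTION_NAME = "SSL"
DEFAULT_SSL_PORT = 2484


def validate_ssl_option(ssl_version, cipher_suites, fips=False, fedramp=False):
    """Return (errors, warnings). Errors mean the option cannot serve the
    clients it claims to; warnings are hardening advice."""
    errors, warnings = [], []
    if ssl_version not in SSL_VERSIONS:
        errors.append(f"SQLNET.SSL_VERSION {ssl_version!r} is not one of {sorted(SSL_VERSIONS)}")
        return errors, warnings
    enabled = SSL_VERSIONS[ssl_version]
    if "1.0" in enabled:
        warnings.append("TLS 1.0 is enabled; it is deprecated (RFC 8996), prefer '1.2'")
    if not cipher_suites:
        errors.append("SQLNET.CIPHER_SUITE must list at least one suite")
    negotiable = set()  # protocol versions that at least one listed suite can serve
    for suite in cipher_suites:
        if suite not in CIPHER_SUITES:
            errors.append(f"{suite} is not supported by RDS for Oracle")
            continue
        suite_versions, is_fips, is_fedramp = CIPHER_SUITES[suite]
        negotiable |= suite_versions & enabled
        if fips and not is_fips:
            errors.append(f"{suite} is not FIPS 140-2 approved but FIPS.SSLFIPS_140=TRUE")
        if fedramp and not is_fedramp:
            errors.append(f"{suite} is not FedRAMP compliant")
        if suite.startswith("SSL_RSA_"):
            warnings.append(f"{suite} uses RSA key transport (no forward secrecy); prefer an ECDHE suite")
    # A version the option enables but no listed suite can negotiate strands
    # clients pinned to that version: they get a handshake failure, not fallback.
    for version in sorted(enabled - negotiable):
        errors.append(f"no listed cipher suite can be negotiated over TLS {version}")
    return errors, warnings


def build_option(ssl_version, cipher_suites, fips=False, port=DEFAULT_SSL_PORT):
    """Build the --options payload for `aws rds add-option-to-option-group`,
    refusing any combination that fails validation."""
    errors, _ = validate_ssl_option(ssl_version, cipher_suites, fips)
    if errors:
        raise ValueError("; ".join(errors))
    settings = [
        {"Name": "SQLNET.SSL_VERSION", "Value": ssl_version},
        {"Name": "SQLNET.CIPHER_SUITE", "Value": ",".join(cipher_suites)},
        {"Name": "FIPS.SSLFIPS_140", "Value": "TRUE" if fips else "FALSE"},
    ]
    return [{"OptionName": OPTION_NAME, "Port": port, "OptionSettings": settings}]


def cli_command(option_group, ssl_version, cipher_suites, fips=False, port=DEFAULT_SSL_PORT):
    """Render the AWS CLI invocation as a string so it can be reviewed before use."""
    payload = json.dumps(build_option(ssl_version, cipher_suites, fips, port))
    return (f"aws rds add-option-to-option-group --option-group-name {option_group} "
            f"--apply-immediately --options '{payload}'")


if __name__ == "__main__":
    # Hardened choice: TLS 1.2 only, ECDHE suites, FIPS on.
    print(cli_command("my-oracle-og", "1.2",
                      ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                       "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"], fips=True))
    # The page's default configuration: valid, but carries two warnings.
    print(validate_ssl_option("1.2 or 1.0", ["SSL_RSA_WITH_AES_256_CBC_SHA"]))
```

The check that matters most in practice is the last one in `validate_ssl_option`: choosing "1.2 or 1.0" together with only TLS_ECDHE_* suites looks permissive but leaves TLS 1.0 clients with no negotiable suite, so they fail rather than connecting in cleartext on the other port.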