AWS AmazonRDS high security documentation change
Summary
Added certificate compatibility documentation and new cipher suites for SSL configuration
Security assessment
The changes directly address secure configuration of SSL/TLS by specifying cipher suite compatibility with certificate types. This helps prevent misconfigurations that could lead to weak encryption or connection failures, which are security-critical aspects.
Diff
diff --git a/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.md b/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.md index 71effde32..72ec4705b 100644 --- a//AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.md +++ b//AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.md @@ -5 +5 @@ -TLS versionsCipher suites for SSLFIPS support for SSL +TLS versionsCipher suites for SSLFIPS support for SSLCertificate compatibility @@ -31,0 +32,2 @@ SSL/TLS and NNE are no longer part of Oracle Advanced Security. In RDS for Oracl + * Certificate compatibility with cipher suites + @@ -78,0 +81,2 @@ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 1.2 | Yes | Yes +TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 1.2 | Yes | Yes +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 1.2 | Yes | Yes @@ -85,0 +90,15 @@ Clients must use the cipher suite that is FIPS-compliant. When establishing a co +## Certificate compatibility with cipher suites + +RDS for Oracle supports both RSA and Elliptic Curve Digital Signature Algorithm (ECDSA) certificates. When you configure SSL for your DB instance, you must ensure that the cipher suites you specify in the `SQLNET.CIPHER_SUITE` option setting are compatible with the certificate type used by your DB instance. + +The following table shows the compatibility between certificate types and cipher suites: + +Certificate type | Compatible cipher suites | Incompatible cipher suites +---|---|--- +RSA certificates (rds-ca-2019, rds-ca-rsa2048-g1, rds-ca-rsa4096-g1) | SSL_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA256 SSL_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 +ECDSA certificates (rds-ca-ecc384-g1) | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | SSL_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA256 SSL_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + +When you specify multiple cipher suites in the `SQLNET.CIPHER_SUITE` option setting, make sure to include at least one cipher suite that is compatible with the certificate type used by your DB instance. If you're using an option group with multiple DB instances that have different certificate types, include at least one cipher suite for each certificate type. + +If you attempt to associate an option group with an SSL option that contains only cipher suites incompatible with the certificate type of a DB instance, the operation will fail with an error message indicating the incompatibility. +