AWS AmazonRDS documentation change
Summary
Updated Oracle version support from 21c/19c to 26ai/21c/19c, added TLS 1.2-only enforcement and new cipher suites for Oracle 26ai, restructured SSL version settings into a table with version-specific details, and updated cipher suite table with Oracle version compatibility.
Security assessment
The changes document security improvements for Oracle 26ai (TLS 1.2 enforcement and modern cipher suites) but don't reference any specific vulnerability fix. Updates clarify security configurations without evidence of addressing a disclosed security incident.
Diff
diff --git a/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.md b/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.md index c0127fc62..9e1928d16 100644 --- a//AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.md +++ b//AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.md @@ -19 +19 @@ SSL/TLS and NNE are no longer part of Oracle Advanced Security. In RDS for Oracl - * Oracle Database 21c (21.0.0) + * Oracle Database 26ai (26.0.0.0) @@ -21 +21,18 @@ SSL/TLS and NNE are no longer part of Oracle Advanced Security. In RDS for Oracl - * Oracle Database 19c (19.0.0) + * Oracle Database 21c (21.0.0.0) + + * Oracle Database 19c (19.0.0.0) + + + + +###### Note + +For Oracle Database 26ai, the Oracle SSL option supports only TLS 1.2, and the default cipher suite is `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`. Oracle Database 26ai supports the following cipher suites: + + * `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` (default) + + * `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` + + * `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` + + * `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384` @@ -53,9 +70 @@ SSL/TLS and NNE are no longer part of Oracle Advanced Security. In RDS for Oracl -Amazon RDS for Oracle supports Transport Layer Security (TLS) versions 1.0 and 1.2. When you add a new Oracle SSL option, set `SQLNET.SSL_VERSION` explicitly to a valid value. The following values are allowed for this option setting: - - * `"1.0"` – Clients can connect to the DB instance using TLS version 1.0 only. For existing Oracle SSL options, `SQLNET.SSL_VERSION` is set to `"1.0"` automatically. You can change the setting if necessary. - - * `"1.2"` – Clients can connect to the DB instance using TLS 1.2 only. - - * `"1.2 or 1.0"` – Clients can connect to the DB instance using either TLS 1.2 or 1.0. - - +Amazon RDS for Oracle supports Transport Layer Security (TLS) versions 1.0 and 1.2. When you add a new Oracle SSL option, set `SQLNET.SSL_VERSION` explicitly to a valid value. The following table shows the allowed values for this option setting: @@ -62,0 +72,5 @@ Amazon RDS for Oracle supports Transport Layer Security (TLS) versions 1.0 and 1 +Value | Supported Oracle versions | Description +---|---|--- +`"1.0"` | 19c, 21c | Clients can connect to the DB instance using TLS version 1.0 only. For existing Oracle SSL options, `SQLNET.SSL_VERSION` is set to `"1.0"` automatically. You can change the setting if necessary. +`"1.2"` | All | Clients can connect to the DB instance using TLS 1.2 only. +`"1.2 or 1.0"` | 19c, 21c | Clients can connect to the DB instance using either TLS 1.2 or 1.0. @@ -66 +80 @@ Amazon RDS for Oracle supports Transport Layer Security (TLS) versions 1.0 and 1 -Amazon RDS for Oracle supports multiple SSL cipher suites. By default, the Oracle SSL option is configured to use the `SSL_RSA_WITH_AES_256_CBC_SHA` cipher suite. To specify a different cipher suite to use over SSL connections, use the `SQLNET.CIPHER_SUITE` option setting. +Amazon RDS for Oracle supports multiple SSL cipher suites. By default, the Oracle SSL option is configured to use the `SSL_RSA_WITH_AES_256_CBC_SHA` cipher suite for Oracle Database 19c and Oracle Database 21c. For Oracle Database 26ai, the default cipher suite is `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`. To specify a different cipher suite to use over SSL connections, use the `SQLNET.CIPHER_SUITE` option setting. @@ -70,15 +84,15 @@ You can specify multiple values for `SQLNET.CIPHER_SUITE`. This technique is use -The following table summarizes SSL support for RDS for Oracle in all editions of Oracle Database 19c and 21c. - -Cipher suite (SQLNET.CIPHER_SUITE) | TLS version support (SQLNET.SSL_VERSION) | FIPS support | FedRAMP compliant ----|---|---|--- -SSL_RSA_WITH_AES_256_CBC_SHA (default) | 1.0 and 1.2 | Yes | No -SSL_RSA_WITH_AES_256_CBC_SHA256 | 1.2 | Yes | No -SSL_RSA_WITH_AES_256_GCM_SHA384 | 1.2 | Yes | No -TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 1.2 | Yes | Yes -TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 1.2 | Yes | Yes -TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 1.2 | Yes | Yes -TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 1.2 | Yes | Yes -TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 1.2 | Yes | Yes -TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 1.2 | Yes | Yes -TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 1.2 | Yes | Yes -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 1.2 | Yes | Yes +The following table summarizes SSL support for RDS for Oracle in all editions of Oracle Database 19c, 21c, and 26ai. + +Cipher suite (SQLNET.CIPHER_SUITE) | TLS version support (SQLNET.SSL_VERSION) | FIPS support | FedRAMP compliant | Supported Oracle versions +---|---|---|---|--- +SSL_RSA_WITH_AES_256_CBC_SHA (default for 19c and 21c) | 1.0 and 1.2 | Yes | No | 19c, 21c +SSL_RSA_WITH_AES_256_CBC_SHA256 | 1.2 | Yes | No | 19c, 21c +SSL_RSA_WITH_AES_256_GCM_SHA384 | 1.2 | Yes | No | 19c, 21c +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (default for 26ai) | 1.2 | Yes | Yes | 19c, 21c, 26ai +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 1.2 | Yes | Yes | 19c, 21c +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 1.2 | Yes | Yes | 19c, 21c, 26ai +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 1.2 | Yes | Yes | 19c, 21c +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 1.2 | Yes | Yes | 19c, 21c +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 1.2 | Yes | Yes | 19c, 21c +TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 1.2 | Yes | Yes | 19c, 21c, 26ai +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 1.2 | Yes | Yes | 19c, 21c, 26ai