TLS Cipher Updates

Note the following changes to the DEFAULT cipher list.

Oracle recommends the following ciphers, and includes them in the DEFAULT cipher list:

  1. TLS_AES_128_GCM_SHA256 (new in 9.2.0)
  2. TLS_AES_256_GCM_SHA384 (new in 9.2.0)
  3. TLS_CHACHA20_POLY1305_SHA256 (new in 9.2.0)
  4. TLS_AES_128_CCM_SHA256 (new in 9.2.0)
  5. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  6. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  7. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  8. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  9. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  10. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  11. ECDHE-ECDSA-AES256-GCM-SHA384
  12. ECDHE-ECDSA-AES128-GCM-SHA256
  13. ECDHE-RSA-AES256-GCM-SHA384
  14. ECDHE-RSA-AES128-GCM-SHA256
  15. ECDHE-RSA-AES256-SHA384
  16. ECDHE-RSA-AES128-SHA256
  17. DHE-RSA-AES256-GCM-SHA384
  18. DHE-RSA-AES256-SHA256
  19. DHE-RSA-AES128-GCM-SHA256
  20. DHE-RSA-AES128-SHA256
  21. AES256-SHA256

Oracle supports the following ciphers, but does not include them in the DEFAULT cipher list:

  1. TLS_AES_128_CCM_8_SHA256 (new in 9.2.0)
  2. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  3. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  4. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  5. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  6. TLS_RSA_WITH_AES_256_CBC_SHA256
  7. TLS_RSA_WITH_AES_256_GCM_SHA384
  8. TLS_RSA_WITH_AES_128_CBC_SHA256
  9. TLS_RSA_WITH_AES_128_CBC_SHA
  10. TLS_RSA_WITH_AES_128_GCM_SHA256
  11. TLS_RSA_WITH_3DES_EDE_CBC_SHA

Oracle supports the following ciphers for debugging purposes only:

  1. TLS_RSA_WITH_NULL_SHA256 (debug only)
  2. TLS_RSA_WITH_NULL_SHA (debug only)
  3. TLS_RSA_WITH_NULL_MD5 (debug only)

Oracle supports the following ciphers but considers them not secure. They are not included in the DEFAULT cipher list, but they are included when you set the cipher-list attribute to ALL. When you configure cipher-list to ALL, verify-config displays a message warning you that you are using these insecure ciphers.

  1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  2. TLS_RSA_WITH_AES_256_CBC_SHA
  3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  4. TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

To configure TLS ciphers, use the cipher-list attribute in the tls-profile configuration element.

WARNING:

When you set tls-version to either tlsv1 or tlsv11 and you want to use ciphers that Oracle considers not secure, you must manually add them to the cipher-list attribute.
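As an added example (not Oracle's code or documentation), the following Python script audits a tls-profile's cipher-list against the four cipher groups listed above: it expands the DEFAULT and ALL keywords, flags entries from the insecure and debug-only groups the way verify-config is described as doing, and reports names that appear on none of the lists. Representing a profile as a tls-version string plus a list of cipher-list tokens is an assumption of this example, as is the reading of the WARNING above that ALL does not pull in the insecure group when tls-version is tlsv1 or tlsv11; the cipher names themselves are copied from the lists on this page.

```python
"""Audit a tls-profile cipher-list against the cipher groups listed on this page.

Added example, not Oracle's code. Cipher names and groups are copied from the
page; the profile representation (tls-version string + list of cipher-list
tokens) is assumed for this example, not the product's configuration syntax.
"""
from dataclasses import dataclass, field

# Group 1: recommended by Oracle and included in the DEFAULT cipher list.
DEFAULT_CIPHERS = [
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256",
    "AES256-SHA256",
]
# Group 2: supported, but not part of DEFAULT.
SUPPORTED_NOT_DEFAULT = [
    "TLS_AES_128_CCM_8_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Group 3: NULL ciphers, debugging only (no confidentiality at all).
DEBUG_ONLY_CIPHERS = [
    "TLS_RSA_WITH_NULL_SHA256", "TLS_RSA_WITH_NULL_SHA", "TLS_RSA_WITH_NULL_MD5",
]
# Group 4: supported but considered not secure; included only via ALL.
INSECURE_CIPHERS = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
]
KNOWN_CIPHERS = set(DEFAULT_CIPHERS) | set(SUPPORTED_NOT_DEFAULT) \
    | set(DEBUG_ONLY_CIPHERS) | set(INSECURE_CIPHERS)


def expand_cipher_list(tls_version: str, tokens: list[str]) -> list[str]:
    """Resolve the DEFAULT and ALL keywords into explicit cipher names.

    Order is preserved and duplicates are dropped. Assumption from the WARNING
    above: under tlsv1/tlsv11 the insecure group is only active when each
    cipher is named explicitly, so ALL does not expand to it there. The page
    does not say whether ALL includes the NULL debug ciphers, so it is not
    assumed to.
    """
    expanded: list[str] = []
    for tok in tokens:
        if tok == "DEFAULT":
            expanded.extend(DEFAULT_CIPHERS)
        elif tok == "ALL":
            expanded.extend(DEFAULT_CIPHERS)
            expanded.extend(SUPPORTED_NOT_DEFAULT)
            if tls_version not in ("tlsv1", "tlsv11"):
                expanded.extend(INSECURE_CIPHERS)
        else:
            expanded.append(tok)
    return list(dict.fromkeys(expanded))


@dataclass
class CipherAudit:
    effective: list[str]
    insecure: list[str] = field(default_factory=list)
    debug_only: list[str] = field(default_factory=list)
    unknown: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)


def audit_tls_profile(tls_version: str, cipher_list_tokens: list[str]) -> CipherAudit:
    """Classify the effective cipher set and produce verify-config style warnings."""
    effective = expand_cipher_list(tls_version, cipher_list_tokens)
    result = CipherAudit(effective=effective)
    result.insecure = [c for c in effective if c in INSECURE_CIPHERS]
    result.debug_only = [c for c in effective if c in DEBUG_ONLY_CIPHERS]
    result.unknown = [c for c in effective if c not in KNOWN_CIPHERS]
    if result.insecure:
        result.warnings.append("verify-config: cipher-list includes ciphers Oracle "
                               "considers not secure: " + ", ".join(result.insecure))
    if result.debug_only:
        result.warnings.append("cipher-list includes NULL (unencrypted) ciphers meant "
                               "for debugging only: " + ", ".join(result.debug_only))
    if result.unknown:
        result.warnings.append("cipher-list names ciphers not on the supported "
                               "list: " + ", ".join(result.unknown))
    return result


if __name__ == "__main__":
    # Constructed sample profiles; "tlsv12" is an assumed tls-version value.
    for version, tokens in [("tlsv12", ["DEFAULT"]), ("tlsv12", ["ALL"]),
                            ("tlsv11", ["ALL", "TLS_RSA_WITH_AES_256_CBC_SHA"])]:
        report = audit_tls_profile(version, tokens)
        print(f"{version} {tokens}: {len(report.effective)} ciphers in effect")
        for warning in report.warnings:
            print("   ", warning)
```

Running the script against an exported profile shows at a glance whether a cipher-list of ALL has silently admitted the insecure CBC and 3DES suites, which is the condition verify-config is described as warning about; the audit result can also be fed into a configuration-review pipeline rather than relying on reading the warning interactively.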