I have two databases with Oracle Wallet connecting over a database link and I'm trying to force only SSL/TLS 1.2. I am following the details from Doc ID 1938502.1 (disable SSLv3 for Poodle), which simply says to set SSL_VERSION to whatever version you want (and includes 1.2 as an example). However, when I look at https://docs.oracle.com/database/121/NETRF/sqlnet.htm#NETRF235, the only values listed are "undetermined | 2.0 | 3.0". How can I allow only TLS 1.2 on 12.1.0.2?
There is a documentation bug already opened for this, so the docs should be updated soon.
Applies To
All Users
Summary
This document provides the steps needed to disable use of SSLv3 for Oracle database clients and servers to address the POODLE vulnerability in SSL as described by CVE-2014-3566.
Please refer to the following document:
SSL V3.0 "Poodle" Vulnerability - CVE-2014-3566 http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
This document is intended for all levels of expertise.
Solution
Oracle database clients and services can be configured to disallow use of SSLv3 via the SSL_VERSION parameter in sqlnet.ora and listener.ora. To do so, update any sqlnet.ora and listener.ora configuration files used by database clients or servers that enable SSL to include an SSL_VERSION parameter that excludes the value "3.0". For example, the setting below will enforce the use of TLS 1.0 and disallow any other SSL versions including SSLv3:
SSL_VERSION=1.0
References:
Oracle Database Advanced Security Administrator's Guide (10g Release 2)
Oracle Database Security Guide (12c Release 1)
See the following link: http://docs.oracle.com/database/121/NETRF/sqlnet.htm#NETRF235
Compatibility Reference:
11.1.0.7: SSLv3, upgradeable to TLSv1.0 with <BUG 6973000> UTL_HTTP DOES NOT SUPPORT TRANSPORT LAYER SECURITY VERSION 1
11.2.0.4: TLSv1.0, SSLv3, SSLv2
12c: TLSv1.1, TLSv1.2
SSL_VERSION
Purpose
To force the version of the SSL connection.
Usage Notes
Clients and database servers must use a compatible version.
Default
undetermined
Values
undetermined | 2.0 | 3.0
Example
SSL_VERSION=2.0
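A way to check that every sqlnet.ora and listener.ora in use actually pins SSL_VERSION to 1.2, as an added example that is not part of the original thread or of Oracle's documentation. The function names and sample configuration text are constructed for illustration, and accepting several versions joined with "or" is an assumption about the value syntax that this page does not show.

```python
import re

# SSL_VERSION as written in sqlnet.ora / listener.ora (name matched case-insensitively).
_SSL_VERSION = re.compile(r"^\s*SSL_VERSION\s*=\s*(.+?)\s*$", re.IGNORECASE)

def ssl_version_settings(config_text):
    """Return one set of version strings per SSL_VERSION line found."""
    settings = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]  # ignore comments
        match = _SSL_VERSION.match(line)
        if match:
            value = match.group(1).strip("()\"' ").lower()
            # Assumption: several versions may be joined with "or".
            settings.append({v for v in re.split(r"\s+or\s+", value) if v})
    return settings

def audit(config_text, required="1.2"):
    """Return 'ok' only if every SSL_VERSION line names the required version alone."""
    settings = ssl_version_settings(config_text)
    if not settings:
        return "unset: default is undetermined"
    for versions in settings:
        if "undetermined" in versions:
            return "undetermined: protocol version is not forced"
        if versions != {required}:
            listed = ", ".join(sorted(versions)) or "(empty)"
            return "not restricted to %s: %s" % (required, listed)
    return "ok"

if __name__ == "__main__":
    # Constructed sample files; the values 1.0, 2.0 and 1.2 are the ones the page mentions.
    samples = {
        "poodle note example": "SSL_VERSION=1.0\n",
        "reference example": "SSL_VERSION=2.0\n",
        "commented out": "# SSL_VERSION=1.2\n",
        "tls 1.2 only": "ssl_version = 1.2   # force TLS 1.2\n",
    }
    for name, text in samples.items():
        print("%-20s %s" % (name, audit(text)))
```

Run it against the client and server copies of both files, since the parameter reference notes that clients and database servers must use a compatible version.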