CipherSuites
The CipherSuites server connection attribute contains one or more cipher suites used to configure Transport Layer Security (TLS) client/server encryption.
Note:
TLS is an incremental version of Secure Sockets Layer (SSL) version 3.0. Although SSL was primarily developed by Netscape Communications Corporation, the Internet Engineering Task Force (IETF) took over development of it, and renamed it Transport Layer Security (TLS). TLS is an IETF standard.
TimesTen and the TimesTen documentation primarily use the terms Transport Layer Security and TLS instead of Secure Sockets Layer and SSL. However, there are cases where the earlier terms Secure Sockets Layer and SSL are still used. The names of the cipher suites use both TLS and SSL terminology. The SSL-named cipher suites work with and apply to Transport Layer Security.
A cipher suite contains an authentication/digital signature algorithm, such as ECDSA or RSA. Similarly, the certificates that are stored in Oracle Wallets and that are required for TLS client/server encryption are signed with either ECC or RSA key algorithms. The cipher suite authentication algorithm must match the ECC or RSA key algorithm. For example, if the certificates are signed with an RSA key algorithm, only cipher suites that use RSA for authentication can be used. Similarly, if the certificates are signed with an ECC key algorithm, only cipher suites that use ECDSA (like ECDHE-ECDSA) for authentication can be used.
It is important that you know the key (RSA or ECC) that was used to sign the certificates. For information about RSA and ECC keys and algorithms, see Configuration for TLS for Client/Server in Oracle TimesTen In-Memory Database Security Guide.
server1.cert. Navigate to the location of the certificate, and issue the following openssl command:openssl x509 -in server1.cert -text -noout-
For RSA:
Public Key Algorithm: rsaEncryption -
For ECC:
Public Key Algorithm: id-ecPublicKey
TimesTen 22.1 supports cipher suites that include both RSA and ECC authentication/digital signature algorithms. If you are using RSA keys, ensure to include one or more cipher suites with an RSA authentication/digital signature algorithm. Similarly, if you are using ECC keys, ensure to include one or more cipher suites with an ECDSA (Elliptic Curve Digital Signature Algorithm) authentication/digital signature algorithm.
TimesTen does not have a default cipher suite setting. You must specify the client-specific CipherSuites connection attribute in your client configuration and the server-specific CipherSuites connection attribute in your server configuration. (The exception is if you specified the cipher suite setting at the instance level. In this case, the setting is in the timesten.conf file.)
You can specify one or more cipher suites for the TimesTen client-specific CipherSuites connection attribute and for the TimesTen server-specific CipherSuites connection attribute. If you specify more than one cipher suite for the connection attribute, ensure to separate each by a comma, and list them in order of preference. When the client negotiates with the server as to which cipher suite to use, it follows the prioritization you set. TimesTen recommends that you list the cipher suites from strongest to weakest. The server selects the first cipher suite on its own prioritized list that is also present in the client's list. Therefore, ensure that the client and the server have at least one common cipher suite. If the client and server cannot agree on a common cipher suite, the TLS connection fails.
The following table lists the supported cipher suites (including the SSL-named
cipher suites) and the authentication, encryption,
and data integrity algorithm each uses. The last
column indicates if the cipher suite is valid for
the RSA or the ECC public key algorithm. Ensure
that you choose a cipher suite that is valid for
the key (RSA or ECC) that was used to sign the
certificates. For example, if your key is ECC,
then the
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
cipher suite is valid, but the
TLS_RSA_WITH_AES_128_CBC_SHA256
cipher suite is not valid.
Transport Layer Security Cipher Suites
| Cipher Suites | Authentication | Encryption | Data Integrity | Valid for RSA or ECC |
|---|---|---|---|---|
|
or
|
ECDHE_ECDSA |
AES 128 GCM |
SHA256 |
ECC |
|
or
|
ECDHE_ECDSA |
AES 128 CBC |
SHA256 |
ECC |
|
or
|
ECDHE_ECDSA |
AES 256 CBC |
SHA384 |
ECC |
|
or
|
ECDHE_ECDSA |
AES 256 GCM |
SHA384 |
ECC |
|
or
|
RSA |
AES 128 CBC |
SHA256 |
RSA |
|
or
|
RSA |
AES 128 GCM |
SHA256 |
RSA |
|
or
|
RSA |
AES 256 CBC |
SHA256 |
RSA |
|
or
|
RSA |
AES 256 GCM |
SHA384 |
RSA |
Note:
Remember to specify theCipherSuites attribute for both
the client and the server. For the TLS connection
to be successful, the server and client setting
must include one common cipher suite. If the
server and client cannot agree on a common cipher
suite, the TLS connection fails.
See Configuration for TLS for Client/Server in Oracle TimesTen In-Memory Database Security Guide.
Required Privilege
No privilege is required to change the value of this attribute.
Usage in TimesTen Scaleout and TimesTen Classic
This attribute is supported in TimesTen Classic but not supported in TimesTen Scaleout.Setting
Set CipherSuites as follows.
| Where to set the attribute | How the attribute is represented | Setting |
|---|---|---|
|
C or Java programs or UNIX and Linux systems |
CipherSuites |
Specify one or more of the supported cipher suites, comma delimited, and in order of preference. |
|
Windows ODBC Data Source Administrator |
CipherSuites field on the Oracle TimesTen Client DSN Setup dialog. |
Specify one or more of the supported cipher suites, comma delimited, and in order of preference. |