# NATIVE\$1NETWORK\$1ENCRYPTION option settings You can specify encryption requirements on both the server and the client. The DB instance can act as a client when, for example, it uses a database link to connect to another database. You might want to avoid forcing encryption on the server side. For example, you might not want to force all client communications to use encryption because the server requires it. In this case, you can force encryption on the client side using the `SQLNET.*CLIENT` options. Amazon RDS supports the following settings for the `NATIVE_NETWORK_ENCRYPTION` option. **Note** When you use commas to separate values for an option setting, don't put a space after the comma. **** | Option setting | Valid values | Default values | Description | | --- | --- | --- | --- | | `SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS` | `TRUE`, `FALSE` | `TRUE` | The behavior of the server when a client using a non-secure cipher attempts to connect to the database. If `TRUE`, clients can connect even if they aren't patched with the July 2021 PSU. If the setting is `FALSE`, clients can connect to the database only when they are patched with the July 2021 PSU. Before you set `SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS` to `FALSE`, make sure that the following conditions are met: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Oracle.Options.NNE.Options.html) | | `SQLNET.ALLOW_WEAK_CRYPTO` | `TRUE`, `FALSE` | `TRUE` | The behavior of the server when a client using a non-secure cipher attempts to connect to the database. The following ciphers are considered not secure: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Oracle.Options.NNE.Options.html) If the setting is `TRUE`, clients can connect when they use the preceding non-secure ciphers. If the setting is `FALSE`, the database prevents clients from connecting when they use the preceding non-secure ciphers. Before you set `SQLNET.ALLOW_WEAK_CRYPTO` to `FALSE`, make sure that the following conditions are met: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Oracle.Options.NNE.Options.html) | | `SQLNET.CRYPTO_CHECKSUM_CLIENT` | `Accepted`, `Rejected`, `Requested`, `Required` | `Requested` | The data integrity behavior when a DB instance connects to the client, or a server acting as a client. When a DB instance uses a database link, it acts as a client. `Requested` indicates that the client doesn't require the DB instance to perform a checksum. | | `SQLNET.CRYPTO_CHECKSUM_SERVER` | `Accepted`, `Rejected`, `Requested`, `Required` | `Requested` | The data integrity behavior when a client, or a server acting as a client, connects to the DB instance. When a DB instance uses a database link, it acts as a client. `Requested` indicates that the DB instance doesn't require the client to perform a checksum. | | `SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT` | `SHA256`, `SHA384`, `SHA512`, `SHA1`, `MD5` | `SHA256`, `SHA384`, `SHA512` | A list of checksum algorithms. You can specify either one value or a comma-separated list of values. If you use a comma, don't insert a space after the comma; otherwise, you receive an `InvalidParameterValue` error. This parameter and `SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER `must have a common cipher. | | `SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER` | `SHA256`, `SHA384`, `SHA512`, `SHA1`, `MD5` | `SHA256`, `SHA384`, `SHA512`, `SHA1`, `MD5` | A list of checksum algorithms. You can specify either one value or a comma-separated list of values. If you use a comma, don't insert a space after the comma; otherwise, you receive an `InvalidParameterValue` error. This parameter and `SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT` must have a common cipher. | | `SQLNET.ENCRYPTION_CLIENT` | `Accepted`, `Rejected`, `Requested`, `Required` | `Requested` | The encryption behavior of the client when a client, or a server acting as a client, connects to the DB instance. When a DB instance uses a database link, it acts as a client. `Requested` indicates that the client does not require traffic from the server to be encrypted. | | `SQLNET.ENCRYPTION_SERVER` | `Accepted`, `Rejected`, `Requested`, `Required` | `Requested` | The encryption behavior of the server when a client, or a server acting as a client, connects to the DB instance. When a DB instance uses a database link, it acts as a client. `Requested` indicates that the DB instance does not require traffic from the client to be encrypted. | | `SQLNET.ENCRYPTION_TYPES_CLIENT` | `RC4_256`, `AES256`, `AES192`, `3DES168`, `RC4_128`, `AES128`, `3DES112`, `RC4_56`, `DES`, `RC4_40`, `DES40` | `RC4_256`, `AES256`, `AES192`, `3DES168`, `RC4_128`, `AES128`, `3DES112`, `RC4_56`, `DES`, `RC4_40`, `DES40` | A list of encryption algorithms used by the client. The client attempts to decrypt the server input by trying each algorithm in order, proceeding until an algorithm succeeds or the end of the list is reached. Amazon RDS uses the following default list from Oracle. RDS starts with `RC4_256` and proceeds down the list in order. You can change the order or limit the algorithms that the DB instance will accept. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Oracle.Options.NNE.Options.html) You can specify either one value or a comma-separated list of values. If you a comma, don't insert a space after the comma; otherwise, you receive an `InvalidParameterValue` error. This parameter and `SQLNET.SQLNET.ENCRYPTION_TYPES_SERVER` must have a common cipher. | | `SQLNET.ENCRYPTION_TYPES_SERVER` | `RC4_256`, `AES256`, `AES192`, `3DES168`, `RC4_128`, `AES128`, `3DES112`, `RC4_56`, `DES`, `RC4_40`, `DES40` | `RC4_256`, `AES256`, `AES192`, `3DES168`, `RC4_128`, `AES128`, `3DES112`, `RC4_56`, `DES`, `RC4_40`, `DES40` | A list of encryption algorithms used by the DB instance. The DB instance uses each algorithm, in order, to attempt to decrypt the client input until an algorithm succeeds or until the end of the list is reached. Amazon RDS uses the following default list from Oracle. You can change the order or limit the algorithms that the client will accept. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Oracle.Options.NNE.Options.html) You can specify either one value or a comma-separated list of values. If you a comma, don't insert a space after the comma; otherwise, you receive an `InvalidParameterValue` error. This parameter and `SQLNET.SQLNET.ENCRYPTION_TYPES_SERVER` must have a common cipher. |