DBA Hub


TLS and Wallet Enhancements in Oracle Database 23ai/26ai

Oracle 23ai/26ai includes several enhancements to Transport Layer Security (TLS) and wallets, simplifying configuration, and making the database more secure.

Tags: oracle 23, configuration, intermediate
by OracleDba
52 views
1. Transport Layer Security (TLS) 1.3 Support

Oracle 23ai/26ai supports TLS 1.3. The documentation contains some notes about configuration, but chances are you won't need to do anything to take advantage of it, assuming the other endpoints support it too.

- Migrating to Transport Layer Security Version 1.3
2. TLS Connections Without Wallets

From Oracle 23ai/26ai onward it is possible to use the root certificates in the operating system certificate store to validate database callouts, rather than using a client wallet. This is demonstrated in the following article.

- Transport Layer Security (TLS) Connections without a Client Wallet in Oracle Database 23ai/26ai
3. Improved Local Auto-Login Wallets

Local auto-login wallets are now more tightly bound to their host, whether it is physical or virtual, making them more secure than those created in previous versions of the database.
4. TLS Certificate DN Match

From 23ai/26ai onward DN matching has been tightened up to include checking listener and server certificates. The SSL_ALLOW_WEAK_DN_MATCH parameter defaults to FALSE, but setting it to TRUE in the "sqlnet.ora" file reduces DN matching security to the level of previous releases. Despite being new, the parameter is already deprecated, so it should only be used as a stop-gap if the tightened security causes a problem.
5. Prevent Use of Deprecated Cipher Suites

From Oracle 23ai/26ai onward we can prevent the use of deprecated cipher suites by setting a new parameter in the "sqlnet.ora" file. This parameter defaults to TRUE, so we must explicitly set it to FALSE to prevent the use of weak ciphers.

For more information see:

- Migrating to Transport Layer Security Version 1.3
- Transport Layer Security Connections without a Client Wallet
- Improved and More Secure Local Auto-Login Wallets
- New sqlnet.ora Parameter to Prevent the Use of Deprecated Ciphers
- Use of the SSL_ALLOW_WEAK_DN_MATCH Parameter to Control SSL_SERVER_DN_MATCH
- Transport Layer Security (TLS) Connections without a Client Wallet in Oracle Database 23ai/26ai

Hope this helps. Regards Tim...
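The settings from steps 1, 4 and 5 all live in "sqlnet.ora", so a quick way to catch a weak configuration after an upgrade is to parse that file and compare it against the hardened values. The script below is an added example, not code from this page or from Oracle: it embeds a constructed "legacy" sqlnet.ora beside a constructed hardened one and reports which settings weaken the 23ai/26ai TLS posture. SSL_SERVER_DN_MATCH and SSL_ALLOW_WEAK_DN_MATCH are named on this page; SSL_ENABLE_WEAK_CIPHERS is the name Oracle's Net Services documentation uses for the deprecated-cipher parameter that the page leaves unnamed. The parser only handles one-parameter-per-line entries, which is enough for these settings.

```python
"""Audit a client or server sqlnet.ora for the TLS settings discussed above.

Added example, not code from the page or from Oracle. Sample file contents are
constructed; the parser only handles one-parameter-per-line entries.
"""
from __future__ import annotations

from pathlib import Path

# Parameter names: SSL_SERVER_DN_MATCH and SSL_ALLOW_WEAK_DN_MATCH are named on the
# page; SSL_ENABLE_WEAK_CIPHERS is the name Oracle's Net Services documentation uses
# for the 23ai "deprecated ciphers" parameter, which the page leaves unnamed.
TRUE_VALUES = {"TRUE", "YES", "ON"}

# Constructed sample: a client sqlnet.ora carried over from an older release.
LEGACY_SQLNET_ORA = """\
# pins the protocol version, so TLS 1.3 is never negotiated
SSL_VERSION = 1.2
SSL_SERVER_DN_MATCH = TRUE
# deprecated stop-gap that relaxes 23ai DN matching
SSL_ALLOW_WEAK_DN_MATCH = TRUE
# SSL_ENABLE_WEAK_CIPHERS is not set, so it takes its default of TRUE
"""

# Constructed sample: the same file with the 23ai/26ai hardening applied.
HARDENED_SQLNET_ORA = """\
SSL_VERSION = 1.3
SSL_SERVER_DN_MATCH = TRUE
SSL_ALLOW_WEAK_DN_MATCH = FALSE
SSL_ENABLE_WEAK_CIPHERS = FALSE
"""


def parse_sqlnet_ora(text: str) -> dict[str, str]:
    """Return {PARAMETER: value} for single-line 'NAME = value' entries.

    Comment lines start with '#'. Keys are upper-cased; one surrounding layer of
    quotes or parentheses is stripped from the value, e.g. (1.3) -> 1.3.
    """
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] + value[-1] in ('""', "''", "()"):
            value = value[1:-1].strip()
        params[key.strip().upper()] = value
    return params


def audit_tls_settings(params: dict[str, str]) -> list[str]:
    """Return one finding per setting that weakens the 23ai/26ai TLS defaults."""
    findings: list[str] = []

    def is_true(value: str | None, default: str) -> bool:
        return (value if value is not None else default).upper() in TRUE_VALUES

    # Step 1: an explicit SSL_VERSION that excludes 1.3 prevents TLS 1.3 from being used.
    version = params.get("SSL_VERSION")
    if version is not None and "1.3" not in version:
        findings.append(f"SSL_VERSION={version}: TLS 1.3 cannot be negotiated")

    # Step 4: disabling DN matching outright removes the certificate identity check.
    if params.get("SSL_SERVER_DN_MATCH", "").upper() == "FALSE":
        findings.append("SSL_SERVER_DN_MATCH=FALSE: server certificate DN is not checked")

    # Step 4: defaults to FALSE; TRUE restores the weaker pre-23ai DN matching.
    if is_true(params.get("SSL_ALLOW_WEAK_DN_MATCH"), default="FALSE"):
        findings.append("SSL_ALLOW_WEAK_DN_MATCH=TRUE: DN matching relaxed to pre-23ai level (deprecated)")

    # Step 5: the deprecated-cipher parameter defaults to TRUE and must be set to FALSE.
    if is_true(params.get("SSL_ENABLE_WEAK_CIPHERS"), default="TRUE"):
        findings.append("SSL_ENABLE_WEAK_CIPHERS is TRUE or unset: deprecated cipher suites allowed")

    return findings


def audit_file(path: str) -> list[str]:
    """Audit a real sqlnet.ora on disk (e.g. $ORACLE_HOME/network/admin/sqlnet.ora)."""
    return audit_tls_settings(parse_sqlnet_ora(Path(path).read_text()))


if __name__ == "__main__":
    for name, content in (("legacy", LEGACY_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        findings = audit_tls_settings(parse_sqlnet_ora(content))
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed samples, the legacy file produces three findings (pinned SSL_VERSION, SSL_ALLOW_WEAK_DN_MATCH=TRUE, and the unset cipher parameter falling back to its TRUE default) while the hardened file produces none. Point `audit_file()` at a real sqlnet.ora to check an upgraded client or server; the absence-counts-as-TRUE rule for SSL_ENABLE_WEAK_CIPHERS is the check most likely to catch a file that was never touched after the upgrade.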
