Cipher suites
The following cipher suites are included with Platform. They are Federal Information Processing Standard (FIPS) compliant and validated with the installed java.security file settings. Unless you define a different set of cipher suites, these are the cipher suites used for the SSL handshake on an SSL connection.
Cipher |
---|
SSL_RSA_WITH_3DES_EDE_CBC_SHA |
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA |
TLS_RSA_WITH_AES_128_CBC_SHA |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
Was this page helpful? Yes No
Submitting...
Thank you
Comments
When will this list be updated? 3DES is no longer considered secure enough, and SSL_RSA... and SSL_DHE... are no longer secure. What about the 256-bit and 384-bit ciphers?
Hi Greg,
Thanks for bringing it our notice. I will work with the team to get it updated soon.
@Shweta_Hardikar please reference case #00756690 for updates.
Effectively, only RSA ciphers using RSA, DH_RSA, and DHE_RSA are currently supported. DSA and ECC signed certificates have not been tested. Diffie-Hellman Ephemeral (DHE) and Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) ciphers are not supported with v8.2.0.
CBC ciphers are potentially insecure and are being reported as causing issues.
Standard Diffie-Hellman (DH) and Elliptic-Curve Diffie-Hellman (ECDH) ciphers are deprecated in TLSv1.3. The TLSv1.3 standard mandates use of Diffie-Hellman Ephemeral (DHE) ciphers.
It's now been more than 3 months with no updates...
Hi Greg,
Apologies for the delayed update.
We've not yet upgraded to TLS v1.3, hence, the Cipher Suites listed here are the ones still included in this version of the platform. As part of the case, you may have received an updated list by the customer engineering team. However, these are still the ones available out-of-the-box.
Let me know if this is good.
You've obviously missed the point. Yes, the listed cipher suites are the supported cipher suites. You are continuing to include insecure, potentially insecure, and deprecated suites that should no longer be used. As I noted from case #00756690, "only RSA ciphers using RSA, DH_RSA, and DHE_RSA are currently supported." The list above includes SSL cipher suites, 3DES cipher suites, and all of them use CBC cipher suites, which are being reported as causing issues and are considered to be potentially insecure.
Hi Greg,
I understand your concern, however, the team is working on updating the ciphers for the upcoming release. We will update the doc after the new ciphers are validated.
Log in or register to comment.