The default setting for the Cipher suites list is specified as follows:
@SECLEVEL=0 kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM +3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP
This list provides the following security in order of priority:
The default cipher list results in the following cipher collection, which contains medium strength ciphers when used with an RSA certificate:
Cipher Suite Name (OpenSSL) | Key Exchange | Encryption | Key Length |
---|---|---|---|
ECDHE-RSA-AES256-GCM-SHA384 | ECDH 256 | AES GCM | 256 |
ECDHE-RSA-AES256-SHA384 | ECDH 256 | AES | 256 |
ECDHE-RSA-AES256-SHA | ECDH 256 | AES | 256 |
DHE-RSA-AES256-GCM-SHA384 | DH 1024 | AES GCM | 256 |
DHE-RSA-AES256-SHA256 | DH 1024 | AES | 256 |
DHE-RSA-AES256-SHA | DH 1024 | AES | 256 |
DHE-RSA-CAMELLIA256-SHA | DH 1024 | Camellia | 256 |
AES256-GCM-SHA384 | RSA | AES GCM | 256 |
AES256-SHA256 | RSA | AES | 256 |
AES256-SHA | RSA | AES | 256 |
CAMELLIA256-SHA | RSA | Camellia | 256 |
ECDHE-RSA-AES128-GCM-SHA256 | ECDH 256 | AES GCM | 128 |
ECDHE-RSA-AES128-SHA256 | ECDH 256 | AES | 128 |
ECDHE-RSA-AES128-SHA | ECDH 256 | AES | 128 |
DHE-RSA-AES128-GCM-SHA256 | DH 1024 | AES GCM | 128 |
DHE-RSA-AES128-SHA256 | DH 1024 | AES | 128 |
DHE-RSA-AES128-SHA | DH 1024 | AES | 128 |
DHE-RSA-SEED-SHA | DH 1024 | SEED | 128 |
DHE-RSA-CAMELLIA128-SHA | DH 1024 | Camellia | 128 |
AES128-GCM-SHA256 | RSA | AES GCM | 128 |
AES128-SHA256 | RSA | AES | 128 |
AES128-SHA | RSA | AES | 128 |
SEED-SHA | RSA | SEED | 128 |
CAMELLIA128-SHA | RSA | Camellia | 128 |
ECDHE-RSA-DES-CBC3-SHA | ECDH 256 | 3DES | 168 |
EDH-RSA-DES-CBC3-SHA | DH 1024 | 3DES | 168 |
DES-CBC3-SHA | RSA | 3DES | 168 |
Micro Focus suggests using the following Cipher suites string to provide improved security:
HIGH:!SSLv2:!RC4:!aNULL@STRENGTH
When used with an RSA certificate this Cipher suites string provides the following cipher collection:
Cipher Suite Name (OpenSSL) | Key Exchange | Encryption | Key Length |
---|---|---|---|
ECDHE-RSA-AES256-GCM-SHA384 | ECDH 256 | AES GCM | 256 |
ECDHE-RSA-AES256-SHA384 | ECDH 256 | AES | 256 |
ECDHE-RSA-AES256-SHA | ECDH 256 | AES | 256 |
DHE-RSA-AES256-GCM-SHA384 | DH 1024 | AES GCM | 256 |
DHE-RSA-AES256-SHA256 | DH 1024 | AES | 256 |
DHE-RSA-AES256-SHA | DH 1024 | AES | 256 |
DHE-RSA-CAMELLIA256-SHA | DH 1024 | Camellia | 256 |
AES256-GCM-SHA384 | RSA | AES GCM | 256 |
AES256-SHA256 | RSA | AES | 256 |
AES256-SHA | RSA | AES | 256 |
CAMELLIA256-SHA | RSA | Camellia | 256 |
ECDHE-RSA-AES128-GCM-SHA256 | ECDH 256 | AES GCM | 128 |
ECDHE-RSA-AES128-SHA256 | ECDH 256 | AES | 128 |
ECDHE-RSA-AES128-SHA | ECDH 256 | AES | 128 |
DHE-RSA-AES128-GCM-SHA256 | DH 1024 | AES GCM | 128 |
DHE-RSA-AES128-SHA256 | DH 1024 | AES | 128 |
DHE-RSA-AES128-SHA | DH 1024 | AES | 128 |
DHE-RSA-CAMELLIA128-SHA | DH 1024 | Camellia | 128 |
AES128-GCM-SHA256 | RSA | AES GCM | 128 |
AES128-SHA256 | RSA | AES | 128 |
AES128-SHA | RSA | AES | 128 |
CAMELLIA128-SHA | RSA | Camellia | 128 |
You can add or remove individual cipher suites as required. To order the available cipher suites you can use a combination of cipher operators. See Configuring a TLS Protocols String for more information.
Cipher suites can be included in your preferred list but they may not be offered to clients if their certificate and keys do not support that cipher suite.
If both the ECDSA and RSA methods of authentication are supported by the cipher list, then configuring a strong cipher list is independent of the type of authentication being supported. For example, when being used with RSA certificates the ECDSA aspect of the cipher list is ignored.
The Cipher suites string is ordered in priority with the highest preference first and the lowest preference last.
Should you require compatibility with older browsers or clients then insert MEDIUM after HIGH and remove !MEDIUM, as follows:
kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM +SHA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP
The use of MEDIUM allows the use of older SSL3 and TLS1 cipher suites which would otherwise be unusable even though those older protocols may have been selected.
The above cipher suite lists break down as follows: