Configuring a Cipher Suites List Using TLS v1.3

Support for TLS v1.3 is enabled by default and will be negotiated in preference to older TLS protocols when the peer also supports TLS v1.3.

TLS v1.3 is the most secure TLS protocol available and brings with it new cipher suites and configuration options. It uses a shortened and more efficient initial connection negotiation sequence resulting in quicker connection times.

When updating existing installations, it is good practice to configure earlier TLS versions to operate alongside TLS v1.3. Once all peers have been upgraded to support TLS v1.3 you can disable the earlier TLS variants.

TLS v1.3 has reduced the requirement for long descriptive option lists that were used in TLS v1.2 and earlier. The following three aspects of negotiation have different configuration requirements from earlier version of TLS:

  • Cipher & Hash
  • Key Exchange
  • Signature Algorithm

The three aspects of negotiation are now configured separately. This means that the Cipher suites field cannot be used to configure the TLS v1.3 Cipher and Hash collections. You can specify the TLS v1.3 cipher suites in the TLS1.3 Cipher Suites field in ESCWA.

TLS1.3 Cipher Suites

The following are the new collections of cipher suites used in TLS v1.3:

  • TLS_AES_256_GCM_SHA384 (Enabled by default)
  • TLS_CHACHA20_POLY1305_SHA256 (Enabled by default)
  • TLS_AES_128_GCM_SHA256 (Enabled by default)
  • TLS_AES_128_CCM_8_SHA256
  • TLS_AES_128_CCM_SHA256
Note: The last two collections need to be explicitly added if required. When creating a list, each collection is space separated, for example:
TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256