TLS 1.2 compliant ciphers

Document ID : KB000098486
Last Modified Date : 05/06/2018
Question:
Please let us know compatible ciphers to be enabled with TLS1.2.
Answer:
A long list of supported cipher suites is available in the online documentation:
https://docops.ca.com/ca-api-gateway/9-1/en/configure-security/tasks-menu-security-options/manage-http-options/selecting-cipher-suites

Ideas

Based on that list, some strong cipher suites to use are:
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
My personal preference would be to use TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as it provides
  • Integrity checking: GCM
  • Perfect forward secrecy: ECDHE
  • Uses strong encryption: AES_256
  • Uses a strong hashing algorithm: SHA384
  • It uses a key signed with an RSA certificate authority which is supported by most internal certificate authorities.
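
The breakdown above can be applied to every suite in the list. The following is an added example, not part of the original article or the product documentation. It splits each TLS 1.2 suite name into its components and reports which of the listed suites use an ephemeral key exchange (ECDHE or DHE), the property that gives forward secrecy. The function and field names are assumptions chosen for illustration.

```python
import re

# Cipher suite names copied from the list in this article.
PAGE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]

# Name layout: TLS_<key exchange>[_<authentication>]_WITH_<cipher>_<hash>
_SUITE_RE = re.compile(r"^TLS_(?P<kx>.+)_WITH_(?P<cipher>.+)_(?P<hash>SHA\d*|MD5)$")
# Only ephemeral key exchanges provide forward secrecy.
_EPHEMERAL = {"ECDHE", "DHE"}


def parse_suite(name):
    """Split a TLS 1.2 style suite name into its components."""
    m = _SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"not a TLS 1.2 style suite name: {name!r}")
    kx_parts = m.group("kx").split("_")
    key_exchange = kx_parts[0]
    # TLS_RSA_WITH_... uses RSA for both key exchange and authentication.
    authentication = kx_parts[1] if len(kx_parts) > 1 else key_exchange
    cipher = m.group("cipher")
    return {
        "key_exchange": key_exchange,
        "authentication": authentication,
        "cipher": cipher,
        "hash": m.group("hash"),
        "forward_secrecy": key_exchange in _EPHEMERAL,
        "aead": cipher.endswith(("_GCM", "_CCM", "_CCM_8"))
        or cipher == "CHACHA20_POLY1305",
    }


def without_forward_secrecy(suites):
    """Return the suites whose key exchange is static (no forward secrecy)."""
    return [s for s in suites if not parse_suite(s)["forward_secrecy"]]


if __name__ == "__main__":
    for suite in PAGE_SUITES:
        p = parse_suite(suite)
        print(f"{suite}: kx={p['key_exchange']} auth={p['authentication']} "
              f"fs={p['forward_secrecy']} aead={p['aead']}")
```

Run against the list in this article, the static RSA and static ECDH suites are reported as lacking forward secrecy, while the ECDHE and DHE suites have it.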