TLS 1.2 Compliant Ciphers in API Gateway

Document ID : KB000098486
Last Modified Date : 18/01/2019
Question:
  • What are the compatible cipher suites to be enabled for TLSv1.2?
Answer:
  • There is a list of supported cipher suites in the documentation here: https://docops.ca.com/ca-api-gateway/9-1/en/configure-security/tasks-menu-security-options/manage-http-options/selecting-cipher-suites
  • Based on the list of strong cipher suites, the following could be used as one example:
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_AES_256_GCM_SHA384
  • One suggestion is to use TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, as it provides the following:
    • Integrity checking (GCM)
    • Perfect forward secrecy (ECDHE)
    • Strong encryption (AES_256)
    • Strong hashing algorithm (SHA384)
    • A key signed with an RSA certificate authority, which is supported by most internal certificate authorities
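As an added illustration (not code from the CA API Gateway product or its documentation), the following Python script breaks IANA-style cipher suite names such as the ones listed above into key exchange, authentication, cipher, mode and hash, and reports which of the page's properties each suite gives: forward secrecy from an ephemeral (ECDHE/DHE) key exchange, integrity from an AEAD mode such as GCM, the symmetric key size, and the hash. The parsing rules are an assumption based on the IANA `TLS_<KX>_<AUTH>_WITH_<CIPHER>_<MODE>_<HASH>` naming convention; the suite list from the answer is embedded as constructed input, and the function names are the author's own.

```python
"""Classify TLS 1.2 cipher suite names by the properties the KB answer lists.

Added example, not part of the CA API Gateway product or documentation.
Assumes the IANA naming convention TLS_<KX>[_<AUTH>]_WITH_<CIPHER>[_<MODE>]_<HASH>.
"""
import re
from dataclasses import dataclass

# Constructed input: the example list from the KB answer above.
KB_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]

# Regex for the IANA suite name layout (hypothetical helper, covers the common
# RSA/ECDSA suites; PSK and other families are left out for brevity).
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|ECDH|DHE|DH|RSA)(?:_(?P<auth>ECDSA|RSA|anon))?"
    r"_WITH_(?P<cipher>AES_128|AES_256|CHACHA20_POLY1305|3DES_EDE_CBC|RC4_128|NULL)"
    r"(?:_(?P<mode>GCM|CBC|CCM(?:_8)?))?_(?P<hash>SHA384|SHA256|SHA)$"
)

KEY_BITS = {"AES_128": 128, "AES_256": 256, "CHACHA20_POLY1305": 256,
            "3DES_EDE_CBC": 112, "RC4_128": 128, "NULL": 0}


@dataclass(frozen=True)
class SuiteProfile:
    name: str
    key_exchange: str
    authentication: str
    cipher: str
    mode: str
    hash_alg: str

    @property
    def forward_secrecy(self) -> bool:
        # Ephemeral (EC)DH generates a fresh key per session, so a later
        # compromise of the server's long-term key does not expose old traffic.
        return self.key_exchange in ("ECDHE", "DHE")

    @property
    def aead(self) -> bool:
        # GCM/CCM and ChaCha20-Poly1305 authenticate the ciphertext themselves,
        # which is the "integrity checking (GCM)" property the answer mentions.
        return self.mode in ("GCM", "CCM", "CCM_8") or self.cipher == "CHACHA20_POLY1305"

    @property
    def key_bits(self) -> int:
        return KEY_BITS[self.cipher]


def parse_suite(name: str) -> SuiteProfile:
    """Split an IANA suite name into its components; raise on unknown layouts."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx = m.group("kx")
    # TLS_RSA_WITH_... is RSA key transport: the certificate key both
    # authenticates the server and encrypts the premaster secret, so no
    # separate authentication token appears in the name.
    auth = m.group("auth") or kx
    return SuiteProfile(name, kx, auth, m.group("cipher"),
                        m.group("mode") or "", m.group("hash"))


def without_forward_secrecy(names):
    """Suites whose key exchange is static, i.e. they lack the ECDHE/DHE property."""
    return [n for n in names if not parse_suite(n).forward_secrecy]


def prefer_forward_secrecy(names):
    """Stable reordering that places ephemeral-key-exchange suites first."""
    return sorted(names, key=lambda n: 0 if parse_suite(n).forward_secrecy else 1)


def summarize(names):
    """Map each suite name to the properties discussed in the KB answer."""
    out = {}
    for n in names:
        p = parse_suite(n)
        out[n] = {"kx": p.key_exchange, "auth": p.authentication,
                  "forward_secrecy": p.forward_secrecy, "aead": p.aead,
                  "key_bits": p.key_bits, "hash": p.hash_alg}
    return out


if __name__ == "__main__":
    for name, props in summarize(KB_SUITES).items():
        print(f"{name:45s} {props}")
    print("No forward secrecy:", without_forward_secrecy(KB_SUITES))
```

Run against the page's own list, the script shows that the three static-key-exchange suites (TLS_ECDH_ECDSA, TLS_ECDH_RSA and TLS_RSA) share the AES-256-GCM and SHA384 properties with the recommended suite but do not give forward secrecy, which is why the ECDHE variant is singled out in the answer; `prefer_forward_secrecy` is a simple way to order an enabled-suite list so that those variants are negotiated first.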
Additional Information:
  • Using the strong cipher suites should allow for an "A" rating on SSLLabs (a tool for checking the strength of a server's certificate and TLS configuration)