Skip to content

cipher-suites.md

Latest commit

 

History

History
221 lines (169 loc) · 11.9 KB

cipher-suites.md

File metadata and controls

221 lines (169 loc) · 11.9 KB
copyright
years
2024, 2026
lastupdated 2026-04-29
keywords
subcollection cis

{{site.data.keyword.attribute-definition-list}}

Setting up cipher suites

{: #set-up-cipher-suites}

Cipher suites are a combination of algorithms and protocols that help to secure network connections during the TLS handshake. {{site.data.keyword.cis_full}} secures network connections by using edge and origin cipher suites. {: shortdesc}

Edge cipher suites

{: #edge-cipher-suites}

The following ciphers are supported at the cloud edge. You can restrict the ciphers that are used for your domain through the CIS CLI plugin to the IBM Cloud CLI. See the ciphers option on the domain settings command.

OpenSSL Name TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 IANA name
ECDHE-ECDSA-AES128-GCM-SHA256 Available TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE-ECDSA-CHACHA20-POLY1305 Available TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE-RSA-AES128-GCM-SHA256 Available TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-CHACHA20-POLY1305 Available TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-AES128-SHA256 Available TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ECDHE-ECDSA-AES128-SHA Available Available Available TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES128-SHA256 Available TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ECDHE-RSA-AES128-SHA Available Available Available TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
AES128-GCM-SHA256 Available TLS_RSA_WITH_AES_128_GCM_SHA256
AES128-SHA256 Available TLS_RSA_WITH_AES_128_CBC_SHA256
AES128-SHA Available Available Available TLS_RSA_WITH_AES_128_CBC_SHA
ECDHE-ECDSA-AES256-GCM-SHA384 Available TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE-ECDSA-AES256-SHA384 Available TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
ECDHE-RSA-AES256-GCM-SHA384 Available TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-AES256-SHA384 Available TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
ECDHE-RSA-AES256-SHA Available Available Available TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
AES256-GCM-SHA384 Available TLS_RSA_WITH_AES_256_GCM_SHA384
AES256-SHA256 Available TLS_RSA_WITH_AES_256_CBC_SHA256
AES256-SHA Available Available Available TLS_RSA_WITH_AES_256_CBC_SHA
DES-CBC3-SHA Available TLS_RSA_WITH_3DES_EDE_CBC_SHA
AEAD-AES128-GCM-SHA256 Available TLS_AES_128_GCM_SHA256
AEAD-AES256-GCM-SHA384 Available TLS_AES_256_GCM_SHA384
AEAD-CHACHA20-POLY1305-SHA256 Available TLS_CHACHA20_POLY1305_SHA256
{: caption="Edge cipher suites" caption-side="bottom"}

Origin cipher suites

{: #origin-cipher-suites}

The following ciphers are supported at the origin. You can restrict the ciphers that are used for your domain through the CIS CLI plugin to the IBM Cloud CLI. See the ciphers option on the domain settings command.

OpenSSL Name TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 IANA name
AEAD-AES128-GCM-SHA256 1 Available TLS_AES_128_GCM_SHA256
AEAD-AES256-GCM-SHA384 2 Available TLS_AES_256_GCM_SHA384
AEAD-CHACHA20-POLY1305-SHA256 3 Available TLS_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-AES128-GCM-SHA256 Available TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-AES128-GCM-SHA256 Available TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-AES128-SHA Available Available Available TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
AES128-GCM-SHA256 Available TLS_RSA_WITH_AES_128_GCM_SHA256
AES128-SHA Available Available Available TLS_RSA_WITH_AES_128_CBC_SHA
ECDHE-ECDSA-AES256-GCM-SHA384 Available TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-AES256-SHA384 Available TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
AES256-SHA Available Available Available TLS_RSA_WITH_AES_256_CBC_SHA
DES-CBC3-SHA Available TLS_RSA_WITH_3DES_EDE_CBC_SHA
{: caption="Origin cipher suites" caption-side="bottom"}

Managing cipher suites from the CLI

{: #cli-manage-cipher-suites} {: cli}

You can manage cipher suites from the CLI.

Getting the cipher suites from the CLI

{: #get-cipher-suites}

To list the cipher variable, run the following command:

ibmcloud cis domain-settings DNS_DOMAIN_ID [-g, --group GROUP | -f, --feature FEATURE] [-i, --instance INSTANCE] [--output FORMAT]

{: pre}

Command options

{: #command-options-cipher}

DNS_DOMAIN_ID : The ID of the DNS domain. This option is required.

-f, --feature : Specifies the domain setting feature to check. This option is mutually exclusive with -g, --group. Set this option to the following variable: - ciphers: Defines an allowlist of TLS cipher suites for edge TLS termination, using the BoringSSL cipher format. This command lists only cipher suites that customers have explicitly allowlisted. If no cipher suites are allowlisted, the command returns an empty list and uses the default cipher suites. For the list of default cipher suites, see Edge cipher suites.

Example

{: #get-cipher-example}

Get ciphers settings for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis domain-settings 31984fea73a15b45779fa0df4ef62f9b --feature "ciphers" --instance "cis-demo"

{: pre}

For more information, see ibmcloud cis domain-settings.

Updating the cipher suites from the CLI

{: #update-cipher-suites}

To update the cipher variable, run the following command:

ibmcloud cis domain-settings-update DNS_DOMAIN_ID (-f, --feature FEATURE) (-v, --value VALUE) [-i, --instance INSTANCE] [--output FORMAT]

{: pre}

Command options

{: #update-command-options}

DNS_DOMAIN_ID : The ID of the DNS domain. This option is required.

-f, --feature : Feature of domain settings to update. This option is required. Valid cipher value is: - ciphers : An allowlist of ciphers for TLS termination. These ciphers must be in the BoringSSL format.

-v, --value : Specifies the value to set for the feature on the domain. This option is required. - Valid values for tls_client_auth are on and off. - Valid values for ciphers are: - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA - AES128-GCM-SHA256 - AES128-SHA256 - AES128-SHA - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA - AES256-GCM-SHA384 - AES256-SHA256 - AES256-SHA - DES-CBC3-SHA - default

: For example, use -v default to reset the specific configured cipher suites like -v AES256-SHA256,AES256-SHA, to the default value.

Example

{: #update-cipher-example}

Enable tls_client_auth for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis domain-settings-update 31984fea73a15b45779fa0df4ef62f9b --feature tls_client_auth --value on --instance "cis-demo"

{: pre}

For more information, see ibmcloud cis domain-settings-update.

To revert to the default cipher list, specify -v default after -f ciphers. {: note}

Managing cipher suites with the API

{: #api-manage-cipher-suites} {: api}

You can manage cipher suites with the API.

Getting ciphers with the API

{: #api-get-cipher}

To get ciphers with the API, take the following steps.

  1. Set up your environment with the right variables.
  2. Store any variables to be used in the API commands. For example,
    • crn (string): The full URL-encoded cloud resource name (CRN) of the resource instance.
    • zone_identifier (string): The zone identifier.
  3. When all variables are initiated, get the ciphers:
curl -X GET https://api.cis.cloud.ibm.com/v1/:crn/zones/:zone_id/settings/ciphers -H 'content-type: application/json' -H 'accept: application/json' -H 'x-auth-user-token: Bearer xxxxxx'

{: pre}

Updating ciphers with the API

{: #api-update-cipher}

To update ciphers with the API, take the following steps.

  1. Set up your environment with the right variables.
  2. Store any variables to be used in the API commands. For example,
    • crn (string): The full URL-encoded cloud resource name (CRN) of the resource instance.
    • zone_identifier (string): The zone identifier.
    • value(string): The cipher suites that you want to include.
  3. When all variables are initiated, get the ciphers:
curl -X PATCH https://api.cis.cloud.ibm.com/v1/:crn/zones/:zone_id/settings/ciphers -H 'content-type: application/json' -H 'x-auth-user-token: Bearer xxxxxx' -d '{"value": ["AES256-GCM-SHA384", "AES256-SHA256"]}'

{: pre}

Footnotes

  1. Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, specifying only the symmetric ciphers, and can't be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites can't be used with TLS 1.3 (IETF TLS 1.3 draft 21). BoringSSL also hardcodes cipher preferences in this order for TLS 1.3.

  2. Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, specifying only the symmetric ciphers, and can't be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites can't be used with TLS 1.3 (IETF TLS 1.3 draft 21). BoringSSL also hardcodes cipher preferences in this order for TLS 1.3.

  3. Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, specifying only the symmetric ciphers, and can't be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites can't be used with TLS 1.3 (IETF TLS 1.3 draft 21). BoringSSL also hardcodes cipher preferences in this order for TLS 1.3.