Configuring a Cipher Suites List Using TLS v1.2 and Earlier

The Cipher suites field enables you to specify the list of ciphers to be used in order of preference of use. You can modify the Cipher suites available for use with your chosen TLS protocols string. The Cipher suites string is made up of:
  • Operators, such as those used in the TLS protocols string.
  • Keyword ciphers such as ALL, HIGH, MEDIUM, and LOW.
  • Cipher suites using a specific authentication or key agreement, such as ECDH.
The full list of permitted cipher strings is defined by OpenSSL. See the OpenSSL documentation for more information.
Note: The Cipher suites string is limited to 255 characters.

The default setting for the Cipher suites list is specified as follows:

@SECLEVEL=1 kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM !3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP

This list provides the following security in order of priority:

@SECLEVEL=1
Restricts the available signature algorithms and cipher suites in OpenSSL to a baseline secure collection. This is to prevent the accidental use of weaker or broken cryptography. This breaks compatibility with older certificates such as MD5 and those using small keys. This will also prevent connections to systems using TLS 1.1 and earlier, and connections from clients that do not send the signature algorithms extension.
kEECDH+ECDSA
The faster Elliptic Curve Cryptography (ECC) collection which supports Perfect Forward Security (PFS).
kEECDH
The remaining collection also supports PFS but uses the slower RSA keys.
kEDH
The remaining Diffie-Helman suites.
HIGH
All remaining high security suites not listed above.
MEDIUM
All remaining medium security suites not listed above.
!3DES
Specifies not to use any 3DES ciphers.
+SHA
Move all the older SHA suites to the end of the list.
!RC4
Specifies not to use any RC4 suites.
!aNULL
Specifies not to use any ciphers that do not authenticate.
!eNULL
Specifies not to use any ciphers that do not encrypt.
!LOW
Specifies not to use any low strength security cipher suites.
!MD5
Specifies not to use any MD5 ciphers.
!EXP
Specifies not to use any EXPORT strength ciphers.

The default cipher list results in the following cipher collection, which contains medium strength ciphers when used with an RSA certificate:

Cipher Suite Name (OpenSSL) Key Exchange Encryption Key Length
ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AES GCM 256
ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256
ECDHE-RSA-AES256-SHA ECDH 256 AES 256
DHE-RSA-AES256-GCM-SHA384 DH 1024 AES GCM 256
DHE-RSA-AES256-SHA256 DH 1024 AES 256
DHE-RSA-AES256-SHA DH 1024 AES 256
DHE-RSA-CAMELLIA256-SHA DH 1024 Camellia 256
AES256-GCM-SHA384 RSA AES GCM 256
AES256-SHA256 RSA AES 256
AES256-SHA RSA AES 256
CAMELLIA256-SHA RSA Camellia 256
ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AES GCM 128
ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128
ECDHE-RSA-AES128-SHA ECDH 256 AES 128
DHE-RSA-AES128-GCM-SHA256 DH 1024 AES GCM 128
DHE-RSA-AES128-SHA256 DH 1024 AES 128
DHE-RSA-AES128-SHA DH 1024 AES 128
DHE-RSA-SEED-SHA DH 1024 SEED 128
DHE-RSA-CAMELLIA128-SHA DH 1024 Camellia 128
AES128-GCM-SHA256 RSA AES GCM 128
AES128-SHA256 RSA AES 128
AES128-SHA RSA AES 128
SEED-SHA RSA SEED 128
CAMELLIA128-SHA RSA Camellia 128
ECDHE-RSA-DES-CBC3-SHA ECDH 256 3DES 168
EDH-RSA-DES-CBC3-SHA DH 1024 3DES 168
DES-CBC3-SHA RSA 3DES 168

Micro Focus suggests using the following Cipher suites string to provide improved security:

HIGH:!SSLv2:!RC4:!aNULL@STRENGTH

When used with an RSA certificate this Cipher suites string provides the following cipher collection:

Cipher Suite Name (OpenSSL) Key Exchange Encryption Key Length
ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AES GCM 256
ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256
ECDHE-RSA-AES256-SHA ECDH 256 AES 256
DHE-RSA-AES256-GCM-SHA384 DH 1024 AES GCM 256
DHE-RSA-AES256-SHA256 DH 1024 AES 256
DHE-RSA-AES256-SHA DH 1024 AES 256
DHE-RSA-CAMELLIA256-SHA DH 1024 Camellia 256
AES256-GCM-SHA384 RSA AES GCM 256
AES256-SHA256 RSA AES 256
AES256-SHA RSA AES 256
CAMELLIA256-SHA RSA Camellia 256
ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AES GCM 128
ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128
ECDHE-RSA-AES128-SHA ECDH 256 AES 128
DHE-RSA-AES128-GCM-SHA256 DH 1024 AES GCM 128
DHE-RSA-AES128-SHA256 DH 1024 AES 128
DHE-RSA-AES128-SHA DH 1024 AES 128
DHE-RSA-CAMELLIA128-SHA DH 1024 Camellia 128
AES128-GCM-SHA256 RSA AES GCM 128
AES128-SHA256 RSA AES 128
AES128-SHA RSA AES 128
CAMELLIA128-SHA RSA Camellia 128

You can add or remove individual cipher suites as required. To order the available cipher suites you can use a combination of cipher operators. See Configuring a TLS Protocols String for more information.

Cipher suites can be included in your preferred list but they may not be offered to clients if their certificate and keys do not support that cipher suite.

If both the ECDSA and RSA methods of authentication are supported by the cipher list, then configuring a strong cipher list is independent of the type of authentication being supported. For example, when being used with RSA certificates the ECDSA aspect of the cipher list is ignored.

The Cipher suites string is ordered in priority with the highest preference first and the lowest preference last.

Note: The default Security Level will be increased to 2 (@SECLEVEL=2) in the 10 release of Enterprise Developer for Visual Studio.