Manage cipher suites

This section describes how to define the cipher suites that can be used during secure exchanges between Transfer CFT and the access management connector.

Set the cipher suites

This section describes how to specify the cipher suites using the following parameters:

  • ssl.ciphersuites
  • copilot.ssl.sslciphersuites

Procedure

You can use these UCONF parameters to define the cipher suites. Each value is an int_list of decimal IANA TLS cipher suite identifiers (for example, 49200 is 0xC030, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384); only the identifiers listed in the Supported suites table below are accepted.

Parameter: ssl.ciphersuites
Description: Defines the cipher suites that can be used between the Transfer CFT connectors.
Type: int_list
Possible values: See the table below
Default value: 49200, 49199, 156, 157, 60, 61, 47, 53

Parameter: copilot.ssl.sslciphersuites
Description: Defines the cipher suites that can be used between the Transfer CFT UI client and UI server.
Type: int_list
Possible values: See the table below
Default value: $(ssl.ciphersuites), that is, the value of ssl.ciphersuites unless set explicitly

Supported suites

Suite   Authentication                                   Confidentiality   Integrity
1       RSA authentication (512, 1024, 2048, or 4096)    None              MD5
2       RSA authentication (512, 1024, 2048, or 4096)    None              SHA-1
4       RSA authentication (512, 1024, 2048, or 4096)    RC4               MD5
5       RSA authentication (512, 1024, 2048, or 4096)    RC4               SHA-1
9       RSA authentication (512, 1024, 2048, or 4096)    DES               SHA-1
10      RSA authentication (512, 1024, 2048, or 4096)    Triple DES        SHA-1
47      RSA authentication (512, 1024, 2048, or 4096)    AES-128           SHA-1
53      RSA authentication (512, 1024, 2048, or 4096)    AES-256           SHA-1
59*     RSA authentication (512, 1024, 2048, or 4096)    None              SHA-256
60*     RSA authentication (512, 1024, 2048, or 4096)    AES-128           SHA-256
61*     RSA authentication (512, 1024, 2048, or 4096)    AES-256           SHA-256
156     RSA authentication                               AES-128 GCM       SHA-256
157     RSA authentication                               AES-256 GCM       SHA-384
49191   ECDHE + RSA authentication                       AES-128           SHA-256
49192   ECDHE + RSA authentication                       AES-256           SHA-384
49199   ECDHE + RSA authentication                       AES-128 GCM       SHA-256
49200   ECDHE + RSA authentication                       AES-256 GCM       SHA-384

Suites 1, 2, and 59 provide integrity only (Confidentiality: None), so the transferred data is sent in clear text; suites 4, 5, and 9 rely on RC4 or single DES, and suites 1 and 4 on MD5. They are listed for interoperability with legacy partners and none of them is part of the default value; configure them only when a partner cannot negotiate anything stronger. Only the ECDHE suites (49191, 49192, 49199, 49200) provide forward secrecy.
Note *In order to comply with security standards, as of version 3.2.0 Transfer CFT restricts the use of cipher suites 59, 60, and 61 to TLS 1.2 only. As a result, these suites cannot be used to interoperate with a Transfer CFT whose version is lower than 3.2.0. When 59, 60, or 61 are configured on both sides of such a mixed-version connection, the two instances do not fail the connection but fall back to the same alternative suite that both have defined in their cipher suite lists, so keep at least one suite other than 59, 60, and 61 in the list on both sides.

Perfect Forward Secrecy support

Transfer CFT supports Perfect Forward Secrecy (PFS) with the ECDHE_RSA cipher suites (49191, 49192, 49199, and 49200). With PFS, the session keys are not derived from the long-term RSA key pair: each session negotiates a fresh ephemeral key, so a later compromise of the private key does not allow previously recorded sessions to be decrypted, and a compromised session key exposes only that one session. The RSA-only suites (for example 47, 53, 60, 61, 156, and 157) do not offer this protection, because their session keys are encrypted directly under the server's RSA public key.

For more information, refer to www.perfectforwardsecrecy.com
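The following script is an added example rather than code from Transfer CFT or Axway: it parses an int_list value such as the ssl.ciphersuites default, names each suite using the IANA TLS cipher suite registry (the decimal IDs in the table above are those registry values), flags the suites a reviewer would question (no encryption, RC4 or DES, MD5 or SHA-1 HMAC, CBC mode, no forward secrecy), and keeps only the ECDHE + AES-GCM suites that satisfy the Perfect Forward Secrecy section. The function names are illustrative, and the CFTUTIL UCONFSET command string it prints is an assumed syntax, shown only to illustrate applying the result; check it against your product's command reference before use.

```python
"""
Audit a Transfer CFT cipher suite list (ssl.ciphersuites or
copilot.ssl.sslciphersuites) against the Supported suites table.

Added example, not Axway code. Suite IDs are the decimal form of the IANA
TLS cipher suite identifiers (49200 == 0xC030); the names come from the
IANA registry. The CFTUTIL command string is an assumed syntax.
"""
from typing import Dict, List, Tuple

# Suite IDs from the Supported suites table, mapped to their IANA names.
SUITES: Dict[int, str] = {
    1: "TLS_RSA_WITH_NULL_MD5",
    2: "TLS_RSA_WITH_NULL_SHA",
    4: "TLS_RSA_WITH_RC4_128_MD5",
    5: "TLS_RSA_WITH_RC4_128_SHA",
    9: "TLS_RSA_WITH_DES_CBC_SHA",
    10: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    47: "TLS_RSA_WITH_AES_128_CBC_SHA",
    53: "TLS_RSA_WITH_AES_256_CBC_SHA",
    59: "TLS_RSA_WITH_NULL_SHA256",
    60: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    61: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    156: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    157: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    49191: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    49192: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    49199: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    49200: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# The documented default value of ssl.ciphersuites.
DEFAULT = "49200, 49199, 156, 157, 60, 61, 47, 53"


def parse_int_list(value: str) -> List[int]:
    """Parse a UCONF int_list such as '49200, 49199,156' into suite IDs.

    Unknown IDs are rejected so that a typo (e.g. 4920) cannot silently
    shrink the list to the remaining, possibly weaker, suites.
    """
    ids: List[int] = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        suite = int(token)
        if suite not in SUITES:
            raise ValueError(f"suite {suite} is not in the Supported suites table")
        ids.append(suite)
    return ids


def problems(suite: int) -> List[str]:
    """Reasons a reviewer would flag this suite, derived from its IANA name."""
    name = SUITES[suite]
    found: List[str] = []
    if "_NULL_" in name:
        found.append("no encryption (confidentiality: None)")
    if "_RC4_" in name or "_DES_CBC_" in name:   # single DES only; 3DES is '_3DES_'
        found.append("broken cipher (RC4 or single DES)")
    if "_3DES_" in name:
        found.append("64-bit block cipher (3DES)")
    if name.endswith("_MD5"):
        found.append("MD5 HMAC")
    if name.endswith("_SHA"):                    # '_SHA' with no digits is SHA-1
        found.append("SHA-1 HMAC")
    if "_CBC_" in name:
        found.append("CBC mode, not AEAD")
    if "ECDHE" not in name:
        found.append("static RSA key exchange, no forward secrecy")
    return found


def audit(value: str) -> List[Tuple[int, str, List[str]]]:
    """Return (id, IANA name, problems) for every suite in a configured value."""
    return [(s, SUITES[s], problems(s)) for s in parse_int_list(value)]


def harden(value: str) -> List[int]:
    """Keep only suites with no findings (ECDHE + AES-GCM), in the original order."""
    kept = [s for s in parse_int_list(value) if not problems(s)]
    if not kept:
        raise ValueError("no acceptable suite left; add 49199 and/or 49200")
    return kept


def cftutil_command(param: str, ids: List[int]) -> str:
    """Assumed CFTUTIL UCONFSET syntax, for illustration only."""
    return f"CFTUTIL UCONFSET ID={param}, VALUE='{','.join(str(s) for s in ids)}'"


if __name__ == "__main__":
    for suite, name, why in audit(DEFAULT):
        print(f"{suite:>5}  {name:<40} {'; '.join(why) or 'OK'}")
    print(cftutil_command("ssl.ciphersuites", harden(DEFAULT)))
```

Run against the documented default, the audit reports no finding for 49200 and 49199, only the missing forward secrecy for 156 and 157, and CBC mode plus missing forward secrecy for 60, 61, 47, and 53; harden() therefore keeps 49200 and 49199. Whether that reduced list is acceptable depends on your partners: a remote Transfer CFT older than 3.2.0, or any peer that cannot negotiate ECDHE, still needs one of the RSA suites present, so review the audit output rather than applying the hardened list blindly.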
