Cipher Suites Shipped With the Edge SWG (Proxy SG) and ASG Appliances

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

The following table lists cipher suites that are shipped with the appliance for a specific version of SGOS.

For additional information, refer to the "Managing X.509 Certificates" chapter in the SGOS Administration Guide.

Notes:

The following table lists cipher suites that are provided with the appliance for a specific version of SGOS.

For additional information, refer to the "Managing X.509 Certificates" chapter in the SGOS Administration Guide.

Notes:

- In the Strength column, "Export" refers to the 1990s-era cryptography export restrictions that limited key length to 40 bytes. Those restrictions are no longer in force, but the Export strength category remains in OpenSSL. These ciphers are thus supported on the appliance for historical reasons.
- In the ‘Shipped with Versions’ column, a specific release (such as "6.6.5.13") means that the cipher is available starting in that release.
- Access logs record unsupported ciphers under their hex values. For example, TLS_AES_128_GCM_SHA256 is unsupported on version 6.7.x and is access-logged as “0x1301(unsupported)”.
- In ‘Disabled by Default’:
  - Note 1: DHE ciphers are disabled by default. Use #(config ssl)proxy dhe-ciphers enable to enable.
  - Note 2: For HTTPS Management console - CBC and weak ciphers are disabled by default

Resolution

Orders of the ciphers are from modern to legacy. A new column reflecting (EC)DSA/DSS available only on upstream fwd proxy connections. In addition, a column for FIPS 140-3 management plane ciphers.

Cipher Name on the Appliance	Hex Value	IANA Name	Strength	Key Size (Bits)	Shipped with Versions	Disabled by Default	Available only in forward proxy upstream connection	Allowed in FIPS 140-3 (Mgmt)
TLS_AES_256_GCM_SHA384	0x1302	TLS_AES_256_GCM_SHA384	High	256	7.2+			Y
TLS_AES_128_GCM_SHA256	0x1301	TLS_AES_128_GCM_SHA256	High	128	7.2+			Y
TLS_CHACHA20_POLY1305_SHA256	0x1303	TLS_CHACHA20_POLY1305_SHA256	High	256	7.2+
TLS_AES_128_CCM_8_SHA256	0x1305	TLS_AES_128_CCM_8_SHA256	High	128	7.2+			Y
TLS_AES_128_CCM_SHA256	0x1304	TLS_AES_128_CCM_SHA256	High	128	7.2+			Y
ECDHE-ECDSA-AES256-GCM-SHA384	0xC02C	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384	High	256	6.5.10.6+, 6.6.5.13+, 6.7 to 7.x		X
ECDHE-ECDSA-AES128-GCM-SHA256	0xC02B	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256	High	128	6.5.7.1+, 6.6.5.13+, 6.7 to 7.x		X
ECDHE-RSA-AES256-GCM-SHA384	0xC030	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	High	256	6.5.10.6+, 6.6.5.13+, 6.7 to 7.x			Y
ECDHE-RSA-AES128-GCM-SHA256	0xC02F	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	High	128	6.5.6.1+, 6.6.5.13+, 6.7 to 7.x			Y
ECDHE-ECDSA-AES256-SHA384	0xC024	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384	High	256	6.5.10.6+, 6.6.5.13+, 6.7 to 7.x		X
ECDHE-ECDSA-AES128-SHA256	0xC023	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256	High	128	6.5.7.1 to 7.x		X
ECDHE-RSA-AES256-SHA384	0xC028	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384	High	256	6.5.10.6+, 6.6.5.13+, 6.7 to 7.x	2		Y
ECDHE-RSA-AES128-SHA256	0xC027	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256	High	128	6.5.6.1+, 6.6.5.13+, 6.7 to 7.x	2		Y
ECDHE-ECDSA-AES256-SHA	0xC00A	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	High	256	6.5.7.1 to 7.x		X
ECDHE-ECDSA-AES128-SHA	0xC009	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA	High	128	6.5.7.1 to 7.x		X
ECDHE-RSA-AES256-SHA	0xC014	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	High	256	6.5.6.1+, 6.6.5.13+, 6.7 to 7.x	2		Y
ECDHE-RSA-AES128-SHA	0xC013	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	High	128	6.5.6.1+, 6.6.5.13+, 6.7 to 7.x	2		Y
DHE-RSA-AES256-GCM-SHA384	0x009F	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384	High	256	6.5.10.6+, 6.6.5.13+, 6.7 to 7.x	1		Y
DHE-RSA-AES128-GCM-SHA256	0x009E	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256	High	128	6.5.10.6+, 6.6.5.13+, 6.7 to 7.x	1		Y
DHE-DSS-AES256-GCM-SHA384	0x00A3	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384	High	256	6.6.5.13 to 7.x	1	X
DHE-DSS-AES128-GCM-SHA256	0x00A2	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256	Medium	128	6.6.5.13 to 7.x	1	X
DHE-RSA-AES256-SHA	0x0039	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	High	256	6.5 to 7.x	1		Y
DHE-RSA-AES128-SHA	0x0033	TLS_DHE_RSA_WITH_AES_128_CBC_SHA	High	128	6.5 to 7.x	1		Y
DHE-DSS-AES256-SHA256	0x006A	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256	High	256	6.5 to 7.x	1	X
DHE-DSS-AES128-SHA256	0x0040	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256	Medium	128	6.5 to 7.x	1	X
DHE-DSS-AES256-SHA	0x0038	TLS_DHE_DSS_WITH_AES_256_CBC_SHA	High	256	6.5 to 7.x	1	X
DHE-DSS-AES128-SHA	0x0032	TLS_DHE_DSS_WITH_AES_128_CBC_SHA	Medium	128	6.5 to 7.x	1	X
AES256-GCM-SHA384	0x009D	TLS_RSA_WITH_AES_256_GCM_SHA384	High	256	6.5.10.6+, 6.6.5.13+, 6.7 to to 7.x
AES128-GCM-SHA256	0x009C	TLS_RSA_WITH_AES_128_GCM_SHA256	High	128	6.7 to 7.x
AES256-SHA256	0x003D	TLS_RSA_WITH_AES_256_CBC_SHA256	High	256	6.6 to 7.x	2
AES128-SHA256	0x003C	TLS_RSA_WITH_AES_128_CBC_SHA256	High	128	6.5 to 7.x	2
AES256-SHA	0x0035	TLS_RSA_WITH_AES_256_CBC_SHA	High	256	6.5 to 7.x	2
AES128-SHA	0x002F	TLS_RSA_WITH_AES_128_CBC_SHA	Medium	128	6.5 to 7.x	2
ECDHE-ECDSA-RC4-SHA	0xC007	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA	High	128	6.5.7.1 to 7.x		X
ECDHE-RSA-RC4-SHA	0xC011	TLS_ECDHE_RSA_WITH_RC4_128_SHA	High	128	6.5.6.1+, 6.6.5.13+, 6.7 to 7.x	2
DHE-DSS-DES-CBC3-SHA	0x0013	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA	Medium	168	6.5 to 7.1	1	X
DES-CBC3-SHA	0x000A	TLS_RSA_WITH_3DES_EDE_CBC_SHA	High	168	6.5 to 7.x	2
RC4-SHA	0x0005	TLS_RSA_WITH_RC4_128_SHA	Medium	128	6.5 to 7.x	2
RC4-MD5	0x0004	TLS_RSA_WITH_RC4_128_MD5	Medium	128	6.5 to 7.x	2
DES-CBC-SHA	0x0009	TLS_RSA_WITH_DES_CBC_SHA	Low	56	6.5 to 7.1	2
EXP-DES-CBC-SHA	0x0008	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA	Export	40	6.5 to 7.1	2
EXP-RC4-MD5	0x0003	TLS_RSA_EXPORT_WITH_RC4_40_MD5	Export	40	6.5 to 7.1	2
EXP-RC2-CBC-MD5	0x0006	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	Export	40	6.5 to 7.1	2
DHE-DSS-DES-CBC-SHA	0x0012	TLS_DHE_DSS_WITH_DES_CBC_SHA	Low	56	6.5 to 7.1	1	X
EXP-DHE-DSS-DES-CBC-SHA	0x0011	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA	Export	40	6.5 to 7.1	1	X