The following table lists cipher suites that are shipped with the appliance for the different versions of SGOS.
Notes:
In the Strength column, "Export" refers to the 1990s-era cryptography export restrictions that limited key length to 40 bytes. Those restrictions are no longer in force, but the Export strength category remains in OpenSSL. These ciphers are thus supported on the appliance for historical reasons.

In the Shipped with Versions column, if a specific release (such as "7.3.11") is listed, that means that the cipher is available starting in that release.

Access logs record unsupported ciphers under their hex values. For example, TLS_AES_128_GCM_SHA256 is unsupported on version 6.7.x and is access-logged as “0x1301(unsupported)”.

In Disabled by Default:
#(config ssl)proxy dhe-ciphers enable CLI command to enable these ciphers.

The ciphers are in order from modern to legacy.

The column Available Only in Forward Proxy Upstream Connections notes the (EC)DSA/DSS suites that are available only on upstream forward proxy connections for versions earlier than 7.4.10.

| Cipher Name on the Appliance | Hex Value | IANA Name | Strength | Key Size (Bits) | Shipped with Versions | Disabled by Default | Available Only in Forward Proxy Upstream Connections | Allowed in FIPS 140-3 (Mgmt) |
|---|---|---|---|---|---|---|---|---|
| TLS_AES_256_GCM_SHA384 | 0x1302 | TLS_AES_256_GCM_SHA384 | High | 256 | 7.x | | | |
| TLS_AES_128_GCM_SHA256 | 0x1301 | TLS_AES_128_GCM_SHA256 | High | 128 | 7.x | | | |
| TLS_CHACHA20_POLY1305_SHA256 | 0x1303 | TLS_CHACHA20_POLY1305_SHA256 | High | 256 | 7.x | | | |
| TLS_AES_128_CCM_8_SHA256 | 0x1305 | TLS_AES_128_CCM_8_SHA256 | High | 128 | 7.x | | | |
| TLS_AES_128_CCM_SHA256 | 0x1304 | TLS_AES_128_CCM_SHA256 | High | 128 | 7.x | | | |
| ECDHE-ECDSA-AES256-GCM-SHA384 | 0xC02C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | High | 256 | 7.x | | 4 | |
| ECDHE-ECDSA-AES128-GCM-SHA256 | 0xC02B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | High | 128 | 7.x | | 4 | |
| ECDHE-RSA-AES256-GCM-SHA384 | 0xC030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | High | 256 | 7.x | | | |
| ECDHE-RSA-AES128-GCM-SHA256 | 0xC02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | High | 128 | 7.x | | | |
| ECDHE-ECDSA-AES256-SHA384 | 0xC024 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | High | 256 | 7.x | 2 | | 4 |
| ECDHE-ECDSA-AES128-SHA256 | 0xC023 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | High | 128 | 7.x | 2 | | |
| ECDHE-RSA-AES256-SHA384 | 0xC028 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | High | 256 | 7.x | | | |
| ECDHE-RSA-AES128-SHA256 | 0xC027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | High | 128 | 7.x | | | |
| ECDHE-ECDSA-AES256-SHA | 0xC00A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | High | 256 | 7.x | 2 | | 4 |
| ECDHE-ECDSA-AES128-SHA | 0xC009 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | High | 128 | 7.x | 2 | | 4 |
| ECDHE-RSA-AES256-SHA | 0xC014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | High | 256 | 7.x | | | |
| ECDHE-RSA-AES128-SHA | 0xC013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | High | 128 | 7.x | | | |
| DHE-RSA-AES256-GCM-SHA384 | 0x009F | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | High | 256 | 7.x | | | |
| DHE-RSA-AES128-GCM-SHA256 | 0x009E | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | High | 128 | 7.x | | | |
| DHE-DSS-AES256-GCM-SHA384 | 0x00A3 | TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | High | 256 | 7.x | | | |
| DHE-DSS-AES128-GCM-SHA256 | 0x00A2 | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | Medium | 128 | 7.x | | | |
| DHE-RSA-AES256-SHA | 0x0039 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | High | 256 | 7.x | 1, 2 | | |
| DHE-RSA-AES128-SHA | 0x0033 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | High | 128 | 7.x | | | |
| DHE-DSS-AES256-SHA256 | 0x006A | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | High | 256 | 7.x | | | |
| DHE-DSS-AES128-SHA256 | 0x0040 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | Medium | 128 | 7.x | | | |
| DHE-DSS-AES256-SHA | 0x0038 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA | High | 256 | 7.x | | | |
| DHE-DSS-AES128-SHA | 0x0032 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA | Medium | 128 | 7.x | | | |
| AES256-GCM-SHA384 | 0x009D | TLS_RSA_WITH_AES_256_GCM_SHA384 | High | 256 | 7.x | | | |
| AES128-GCM-SHA256 | 0x009C | TLS_RSA_WITH_AES_128_GCM_SHA256 | High | 128 | 7.x | | | |
| AES256-SHA256 | 0x003D | TLS_RSA_WITH_AES_256_CBC_SHA256 | High | 256 | 7.x | | | |
| AES128-SHA256 | 0x003C | TLS_RSA_WITH_AES_128_CBC_SHA256 | High | 128 | 7.x | | | |
| AES256-SHA | 0x0035 | TLS_RSA_WITH_AES_256_CBC_SHA | High | 256 | 7.x | | | |
| AES128-SHA | 0x002F | TLS_RSA_WITH_AES_128_CBC_SHA | Medium | 128 | 7.x | | | |
| ECDHE-ECDSA-RC4-SHA | 0xC007 | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | High | 128 | 7.x | 2 | | |
| ECDHE-RSA-RC4-SHA | 0xC011 | TLS_ECDHE_RSA_WITH_RC4_128_SHA | High | 128 | 7.x | | | |
| DES-CBC3-SHA | 0x000A | TLS_RSA_WITH_3DES_EDE_CBC_SHA | High | 168 | 7.x | | | |
| RC4-SHA | 0x0005 | TLS_RSA_WITH_RC4_128_SHA | Medium | 128 | 7.x | | | |
| RC4-MD5 | 0x0004 | TLS_RSA_WITH_RC4_128_MD5 | Medium | 128 | 7.x | | | |
| DES-CBC-SHA | 0x0009 | TLS_RSA_WITH_DES_CBC_SHA | Low | 56 | 6.5 to 7.1 | 2 |