Cipher Suites Shipped With the ProxySG and ASG Appliances
Article ID: 170130
Updated On:
Products
Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS
Issue/Introduction
The following table lists cipher suites that are shipped with the appliance for a specific version of SGOS.
For additional information, refer to the "Managing X.509 Certificates" chapter in the SGOS Administration Guide.
Resolution
Notes:
- In the Strength column, "Export" refers to the 1990s-era cryptography export restrictions that limited key length to 40 bytes. Those restrictions are no longer in force, but the Export strength category remains in OpenSSL. These ciphers are thus supported on the appliance for historical reasons.
- In the Shipped with columns, "x" means that the cipher is available in all releases of the specified version.
- In the Shipped with columns, a specific release (such as "6.6.5.13") means that the cipher is available starting in that release.
- Access logs record unsupported ciphers under their hex values. For example, TLS_AES_128_GCM_SHA256 is unsupported on version 6.7.x and is access-logged as
“0x1301(unsupported)”.
| Cipher Name on the Appliance | Hex Value | IANA Name | Strength |
Key Size |
Shipped with 6.5.x | Shipped with 6.6.x | Shipped with 6.7.x | Shipped with 7.1.x | Shipped with 7.2.x |
|---|---|---|---|---|---|---|---|---|---|
| AES128-SHA256 | 0x003C | TLS_RSA_WITH_AES_128_CBC_SHA256 | High | 128 | x | x | x | x | x |
| AES256-SHA256 | 0x003D | TLS_RSA_WITH_AES_256_CBC_SHA256 | High | 256 | x | x | x | x | |
| AES128-SHA | 0x002F | TLS_RSA_WITH_AES_128_CBC_SHA | Medium | 128 | x | x | x | x | x |
| AES256-SHA | 0x0035 | TLS_RSA_WITH_AES_256_CBC_SHA | High | 256 | x | x | x | x | x |
| DHE-RSA-AES128-SHA | 0x0033 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | High | 128 | x | x | x | x | x |
| DHE-RSA-AES256-SHA | 0x0039 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | High | 256 | x | x | x | x | x |
| DES-CBC3-SHA | 0x000A | TLS_RSA_WITH_3DES_EDE_CBC_SHA | High | 168 | x | x | x | x | x |
| RC4-SHA | 0x0005 | TLS_RSA_WITH_RC4_128_SHA | Medium | 128 | x | x | x | x | x |
| RC4-MD5 | 0x0004 | TLS_RSA_WITH_RC4_128_MD5 | Medium | 128 | x | x | x | x | x |
| DES-CBC-SHA | 0x0009 | TLS_RSA_WITH_DES_CBC_SHA | Low | 56 | x | x | x | x | |
| EXP-DES-CBC-SHA | 0x0008 | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | Export | 40 | x | x | x | x | |
| EXP-RC4-MD5 | 0x0003 | TLS_RSA_EXPORT_WITH_RC4_40_MD5 | Export | 40 | x | x | x | x | |
| EXP-RC2-CBC-MD5 | 0x0006 | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | Export | 40 | x | x | x | x | |
| AES128-GCM-SHA256 | 0x009C | TLS_RSA_WITH_AES_128_GCM_SHA256 | High | 128 | x | x | x | ||
| AES256-GCM-SHA384 | 0x009D | TLS_RSA_WITH_AES_256_GCM_SHA384 | High | 256 | 6.5.10.6 | 6.6.5.13 | x | x | x |
| TLS_AES_256_GCM_SHA384 | 0x1302 | TLS_AES_256_GCM_SHA384 | High | 256 |
|
x | |||
| TLS_CHACHA20_POLY1305_SHA256 | 0x1303 | TLS_CHACHA20_POLY1305_SHA256 | High | 256 |
|
x | |||
| TLS_AES_128_GCM_SHA256 | 0x1301 | TLS_AES_128_GCM_SHA256 | High | 128 |
|
x | |||
| TLS_AES_128_CCM_8_SHA256 | 0x1305 | TLS_AES_128_CCM_8_SHA256 | High | 128 |
|
x | |||
| TLS_AES_128_CCM_SHA256 | 0x1304 | TLS_AES_128_CCM_SHA256 | High | 128 |
|
x | |||
| The appliance supports HTTPS interception in forward proxy mode when sites use the following DHE-DSS ciphers. These ciphers are available in upstream connections in forward proxy mode: | |||||||||
| DHE-DSS-AES128-SHA | 0x0032 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA | Medium | 128 | x | x | x | x | x |
| DHE-DSS-AES128-SHA256 | 0x0040 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | Medium | 128 | x | x | x | x | x |
| DHE-DSS-AES256-SHA | 0x0038 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA | High | 256 | x | x | x | x | x |
| DHE-DSS-AES256-SHA256 | 0x006A | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | High | 256 | x | x | x | x | x |
| DHE-DSS-DES-CBC-SHA | 0x0012 | TLS_DHE_DSS_WITH_DES_CBC_SHA | Low | 56 | x | x | x | x | |
| DHE-DSS-DES-CBC3-SHA | 0x0013 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | Medium | 168 | x | x | x | x | x |
| EXP-DHE-DSS-DES-CBC-SHA | 0x0011 | TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | Export | 40 | x | x | x | x | |
| DHE-DSS-AES256-GCM-SHA384 | 0x00A3 | TLS_DHE_DSS_WITH_AES_128_GCM_SHA384 | High | 256 | 6.6.5.13 |
x | x | x | |
| DHE-DSS-AES128-GCM-SHA256 | 0x00A2 | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | Medium | 128 | 6.6.5.13 |
x | x | x | |
| DHE-RSA-AES128-GCM-SHA256 | 0x009E | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | High | 128 | 6.5.10.6 | 6.6.5.13 |
x | x | x |
| DHE-RSA-AES256-GCM-SHA384 | 0x009F | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | High | 256 | 6.5.10.6 | 6.6.5.13 |
x | x | x |
| The appliance supports HTTPS interception in forward proxy mode when sites use the following ECDHE ciphers. The following variants of ECDHE-RSA are available in upstream connections in forward proxy mode: | |||||||||
| ECDHE-RSA-AES128-SHA | 0xC013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | High | 128 | 6.5.6.1 |
Also in reverse proxy mode. |
x | x | x |
| ECDHE-RSA-AES256-SHA | 0xC014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | High | 256 | 6.5.6.1 |
Also in reverse proxy mode. |
x | x | x |
| ECDHE-RSA-AES128-SHA256 | 0xC027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | High | 128 | 6.5.6.1 |
6.6.5.13 Also in reverse proxy mode. |
x | x | x |
| ECDHE-RSA-AES128-GCM-SHA256 | 0xC02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | High | 128 | 6.5.6.1 |
6.6.5.13 Also in reverse proxy mode. |
x | x | x |
| ECDHE-RSA-RC4-SHA | 0xC011 | TLS_ECDHE_RSA_WITH_RC4_128_SHA | High | 256 | 6.5.6.1 |
6.6.5.13 Also in reverse proxy mode. |
x | x | x |
| The appliance supports HTTPS interception in forward proxy mode when sites use the following ECDHE ciphers. The following variants of ECDHE-DSA are available in upstream connections in forward proxy mode: | |||||||||
| ECDHE-ECDSA-AES128-SHA256 | 0xC023 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | High | 128 | 6.5.7.1 |
x | x | x | x |
| ECDHE-ECDSA-AES128-GCM-SHA256 | 0xC02B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | High | 128 | 6.5.7.1 |
6.6.5.13 |
x | x | x |
| ECDHE-ECDSA-RC4-SHA | 0xC007 | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | High | 128 | 6.5.7.1 |
x | x | x | x |
| ECDHE-ECDSA-AES128-SHA | 0xC009 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | High | 128 | 6.5.7.1 |
x | x | x | x |
| ECDHE-ECDSA-AES256-SHA | 0xC00A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | High | 256 | 6.5.7.1 | x | x | x | x |
| The appliance supports HTTPS interception in forward proxy mode when sites use the following SHA384 ciphers. The following variants of ECDHE-ECDSA are available in upstream connections in forward proxy mode: | |||||||||
| ECDHE-ECDSA-AES256-SHA384 | 0xC024 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | High | 256 | 6.5.10.6 | 6.6.5.13 | x | x | x |
| ECDHE-ECDSA-AES256-GCM-SHA384 | 0xC02C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | High | 256 | 6.5.10.6 | 6.6.5.13 | x | x | x |
| ECDHE-RSA-AES256-SHA384 | 0xC028 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | High | 256 | 6.5.10.6 | 6.6.5.13 | x | x | x |
| ECDHE-RSA-AES256-GCM-SHA384 | 0xC030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | High | 256 | 6.5.10.6 | 6.6.5.13 | x | x | x |
Feedback
Powered by
