Cipher Suites Shipped With the ProxySG and ASG Appliances

Article ID: 170130

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

The following table lists cipher suites that are shipped with the appliance for a specific version of SGOS.

For additional information, refer to the "Managing X.509 Certificates" chapter in the SGOS Administration Guide.

Notes:

  • In the Strength column, "Export" refers to the 1990s-era cryptography export restrictions that limited key length to 40 bytes. Those restrictions are no longer in force, but the Export strength category remains in OpenSSL. These ciphers are thus supported on the appliance for historical reasons. 
  • In the Shipped with Versions column, a specific release (such as "6.6.5.13") means that the cipher is available starting in that release.
  • Access logs record unsupported ciphers under their hex values. For example, TLS_AES_128_GCM_SHA256 is unsupported on version 6.7.x and is access-logged as “0x1301(unsupported)”.
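
The access-log behaviour in the last note can be turned into a quick audit. The following is an added example, not code from the vendor or from the SGOS documentation: it counts `0x....(unsupported)` tokens by IANA name and flags lines that negotiated a cipher this article rates Export or Low. The log field layout, the sample lines, and the assumption that supported ciphers are logged under their appliance names are all constructed for illustration.

```python
import re
from collections import Counter

# Hex value -> IANA name, copied from this article's table (subset).
HEX_TO_IANA = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
# Appliance cipher names the table rates Export or Low.
WEAK_NAMES = {
    "EXP-DES-CBC-SHA", "EXP-RC4-MD5", "EXP-RC2-CBC-MD5", "DES-CBC-SHA",
    "DHE-DSS-DES-CBC-SHA", "EXP-DHE-DSS-DES-CBC-SHA",
}
# The token format "0x1301(unsupported)" is the one quoted in the note above.
UNSUPPORTED = re.compile(r"\b0x([0-9A-Fa-f]{4})\(unsupported\)")

# Constructed sample lines; the field layout is an assumption, not SGOS's format.
SAMPLE_LOG = [
    "2024-01-01 10:00:01 192.0.2.5 CONNECT example.test 443 0x1301(unsupported)",
    "2024-01-01 10:00:02 192.0.2.6 CONNECT example.test 443 ECDHE-RSA-AES128-GCM-SHA256",
    "2024-01-01 10:00:03 192.0.2.7 CONNECT legacy.test 443 EXP-RC4-MD5",
    "2024-01-01 10:00:04 192.0.2.5 CONNECT example.test 443 0x1303(unsupported)",
    "2024-01-01 10:00:05 192.0.2.8 CONNECT example.test 443 0x1301(unsupported)",
    "2024-01-01 10:00:06 192.0.2.9 CONNECT other.test 443 0xCCA8(unsupported)",
]

def summarize(lines):
    """Return (Counter of unsupported suites by IANA name, [(line_no, weak cipher)])."""
    unsupported, weak = Counter(), []
    for line_no, line in enumerate(lines, 1):
        for match in UNSUPPORTED.finditer(line):
            code = int(match.group(1), 16)
            # Codes missing from the map are kept, labelled unknown, not dropped.
            name = HEX_TO_IANA.get(code, f"unknown(0x{code:04X})")
            unsupported[name] += 1
        for field in line.split():
            if field in WEAK_NAMES:
                weak.append((line_no, field))
    return unsupported, weak

if __name__ == "__main__":
    counts, weak_hits = summarize(SAMPLE_LOG)
    for name, n in counts.most_common():
        print(f"{n:3d}  {name}")
    for line_no, cipher in weak_hits:
        print(f"line {line_no}: weak cipher {cipher}")
```

A high count of unsupported TLS 1.3 suites on a 6.7.x appliance indicates traffic that the version cannot match to a cipher in its shipped list; extend `HEX_TO_IANA` with the remaining rows of the table as needed.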

Resolution

| Cipher Name on the Appliance | Hex Value | IANA Name | Strength | Key Size in Bits | Shipped with Versions |
|---|---|---|---|---|---|
| AES128-SHA256 | 0x003C | TLS_RSA_WITH_AES_128_CBC_SHA256 | High | 128 | 6.5 to 7.x |
| AES256-SHA256 | 0x003D | TLS_RSA_WITH_AES_256_CBC_SHA256 | High | 256 | 6.6 to 7.x |
| AES128-SHA | 0x002F | TLS_RSA_WITH_AES_128_CBC_SHA | Medium | 128 | 6.5 to 7.x |
| AES256-SHA | 0x0035 | TLS_RSA_WITH_AES_256_CBC_SHA | High | 256 | 6.5 to 7.x |
| DHE-RSA-AES128-SHA | 0x0033 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | High | 128 | 6.5 to 7.x |
| DHE-RSA-AES256-SHA | 0x0039 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | High | 256 | 6.5 to 7.x |
| DES-CBC3-SHA | 0x000A | TLS_RSA_WITH_3DES_EDE_CBC_SHA | High | 168 | 6.5 to 7.x |
| RC4-SHA | 0x0005 | TLS_RSA_WITH_RC4_128_SHA | Medium | 128 | 6.5 to 7.x |
| RC4-MD5 | 0x0004 | TLS_RSA_WITH_RC4_128_MD5 | Medium | 128 | 6.5 to 7.x |
| DES-CBC-SHA | 0x0009 | TLS_RSA_WITH_DES_CBC_SHA | Low | 56 | 6.5 to 7.1 |
| EXP-DES-CBC-SHA | 0x0008 | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | Export | 40 | 6.5 to 7.1 |
| EXP-RC4-MD5 | 0x0003 | TLS_RSA_EXPORT_WITH_RC4_40_MD5 | Export | 40 | 6.5 to 7.1 |
| EXP-RC2-CBC-MD5 | 0x0006 | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | Export | 40 | 6.5 to 7.1 |
| AES128-GCM-SHA256 | 0x009C | TLS_RSA_WITH_AES_128_GCM_SHA256 | High | 128 | 6.7 to 7.x |
| AES256-GCM-SHA384 | 0x009D | TLS_RSA_WITH_AES_256_GCM_SHA384 | High | 256 | 6.5.10.6+, 6.6.5.13+, 6.7 to 7.x |
| TLS_AES_256_GCM_SHA384 | 0x1302 | TLS_AES_256_GCM_SHA384 | High | 256 | 7.2, 7.3 |
| TLS_CHACHA20_POLY1305_SHA256 | 0x1303 | TLS_CHACHA20_POLY1305_SHA256 | High | 256 | 7.2, 7.3 |
| TLS_AES_128_GCM_SHA256 | 0x1301 | TLS_AES_128_GCM_SHA256 | High | 128 | 7.2, 7.3 |
| TLS_AES_128_CCM_8_SHA256 | 0x1305 | TLS_AES_128_CCM_8_SHA256 | High | 128 | 7.2, 7.3 |
| TLS_AES_128_CCM_SHA256 | 0x1304 | TLS_AES_128_CCM_SHA256 | High | 128 | 7.2, 7.3 |

The appliance supports HTTPS interception in forward proxy mode when sites use the following DHE-DSS ciphers. These ciphers are available in upstream connections in forward proxy mode:

| Cipher Name on the Appliance | Hex Value | IANA Name | Strength | Key Size in Bits | Shipped with Versions |
|---|---|---|---|---|---|
| DHE-DSS-AES128-SHA | 0x0032 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA | Medium | 128 | 6.5 to 7.x |
| DHE-DSS-AES128-SHA256 | 0x0040 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | Medium | 128 | 6.5 to 7.x |
| DHE-DSS-AES256-SHA | 0x0038 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA | High | 256 | 6.5 to 7.x |
| DHE-DSS-AES256-SHA256 | 0x006A | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | High | 256 | 6.5 to 7.x |
| DHE-DSS-DES-CBC-SHA | 0x0012 | TLS_DHE_DSS_WITH_DES_CBC_SHA | Low | 56 | 6.5 to 7.1 |
| DHE-DSS-DES-CBC3-SHA | 0x0013 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | Medium | 168 | 6.5 to 7.1 |
| EXP-DHE-DSS-DES-CBC-SHA | 0x0011 | TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | Export | 40 | 6.5 to 7.x |
| DHE-DSS-AES256-GCM-SHA384 | 0x00A3 | TLS_DHE_DSS_WITH_AES_128_GCM_SHA384 | High | 256 | 6.6.5.13 to 7.x |
| DHE-DSS-AES128-GCM-SHA256 | 0x00A2 | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | Medium | 128 | 6.6.5.13 to 7.x |
| DHE-RSA-AES128-GCM-SHA256 | 0x009E | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | High | 128 | 6.5.10.6+, 6.6.5.13+, 6.7 to 7.x |
| DHE-RSA-AES256-GCM-SHA384 | 0x009F | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | High | 256 | 6.5.10.6+, 6.6.5.13+, 6.7 to 7.x |

The appliance supports HTTPS interception in forward proxy mode when sites use the following ECDHE ciphers. The following variants of ECDHE-RSA are available in upstream connections in forward proxy mode:

| Cipher Name on the Appliance | Hex Value | IANA Name | Strength | Key Size in Bits | Shipped with Versions |
|---|---|---|---|---|---|
| ECDHE-RSA-AES128-SHA | 0xC013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | High | 128 | 6.5.6.1+, 6.6.5.13+ (also in reverse proxy mode), 6.7 to 7.x |
| ECDHE-RSA-AES256-SHA | 0xC014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | High | 256 | 6.5.6.1+, 6.6.5.13+ (also in reverse proxy mode), 6.7 to 7.x |
| ECDHE-RSA-AES128-SHA256 | 0xC027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | High | 128 | 6.5.6.1+, 6.6.5.13+ (also in reverse proxy mode), 6.7 to 7.x |
| ECDHE-RSA-AES128-GCM-SHA256 | 0xC02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | High | 128 | 6.5.6.1+, 6.6.5.13+ (also in reverse proxy mode), 6.7 to 7.x |
| ECDHE-RSA-RC4-SHA | 0xC011 | TLS_ECDHE_RSA_WITH_RC4_128_SHA | High | 256 | 6.5.6.1+, 6.6.5.13+ (also in reverse proxy mode), 6.7 to 7.x |

The appliance supports HTTPS interception in forward proxy mode when sites use the following ECDHE ciphers. The following variants of ECDHE-DSA are available in upstream connections in forward proxy mode:

| Cipher Name on the Appliance | Hex Value | IANA Name | Strength | Key Size in Bits | Shipped with Versions |
|---|---|---|---|---|---|
| ECDHE-ECDSA-AES128-SHA256 | 0xC023 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | High | 128 | 6.5.7.1 to 7.x |
| ECDHE-ECDSA-AES128-GCM-SHA256 | 0xC02B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | High | 128 | 6.5.7.1+, 6.6.5.13+, 6.7 to 7.x |
| ECDHE-ECDSA-RC4-SHA | 0xC007 | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | High | 128 | 6.5.7.1 to 7.x |
| ECDHE-ECDSA-AES128-SHA | 0xC009 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | High | 128 | 6.5.7.1 to 7.x |
| ECDHE-ECDSA-AES256-SHA | 0xC00A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | High | 256 | 6.5.7.1 to 7.x |

The appliance supports HTTPS interception in forward proxy mode when sites use the following SHA384 ciphers. The following variants of ECDHE-ECDSA are available in upstream connections in forward proxy mode:

| Cipher Name on the Appliance | Hex Value | IANA Name | Strength | Key Size in Bits | Shipped with Versions |
|---|---|---|---|---|---|
| ECDHE-ECDSA-AES256-SHA384 | 0xC024 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | High | 256 | 6.5.10.6+, 6.6.5.13+, 6.7 to 7.x |
| ECDHE-ECDSA-AES256-GCM-SHA384 | 0xC02C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | High | 256 | 6.5.10.6+, 6.6.5.13+, 6.7 to 7.x |
| ECDHE-RSA-AES256-SHA384 | 0xC028 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | High | 256 | 6.5.10.6+, 6.6.5.13+, 6.7 to 7.x |
| ECDHE-RSA-AES256-GCM-SHA384 | 0xC030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | High | 256 | 6.5.10.6+, 6.6.5.13+, 6.7 to 7.x |