Selecting Ciphers for DLP
Article ID: 219871
Updated On:
Products
Issue/Introduction
Issue: You need to find a cipher suite to use with the latest version of DLP.
Environment
All
Cause
n/a
Resolution
When selecting a Cipher Suite to use with DLP, there are 3-4 main areas that we need to be concerned with, and finding a cipher suite that works across all of these areas is the goal...
Primary:
- Java
- OpenSSL
- TLS
Optional:
- FIPS
<<Java v1.8.0_262>>
To find the list of supported Cipher Suites for Java, you simply need to run the following command from the "\tomcat\lib" directory...
Command: java -cp catalina.jar org.apache.catalina.util.ServerInfo
In this case I am using DLP 15.8 with AdoptOpenJRE 1.8.0_262, which returns the following list...
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 |
| TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
<<OpenSSL v1.1.1>>
To find the OpenSSL Cipher Suites, you will first need to download OpenSSL.
https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
Next, you will need to run the following command to display all OpenSSL Cipher Suites...
openssl ciphers -v 'ALL:eNULL'
In this case we are using OpenSSL v1.1.1 which will return the following list of Cipher Suites...
| TLS_AES_256_GCM_SHA384 |
| TLS_CHACHA20_POLY1305_SHA256 |
| TLS_AES_128_GCM_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_ECDSA_CHACHA20_POLY1305 |
| TLS_ECDHE_RSA_CHACHA20_POLY1305 |
| TLS_DHE_RSA_CHACHA20_POLY1305 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_SHA |
| TLS_ECDHE_RSA_WITH_AES_256_SHA |
| TLS_DHE_RSA_WITH_AES_256_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_SHA |
| TLS_ECDHE_RSA_WITH_AES_128_SHA |
| TLS_DHE_RSA_WITH_AES_128_SHA |
| TLS_RSA_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_RSA_PSK_CHACHA20_POLY1305 |
| TLS_DHE_PSK_CHACHA20_POLY1305 |
| TLS_ECDHE_PSK_CHACHA20_POLY1305 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_PSK_CHACHA20_POLY1305 |
| TLS_RSA_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_AES_256_SHA256 |
| TLS_AES_128_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_SRP_RSA_WITH_AES_256_CBC_SHA |
| TLS_SRP_AES_256_CBC_SHA |
| TLS_RSA_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_RSA_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_AES_256_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| TLS_SRP_RSA_WITH_AES_128_CBC_SHA |
| TLS_SRP_AES_128_CBC_SHA |
| TLS_RSA_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_RSA_WITH_AES_128_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| TLS_AES_128_SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA |
<<TLS v1.2>>
For TLS, we can find the list of supported Cipher Suites from the URL below...
https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
Below is the list for TLS v1.2...
| TLS_RSA_WITH_NULL_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DH_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DH_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_DH_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DH_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DH_DSS_WITH_AES_128_CBC_SHA256 |
| TLS_DH_DSS_WITH_AES_256_CBC_SHA256 |
| TLS_DH_DSS_WITH_AES_128_GCM_SHA256 |
| TLS_DH_DSS_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
| TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS_DH_anon_WITH_AES_128_CBC_SHA256 |
| TLS_DH_anon_WITH_AES_256_CBC_SHA256 |
| TLS_DH_anon_WITH_AES_128_GCM_SHA256 |
| TLS_DH_anon_WITH_AES_256_GCM_SHA384 |
<<Common Ciphers>>
The next thing we want to do is compare all 3 of the above lists, to find common Cipher Suites, and these would be the Cipher Suites we would look at for DLP 15.8 with TLS v1.2. In this case we see the below common Cipher Suites across all 3 lists...
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 |
<<FIPS v140_2>>
For FIPS we look at a similar process, we take the list of available FIPS cipher and compare that to the Java and OpenSSL list to find common Cipher Suites. You can get the list of FIPS Cipher Suites from the link below...
https://docs.informatica.com/data-integration/powerexchange-for-cdc-and-mainframe/10-0/reference-manual/secure-sockets-layer-support/fips-140-2-compliance/fips-140-2-compliant-cipher-suites.html
Below you will find the FIPS 140_2 list...
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA |
<<FIPS Common Ciphers>>
Here you will see a much smaller list of common ciphers that should work for customers using DLP 15.8 and FIPS 140_2...
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
Additional Information
DLP 15.8 Cipher Suites:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA |
DLP 15.8 with FIPS v140_2 Cipher Suites:
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
Feedback
