The default configuration in Policy Manager shows they are all "weak" ciphers. Here’s the default config of this port:
- Is Broadcom planning to update the default installation of port 2124?
- Do you think it’s safe for us to enable TLS 1.3 and more ciphers on this port?
CA API Gateway 11.0, 11.1
There were weak ciphers in the default list for 11.0.
GW 11.0 had several weak ciphers in the default list, which were later removed in Gateway 11.1.
For Gateway 11.0, you need to add these ciphers to the system.properties file; the default cipher suites are then set based on the property's value.
Note: This property has to be added BEFORE the gateway's first start; otherwise, the gateway will use its own default value.
After the listen port is created, this property will be ignored.
Example entry added to system.properties:
com.l7tech.server.listener.initinternodeciphers=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256
You can add the following as requested (comma-separated):
- TLS_AES_256_GCM_SHA384
- TLS_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
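
A pre-start check for the steps above, added here as an example (not Broadcom's code): it parses system.properties text, reads the property, and flags any suite that is not on this page's list. The function names and the sample file content are constructed for illustration.

```python
import re

PROPERTY = "com.l7tech.server.listener.initinternodeciphers"

# The six suites this page lists as values for the property.
PAGE_LIST = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Constructed sample system.properties content (not taken from a real gateway).
SAMPLE = """\
# constructed sample
com.l7tech.server.listener.initinternodeciphers = TLS_AES_256_GCM_SHA384,\\
    TLS_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA
"""

def read_property(text, key=PROPERTY):
    """Return the last value assigned to key in .properties text, or None."""
    # Join backslash line continuations (simplified java.util.Properties rule).
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    value = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == key:
            value = m.group(2).strip()  # a later duplicate overrides an earlier one
    return value

def check_ciphers(text):
    """Classify the configured suites against the page's list."""
    value = read_property(text)
    if value is None:
        return {"status": "missing", "suites": [], "unexpected": []}
    suites = [s.strip() for s in value.split(",") if s.strip()]
    unexpected = [s for s in suites if s not in PAGE_LIST]
    status = "ok" if suites and not unexpected else "review"
    return {"status": status, "suites": suites, "unexpected": unexpected}

if __name__ == "__main__":
    print(check_ciphers(SAMPLE))
```

Run it against the file before the gateway's first start; because the property is ignored once the listen port exists, the result says nothing about a port that was already created.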