Selecting Ciphers for DLP
Article ID: 219871
Updated On:
Products
Issue/Introduction
Issue: You need to find a cipher suite to use with the latest version of DLP.
Environment
All
Cause
n/a
Resolution
When selecting a Cipher Suite to use with DLP, there are 3-4 main areas that we need to be concerned with, and finding a cipher suite that works across all of these areas is the goal...
Primary:
- Java
- OpenSSL
- TLS
Optional:
- FIPS
A specific cipher will only work between the DLP servers if:
- it is supported by the TLS version used by the specific DLP version
- it is supported by the OS on both Enforce and the detection server
- it is supported by the JRE version on both Enforce and the detection server
- it is supported by the certificates used by the servers
There are also other factors such as JRE security updates, FIPS requirements, or OS-level and network-level security hardening, which may restrict the use of some ciphers even if they are listed out in the output of ciphers.bat.
NOTE:
For all DLP versions, the self-signed certificates generated for the servers use the RSA authentication algorithm. This means that ciphers that do not use RSA but use different authentication algorithms, such as ECDSA, will not work between the servers, even though they are listed out in the output of ciphers.bat. When you configure the cipher on both servers and recycle the DLP services, the detection server rejects the cipher with a message "no cipher suites in common" in the server logs. The reason is that the certificate used by the detection server doesn't support that cipher or any other ciphers that use an authentication algorithm which is not RSA.
An example cipher which won't work with the certificates generated by DLP for the servers is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
Some cipher suites will support multiple authentication types, for example, TLS_AES_256_GCM_SHA384 (part of TLS 1.3) will use any authentication type, including RSA.
Starting in DLP 16.1, there's a possibility to generate custom certificates for the usage between servers and these certificates can now use other authentication algorithms such as ECDSA.
This feature is documented here:
This functionality provides an opportunity to generate CA-signed certificates that may use other technologies, i.e. the ECDSA authentication algorithm. With such certificates configured on the servers, they will be able to use a cipher that uses the specific algorithms which wouldn't work with the self-signed certificates.
The feature is only available for DLP 16.1. Earlier versions of DLP will only support RSA-capable ciphers between servers.
<<Java v1.8.0_262>>
To find the list of supported Cipher Suites for Java, you simply need to run the following batch file from the "\tomcat\bin" directory...
Command: ciphers.bat
In this case I am using DLP 15.8 with AdoptOpenJRE 1.8.0_262, which returns the following list...
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 |
| TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
<<OpenSSL v1.1.1>>
To find the OpenSSL Cipher Suites, you will first need to download OpenSSL.
https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
Next, you will need to run the following command to display all OpenSSL Cipher Suites...
openssl ciphers -v 'ALL:eNULL'
In this case we are using OpenSSL v1.1.1 which will return the following list of Cipher Suites...
| TLS_AES_256_GCM_SHA384 |
| TLS_CHACHA20_POLY1305_SHA256 |
| TLS_AES_128_GCM_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_ECDSA_CHACHA20_POLY1305 |
| TLS_ECDHE_RSA_CHACHA20_POLY1305 |
| TLS_DHE_RSA_CHACHA20_POLY1305 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_SHA |
| TLS_ECDHE_RSA_WITH_AES_256_SHA |
| TLS_DHE_RSA_WITH_AES_256_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_SHA |
| TLS_ECDHE_RSA_WITH_AES_128_SHA |
| TLS_DHE_RSA_WITH_AES_128_SHA |
| TLS_RSA_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_RSA_PSK_CHACHA20_POLY1305 |
| TLS_DHE_PSK_CHACHA20_POLY1305 |
| TLS_ECDHE_PSK_CHACHA20_POLY1305 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_PSK_CHACHA20_POLY1305 |
| TLS_RSA_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_AES_256_SHA256 |
| TLS_AES_128_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_SRP_RSA_WITH_AES_256_CBC_SHA |
| TLS_SRP_AES_256_CBC_SHA |
| TLS_RSA_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_RSA_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_AES_256_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| TLS_SRP_RSA_WITH_AES_128_CBC_SHA |
| TLS_SRP_AES_128_CBC_SHA |
| TLS_RSA_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_RSA_WITH_AES_128_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| TLS_AES_128_SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA |
<<TLS v1.2>>
For TLS, we can find the list of supported Cipher Suites from the URL below...
https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
Below is the list for TLS v1.2...
| TLS_RSA_WITH_NULL_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DH_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DH_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_DH_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DH_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DH_DSS_WITH_AES_128_CBC_SHA256 |
| TLS_DH_DSS_WITH_AES_256_CBC_SHA256 |
| TLS_DH_DSS_WITH_AES_128_GCM_SHA256 |
| TLS_DH_DSS_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
| TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS_DH_anon_WITH_AES_128_CBC_SHA256 |
| TLS_DH_anon_WITH_AES_256_CBC_SHA256 |
| TLS_DH_anon_WITH_AES_128_GCM_SHA256 |
| TLS_DH_anon_WITH_AES_256_GCM_SHA384 |
<<Common Ciphers>>
The next thing we want to do is compare all 3 of the above lists, to find common Cipher Suites, and these would be the Cipher Suites we would look at for DLP 15.8 with TLS v1.2. In this case we see the below common Cipher Suites across all 3 lists...
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 |
<<FIPS v140_2>>
For FIPS we look at a similar process, we take the list of available FIPS cipher and compare that to the Java and OpenSSL list to find common Cipher Suites. You can get the list of FIPS Cipher Suites from the link below...
https://docs.informatica.com/data-integration/powerexchange-for-cdc-and-mainframe/10-0/reference-manual/secure-sockets-layer-support/fips-140-2-compliance/fips-140-2-compliant-cipher-suites.html
Below you will find the FIPS 140_2 list...
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA |
<<FIPS Common Ciphers>>
Here you will see a much smaller list of common ciphers that should work for customers using DLP 15.8 and FIPS 140_2...
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
Additional Information
DLP 15.8 Cipher Suites:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA |
DLP 15.8 with FIPS v140_2 Cipher Suites:
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
Feedback
