As an organization administrator, you can specify the Transport Layer Security (TLS) protocols and encryption algorithms that the portal's internal web server uses to secure communication. Your organization may be required to use specific TLS protocols and encryption algorithms. Specifying that the portal use the certified protocols and algorithms ensures that your portal remains in compliance with your organization's security policies.
Default TLS protocols
By default, the portal is configured to use the TLSv1.3 and TLSv1.2 protocols. You can also enable TLSv1 and TLSv1.1 protocols using the steps below.
Use default encryption algorithms
The portal is configured by default to use the following encryption algorithms in the order listed below:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_AES_256_GCM_SHA384 (TLSv1.3 only)
- TLS_AES_128_GCM_SHA256 (TLSv1.3 only)
For security reasons, several encryption algorithms that were enabled by default in previous versions have been disabled. These can be reenabled if needed for older clients. See Cipher suites reference below for the full list of supported algorithms.
Use the Portal Administrator Directory to specify the TLS protocols and encryption algorithms the portal will use.
- Open the Portal Administrator Directory and sign in as an administrator of your organization.
The URL is in the format https://webadaptorhost.example.com/webadaptorname/portaladmin.
- Click Security > SSLCertificates > Update.
- In the SSL Protocols text box, specify the protocols to be used. If specifying multiple protocols, separate each protocol with a comma, for example, TLSv1.2, TLSv1.1.
Note:
Ensure that the web server hosting your Web Adaptor is configured to use the protocols you're enabling.
- In the Cipher Suites text box, specify the cipher suites to be used in IANA format. Separate each algorithm with a comma, for example, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA.
- Click Update.
An error is returned if an invalid protocol or cipher suite is specified.
Cipher suites reference
The portal supports the following algorithms:
| Cipher ID | Name (IANA format) | Name (OpenSSL format) | Key exchange | Authentication algorithm | Encryption algorithm | Bits | Hashing algorithm |
|---|---|---|---|---|---|---|---|
| 0xC030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 | ECDH | RSA | AES_256_GCM | 256 | SHA384 |
| 0xC028 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDHE-RSA-AES256-SHA384 | ECDH | RSA | AES_256_CBC | 256 | SHA384 |
| 0xC014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE-RSA-AES256-SHA | ECDH | RSA | AES_256_CBC | 256 | SHA |
| 0x009F | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE-RSA-AES256-GCM-SHA384 | DH | RSA | AES_256_GCM | 256 | SHA384 |
| 0x006B | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | DHE-RSA-AES256-SHA256 | DH | RSA | AES_256_CBC | 256 | SHA256 |
| 0x0039 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DHE-RSA-AES256-SHA | DH | RSA | AES_256_CBC | 256 | SHA |
| 0x009D | TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384 | RSA | RSA | AES_256_GCM | 256 | SHA384 |
| 0x003D | TLS_RSA_WITH_AES_256_CBC_SHA256 | AES256-SHA256 | RSA | RSA | AES_256_CBC | 256 | SHA256 |
| 0x0035 | TLS_RSA_WITH_AES_256_CBC_SHA | AES256-SHA | RSA | RSA | AES_256_CBC | 256 | SHA |
| 0xC02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 | ECDH | RSA | AES_128_GCM | 128 | SHA256 |
| 0xC027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256 | ECDH | RSA | AES_128_CBC | 128 | SHA256 |
| 0xC013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE-RSA-AES128-SHA | ECDH | RSA | AES_128_CBC | 128 | SHA |
| 0x009E | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DHE-RSA-AES128-GCM-SHA256 | DH | RSA | AES_128_GCM | 128 | SHA256 |
| 0x0067 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | DHE-RSA-AES128-SHA256 | DH | RSA | AES_128_CBC | 128 | SHA256 |
| 0x0033 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | DHE-RSA-AES128-SHA | DH | RSA | AES_128_CBC | 128 | SHA |
| 0x009C | TLS_RSA_WITH_AES_128_GCM_SHA256 | AES128-GCM-SHA256 | RSA | RSA | AES_128_GCM | 128 | SHA256 |
| 0x003C | TLS_RSA_WITH_AES_128_CBC_SHA256 | AES128-SHA256 | RSA | RSA | AES_128_CBC | 128 | SHA256 |
| 0x002F | TLS_RSA_WITH_AES_128_CBC_SHA | AES128-SHA | RSA | RSA | AES_128_CBC | 128 | SHA |
| 0xC012 | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ECDHE-RSA-DES-CBC3-SHA | ECDH | RSA | 3DES_EDE_CBC | 168 | SHA |
| 0x0016 | SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA | EDH-RSA-DES-CBC3-SHA | DH | RSA | 3DES_EDE_CBC | 168 | SHA |
| 0x000A | SSL_RSA_WITH_3DES_EDE_CBC_SHA | DES-CBC3-SHA | RSA | RSA | 3DES_EDE_CBC | 168 | SHA |
| 0xC02C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 | ECDH | ECDSA | AES_256_GCM | 256 | SHA384 |
| 0xC024 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ECDHE-ECDSA-AES256-SHA384 | ECDH | ECDSA | AES_256_CBC | 256 | SHA384 |
| 0xC00A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE-ECDSA-AES256-SHA | ECDH | ECDSA | AES_256_CBC | 256 | SHA |
| 0xC02B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 | ECDH | ECDSA | AES_128_GCM | 128 | SHA256 |
| 0xC023 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256 | ECDH | ECDSA | AES_128_CBC | 128 | SHA256 |
| 0xC009 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE-ECDSA-AES128-SHA | ECDH | ECDSA | AES_128_CBC | 128 | SHA |
| 0xC008 | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | ECDHE-ECDSA-DES-CBC3-SHA | ECDH | ECDSA | 3DES_EDE_CBC | 168 | SHA |
| 0xCCA8 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-RSA-CHACHA20-POLY1305 | ECDH | RSA | CHACHA20 POLY1305 | 256 | SHA256 |
| 0xCCA9 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-ECDSA-CHACHA20-POLY1305 | ECDH | ECDSA | CHACHA20 POLY1305 | 256 | SHA256 |
| 0x1301 | TLS_AES_128_GCM_SHA256 (TLSv1.3 only) | TLS_AES_128_GCM_SHA256 | - | - | AES_128_GCM | 128 | SHA256 |
| 0x1302 | TLS_AES_256_GCM_SHA384 (TLSv1.3 only) | TLS_AES_256_GCM_SHA384 | - | - | AES_256_GCM | 256 | SHA384 |
| 0x1303 | TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3 only) | TLS_CHACHA20_POLY1305_SHA256 | - | - | CHACHA20 POLY1305 | 256 | SHA256 |
Terminology
The following terms are used in the table above:
- ECDH—Elliptic-Curve Diffie-Hellman
- DH—Diffie-Hellman
- RSA—Rivest, Shamir, Adleman
- ECDSA— Elliptic Curve Digital Signature Algorithm
- AES—Advanced Encryption Standard
- GCM—Galois/Counter Mode, a mode of operation for cryptographic block ciphers
- CBC—Cipher Block Chaining
- 3DES—Triple Data Encryption Algorithm
- SHA—Secure Hashing Algorithm
- CHACHA20—ChaCha stream cipher
- POLY1305—Poly1305 authenticator