Skip To Content

Restrict SSL protocols and cipher suites

As an ArcGIS Server administrator, you can specify which secure sockets layer (SSL) protocols and encryption algorithms ArcGIS Server uses to secure communication. For example, your organization may be required to use specific SSL protocols and encryption algorithms. Specifying that ArcGIS Server use the certified protocols and algorithms ensures that your site remains in compliance with your organization's security policies.

Default SSL protocols

By default, ArcGIS Server enables the following protocols:

  • TLSv1
  • TLSv1.1
  • TLSv1.2

Default encryption algorithms

ArcGIS Server is limited to the following encryption algorithms and enables all of them by default:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

See Cipher suites reference below for more information on these encryption algorithms.

You'll use the ArcGIS Server Administrator Directory to specify which SSL protocols and encryption algorithms your site will use.

  1. Open the ArcGIS Server Administrator Directory and sign in as an Administrator of your site. The URL is in the format https://gisserver.domain.com:6443/arcgis/admin.
  2. Click Security > Config > Update.
  3. In the SSL Protocols text box, specify the protocols to be used. If specifying multiple protocols, separate each protocol with a comma. For example: TLSv1.2, TLSv1.1.

    Note that if you're planning to disable TLSv1 from the site, you need to ensure the web server hosting the Web Adaptor is able to fully communicate over TLSv1.1 or TLSv1.2. If you're using a Java Web Adaptor, the web server hosting the Web Adaptor must be using Java 8.

  4. In the Cipher Suites text box, specify the encryption algorithms to be used. If specifying multiple algorithms, separate each algorithm with a comma. For example: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA.
  5. Click Update. An error is returned if an invalid protocol or cipher suite is specified.

Cipher suites reference

Cipher IDNameKey exchangeAuthentication algorithmEncryption algorithmBitsHashing algorithm
0x00C02FTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256ECDHERSAAES_128_GCM

128

SHA256
0x00C027TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256ECDHERSAAES_128_CBC

128

SHA256
0x00C013TLS_ECDHE_RSA_WITH_AES_128_CBC_SHAECDHERSAAES_128_CBC

128

SHA
0x00C012TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHAECDHERSA3DES_EDE_CBC

168

SHA
0x00009CTLS_RSA_WITH_AES_128_GCM_SHA256RSARSAAES_128_GCM

128

SHA256
0x00003CTLS_RSA_WITH_AES_128_CBC_SHA256RSARSAAES_128_CBC

128

SHA256
0x00002FTLS_RSA_WITH_AES_128_CBC_SHARSARSAAES_128_CBC

128

SHA
0x00000ATLS_RSA_WITH_3DES_EDE_CBC_SHARSARSA3DES_EDE_CBC

168

SHA

Terminology

  • ECDHE—Elliptic-Curve Diffie-Hellman
  • RSA—Rivest, Shamir, Adleman
  • AES—Advanced Encryption Standard
  • GCM—Galois/Counter Mode (A mode of operation for cryptographic block ciphers)
  • CBC—Cipher Block Chaining
  • 3DES—Triple Data Encryption Algorithm
  • SHA—Secure Hashing Algorithm