Skip To Content

Restrict TLS protocols and cipher suites

As an ArcGIS Server administrator, you can specify the Transport Layer Security (TLS) protocols and encryption algorithms ArcGIS Server uses to secure communication. Your organization may be required to use specific TLS protocols and encryption algorithms, or the web server on which you deploy ArcGIS Server may only allow certain protocols and algorithms. Specifying that ArcGIS Server use the certified protocols and algorithms ensures that your site remains in compliance with your organization's security policies.

Following the POODLE vulnerability exposed in 2014, ArcGIS Server dropped support for Secure Sockets Layer (SSL) protocols at 10.3 and later, but you will still see SSL used in the software to refer to TLS protocols.

TLS protocols

By default, ArcGIS Server only uses the TLSv1.3 and TLSv1.2 protocols. You can also enable TLSv1 and TLSv1.1 protocols using the steps below.

Default encryption algorithms

ArcGIS Server is configured by default to use the following encryption algorithms in the order listed below:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_AES_256_GCM_SHA384 (TLSv1.3 only)
  • TLS_AES_128_GCM_SHA256 (TLSv1.3 only)

For security reasons, several encryption algorithms that were enabled by default in previous versions have been disabled. These can be reenabled if needed for older clients. See Cipher suites reference below for the full list of supported algorithms.

Use the ArcGIS Server Administrator Directory to specify the TLS protocols and encryption algorithms your site will use.

  1. Open the ArcGIS Server Administrator Directory and sign in as an administrator of your site.

    The URL is in the format https://gisserver.domain.com:6443/arcgis/admin.

  2. Click Security > Config > Update.
  3. In the SSL Protocols text box, specify the protocols to be used. If specifying multiple protocols, separate each protocol with a comma, for example, TLSv1.2, TLSv1.1.
    Note:

    Ensure that the web server hosting your Web Adaptor can fully communicate over the protocols you are enabling. If you're using a Java Web Adaptor, the web server hosting the Web Adaptor must use Java 8 or later.

  4. In the Cipher Suites text box, specify the encryption algorithms to be used. If specifying multiple algorithms, separate each algorithm with a comma, for example, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA.
  5. Click Update.

    An error is returned if an invalid protocol or cipher suite is specified.

Cipher suites reference

ArcGIS Server supports the following algorithms:

Cipher IDNameKey exchangeAuthentication algorithmEncryption algorithmBitsHashing algorithm
0x00C030TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384ECDHRSAAES_256_GCM256SHA384
0x00C028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384ECDHRSA AES_256_CBC256 SHA384
0x00C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHRSA AES_256_CBC256SHA
0x00009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHRSA AES_256_GCM256 SHA384
0x00006B TLS_DHE_RSA_WITH_AES_256_CBC_SHA256DHRSA AES_256_CBC256 SHA256
0x000039 TLS_DHE_RSA_WITH_AES_256_CBC_SHADHRSA AES_256_CBC256SHA
0x00009D TLS_RSA_WITH_AES_256_GCM_SHA384RSARSA AES_256_GCM256 SHA384
0x00003D TLS_RSA_WITH_AES_256_CBC_SHA256RSARSA AES_256_CBC256SHA256
0x000035 TLS_RSA_WITH_AES_256_CBC_SHARSARSA AES_256_CBC256SHA
0x00C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHRSA AES_128_GCM128SHA256
0x00C027 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHRSA AES_128_CBC128SHA256
0x00C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHAECDHRSA AES_128_CBC128SHA
0x00009E TLS_DHE_RSA_WITH_AES_128_GCM_SHA256DHRSA AES_128_GCM128SHA256
0x000067 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256DHRSA AES_128_CBC128SHA256
0x000033 TLS_DHE_RSA_WITH_AES_128_CBC_SHADHRSA AES_128_CBC128SHA
0x00009C TLS_RSA_WITH_AES_128_GCM_SHA256RSARSA AES_128_GCM128SHA256
0x00003C TLS_RSA_WITH_AES_128_CBC_SHA256RSARSA AES_128_CBC128SHA256
0x00002F TLS_RSA_WITH_AES_128_CBC_SHARSARSA AES_128_CBC128SHA
0x00C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHRSA 3DES_EDE_CBC168SHA
0x000016 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHADHRSA 3DES_EDE_CBC168SHA
0x00000A SSL_RSA_WITH_3DES_EDE_CBC_SHARSARSA 3DES_EDE_CBC168SHA
0x00C02CTLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384ECDHECDSAAES_256_GCM256SHA384
0x00C024TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384ECDHECDSAAES_256_CBC256SHA384
0x00C00ATLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHAECDHECDSAAES_256_CBC256SHA
0x00C02BTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256ECDHECDSAAES_128_GCM128SHA256
0x00C023TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256ECDHECDSAAES_128_CBC128SHA256
0x00C009TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHAECDHECDSAAES_128_CBC128SHA
0x00C008TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHAECDHECDSA3DES_EDE_CBC168SHA
0x1302 TLS_AES_256_GCM_SHA384-- AES_256_GCM256SHA384
0x1301 TLS_AES_128_GCM_SHA256-- AES_128_GCM128SHA256

Terminology

The following terms are used in the table above:

  • ECDH—Elliptic-Curve Diffie-Hellman
  • DH—Diffie-Hellman
  • RSA—Rivest, Shamir, Adleman
  • ECDSA— Elliptic Curve Digital Signature Algorithm
  • AES—Advanced Encryption Standard
  • GCM—Galois/Counter Mode, a mode of operation for cryptographic block ciphers
  • CBC—Cipher Block Chaining
  • 3DES—Triple Data Encryption Algorithm
  • SHA—Secure Hashing Algorithm