FAQ: Deprecation of TLS 1.2 weak ciphers
Which ciphers will be supported?
Going forward, we will only accept connections that use the TLS protocol and one of the following cipher suites:
| OpenSSL Name | IANA Name |
|---|---|
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
What are common reasons I may still be using a weak cipher?
If you are using an old version of Java (or a similar runtime), its bundled libraries may not support newer ciphers. To fix the issue, update Java to a newer version. Ensure that your applications use libraries that support TLS 1.2 and above, and that they support at least one of the strong ciphers listed.
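The check described above can be run against a client runtime before the change takes effect. The following is an added example, not code from this FAQ or its provider: it uses Python's standard ssl module to list which of the accepted suites the local TLS library enables for a given OpenSSL cipher string. The function names and the sample cipher strings are constructed for illustration.

```python
import ssl

# Accepted suites from the table above: OpenSSL name -> IANA name.
ACCEPTED = {
    "ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def usable_suites(cipher_string="ALL"):
    """Return the accepted suites (OpenSSL names, table order) that the local
    TLS library enables when a client is configured with cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # The local library could not select any cipher from the string.
        return []
    # get_ciphers() also lists TLS 1.3 suites, which set_ciphers() does not
    # control; filtering on the table keeps only the suites listed above.
    enabled = {c["name"] for c in ctx.get_ciphers()}
    return [name for name in ACCEPTED if name in enabled]


def report(cipher_string="ALL"):
    """Summarise whether this runtime and cipher configuration meet the
    requirement: TLS 1.2 available and at least one accepted suite enabled."""
    suites = usable_suites(cipher_string)
    return {
        "tls12_available": ssl.HAS_TLSv1_2,
        "accepted_suites": [(s, ACCEPTED[s]) for s in suites],
        "compatible": bool(ssl.HAS_TLSv1_2 and suites),
    }


if __name__ == "__main__":
    # Constructed sample configurations: a legacy CBC-only client and one
    # that enables everything the local library supports.
    for label, cfg in [("legacy", "AES128-SHA:DES-CBC3-SHA"), ("all", "ALL")]:
        result = report(cfg)
        print(label, ssl.OPENSSL_VERSION, "compatible:", result["compatible"])
        for openssl_name, iana_name in result["accepted_suites"]:
            print("   ", openssl_name, "=", iana_name)
```

An empty accepted_suites list for the configuration your application actually uses means the handshake will fail with an error like the one shown in the next answer.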
How do I recognize an error caused by a weak cipher?
If you see an error message saying that a compatible cipher cannot be negotiated, the most likely cause is that your client only supports weak ciphers. The following is an example of such an error message:
SSL/TLS Handshake Failed Error. The protocol used by the client is not supported by the server. Cipher suite used by the client is not supported by the server.