Private Cloud (OPDK) 16.x TLS cipher support on routers and MPs


For nginx routers, Apigee does not impose any limit on ciphers. The available ciphers are limited only by the OpenSSL version and by the type of SSL certificate/key that the customer provides on their servers. For the list of ciphers supported in the latest three OpenSSL versions, refer to:

openssl version 1.0.1

openssl version 1.0.2

openssl version 1.1.0

For Message Processors, we use OpenJDK 1.7 in 4.16.01 and OpenJDK 1.8 in 4.16.05 and beyond; cipher support there is based on the Oracle Java documentation at http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html. Message Processors also do not impose any limit on cipher support.

For instance, a private cloud customer asked whether the following 5 GCM ciphers are supported on both nginx routers and MPs:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
TLS_RSA_WITH_AES_128_GCM_SHA256 
TLS_RSA_WITH_AES_256_GCM_SHA384 
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 

If the OpenSSL library on their router (RT) node is version 1.0.1, then it seems only two of the ciphers are supported with TLS 1.2 by default:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

If the OpenSSL library on their router (RT) node is version 1.0.2 or later, then it seems 4 out of the 5 GCM ciphers are supported with TLS 1.2 by default:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
TLS_RSA_WITH_AES_128_GCM_SHA256 
TLS_RSA_WITH_AES_256_GCM_SHA384 
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 

For MPs, according to the Oracle Java documentation at http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html, none of the 5 ciphers were supported in Java 7 by default.

4 out of the 5 ciphers are supported in Java 8 by default:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
TLS_RSA_WITH_AES_128_GCM_SHA256 
TLS_RSA_WITH_AES_256_GCM_SHA384 
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 

To have at least one of the 5 GCM ciphers supported, the customer needs to ensure their private cloud version is 4.16.05 or later.
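One way to check the router-side answer directly on a node instead of reading it off the documentation, as an added example that is not Apigee code. The function names `iana_to_openssl` and `report_support` are hypothetical, and using OpenSSL's `DEFAULT` cipher string is an assumption; pass the cipher string your router actually uses as the first argument.

```shell
#!/bin/sh
# Added example (not Apigee code): check the page's five GCM suites against
# the cipher list of the OpenSSL build installed on a router node.

# The five suites from the customer inquiry, by IANA name.
SUITES="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"

# Map an IANA suite name to the name OpenSSL uses in its cipher strings.
iana_to_openssl() {
  case "$1" in
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)   echo ECDHE-RSA-AES128-GCM-SHA256 ;;
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) echo ECDHE-ECDSA-AES128-GCM-SHA256 ;;
    TLS_RSA_WITH_AES_128_GCM_SHA256)         echo AES128-GCM-SHA256 ;;
    TLS_RSA_WITH_AES_256_GCM_SHA384)         echo AES256-GCM-SHA384 ;;
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) echo ECDHE-ECDSA-AES256-GCM-SHA384 ;;
    *) return 1 ;;
  esac
}

# report_support LIST
# LIST is the colon-separated output of `openssl ciphers`. Prints one
# "<suite> supported|missing" line per suite. Matching is on whole
# colon-delimited entries, so AES128-GCM-SHA256 is not mistaken for present
# when only ECDHE-RSA-AES128-GCM-SHA256 is in the list.
report_support() {
  available=":$1:"
  for suite in $SUITES; do
    name=$(iana_to_openssl "$suite") || continue
    case "$available" in
      *":$name:"*) echo "$suite supported" ;;
      *)           echo "$suite missing" ;;
    esac
  done
}

# Run against the local build when openssl is installed. DEFAULT is an
# assumption; pass the cipher string your router actually uses as $1.
if command -v openssl >/dev/null 2>&1; then
  openssl version
  report_support "$(openssl ciphers "${1:-DEFAULT}" 2>/dev/null)"
fi
```

A suite reported as supported here can still fail to negotiate if the server certificate's key type does not match it (an ECDSA suite needs an ECDSA certificate), which is the certificate/key dependency noted at the top of this article.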

Last update: 03-27-2017 01:17 PM