For nginx routers, Apigee does not impose any limit. Ciphers are only limited by the openssl version and ssl certificate/key type that customer provides on their servers. To find the list of ciphers supported in the latest three openssl versions, please reference
For message processors, we use openjdk 1.7 in 4.16.01, and use openjdk 1.8 in 4.16.05 and beyond, based on the oracle java documentation link at http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html. Message Processors also do not impose any limit on cipher support.
For instance, a private cloud customer was inquiring about the support of below 5 GCM ciphers on both Nginx routers and MPs:
TLS_ECHDE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
If their openssl library on RT node uses 1.0.1, then it seems only two ciphers:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
are supported with TLS 1.2 by default:
If their openssl library on RT node uses 1.0.2 and beyond, then it seems 4 out of the 5 GCM ciphers are supported with TLS 1.2 by default:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
For MPs, based on the oracle java doc at http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html, none of the 5 ciphers were supported in Java 7 by default.
4 out of the 5 ciphers are supported in Java 8 by default:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
To get at least one of the 5 GCM ciphers support, the customer needs to ensure their private cloud version runs at 4.16.05 or later.