The ciphers below are not allowed by Apigee Cloud, which we are using in our org. All of the ciphers below are valid TLS 1.2 ciphers as per the Apigee documentation.
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
I tested the above ciphers using the command below:
openssl s_client -connect myapi.domain.com:443 -cipher 'ECDHE-ECDSA-AES256-GCM-SHA384'
and all of the above ciphers give a response saying:
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Master-Key:
Start Time: 1626694293
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Valid TLS 1.2 ciphers are as per the command below:
openssl ciphers TLSv1.2
The above command gave me the valid TLS 1.2 ciphers:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-CAMELLIA256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-CAMELLIA256-SHA256:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-CAMELLIA128-SHA256:AES128-GCM-SHA256:AES128-SHA256:CAMELLIA128-SHA256:NULL-SHA256
The response for an allowed cipher is below:
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 3646 bytes and written 408 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES128-GCM-SHA256
Session-ID: 4168F06CA1180E3971B887A5839F45DFBDE4DECBD8BDCD27728438F86534ED29
Master-Key: 1F1F06B73554E630DCDE8A682C03E23C54C088315377B150752CBB3F48E3FAB44FFE10F3C5307B9BDD11F89059C8F172
TLS session ticket lifetime hint: 600 (seconds)
TLS session ticket:
Start Time: 1626695818
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Please let me know if there is a solution for this issue.
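One way to classify these `s_client` transcripts automatically instead of reading each one by eye, as an added example that is not from the original post (the two transcripts inside it are constructed from the output quoted above, and the `HandshakeResult` fields and `summarize` helper are my own names):

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed transcripts trimmed from the two s_client runs quoted above
# (one suite the server refused, one it accepted); values are illustrative.
REJECTED = """no peer certificate available
SSL handshake has read 7 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""
ACCEPTED = """Server Temp Key: DH, 2048 bits
SSL handshake has read 3646 bytes and written 408 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""

@dataclass
class HandshakeResult:
    negotiated: bool          # True only if the server agreed to the suite
    cipher: Optional[str]     # suite named on the 'New, ...' line, or None
    protocol: Optional[str]   # 'TLSv1.2' from the SSL-Session block
    bytes_read: int           # a few bytes means the server sent an alert

def parse_s_client(output: str) -> HandshakeResult:
    """Classify one `openssl s_client -cipher <suite>` transcript.

    A refused suite shows 'Cipher is (NONE)' and a handshake that read only a
    few bytes; an accepted one names the negotiated cipher. ECDHE-ECDSA
    suites need an ECDSA server certificate, so an RSA-only endpoint rejects
    them whatever its cipher configuration says.
    """
    m = re.search(r"^New, .*?, Cipher is (\S+)$", output, re.M)
    cipher = m.group(1) if m and m.group(1) != "(NONE)" else None
    p = re.search(r"^\s*Protocol\s*:\s*(\S+)$", output, re.M)
    r = re.search(r"^SSL handshake has read (\d+) bytes", output, re.M)
    return HandshakeResult(cipher is not None, cipher,
                           p.group(1) if p else None, int(r.group(1)) if r else 0)

def summarize(transcripts: dict) -> dict:
    """Map each requested suite to 'allowed' or 'rejected' for a quick report."""
    return {s: "allowed" if parse_s_client(o).negotiated else "rejected"
            for s, o in transcripts.items()}
```

Feed `summarize` the captured output of one `s_client -cipher` run per suite to get a table of which suites the virtual host actually negotiates.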
This seems like an issue for Apigee support. I suggest you contact the support desk.
Please check the virtual host by running the management API to verify whether there are any restrictions.
https://apidocs.apigee.com/docs/virtual-hosts/1/overview
https://docs.apigee.com/how-to-guides/configuring-cipher-suites-on-virtual-host-routers
Just for awareness:
It is good to follow FAPI and enforce it for better security on the cipher suite (wherever applicable).
https://openid.net/specs/openid-financial-api-part-2-1_0.html#tls-considerations
Did you try to modify the property in the virtualhost?