Which SSL Ciphers Supported in Apigee Edge Cloud?


With the recent TLS 1.0 and 1.1 retirement announcement, I would like to know what are the Cipher Suites supported in Apigee Edge Cloud that are relevant for TLS 1.2.


Apigee Edge Cloud supports the OpenSSL cipher suite equivalents associated with TLSv1.2, which is the only allowed protocol.

See the ssl_ciphers property in the docs here: https://docs.apigee.com/api-platform/fundamentals/virtual-host-property-reference

See the OpenSSL values here: https://www.openssl.org/docs/man1.1.1/man1/ciphers.html

Note, the OpenSSL values are on the right side of the listings, the left side are the names from the relevant specification.

If you try to set a cipher value that is invalid, you'll see:

<Error>
    <Code>messaging.config.beans.InvalidValue</Code>
    <Message>Invalid value foo for ssl_ciphers. Expected values are openssl cipher strings separated by :</Message>
    <Contexts/>
</Error>

The docs use these values as an example:

<Properties>
    <Property name="ssl_ciphers">HIGH:!aNULL:!MD5:!DH+3DES:!kEDH</Property>
</Properties>

Thank you. So Apigee supports all the cipher suites supported by OpenSSL?

Yes, the OpenSSL values associated with TLSv1.2.

Thank you! We were able to get the list by using the command.

openssl ciphers -v -tls1 | grep TLSv1.2

If you create a virtual host without specifying a list of ciphers, you should be able to see all the ciphers supported (default list) simply by making a verbose curl call to your proxy endpoint. It would print something similar to the following (this snippet is from making the call to Google):

* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
*  <<Content trimmed>>
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256

Thank you. With this, we are able to find which cipher suite is set by default. This was helpful for us. However, we wanted to know the list of cipher suites supported in Apigee.

I would like to think that if you don't specify a list of ciphers, Apigee would list all supported ciphers as default (in a preferred order). There is no reason why it should filter down the supported ciphers to make a default list.

But glad you worked it out.

Update: if you want to test for TLSv1.2 you can update your Virtual Host "ssl_ciphers" property to use valid 1.2 values only (e.g. AES128-GCM-SHA256). Then connections using 1.0 or 1.1 will fail.
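The two steps discussed in this thread, listing the TLSv1.2 names with `openssl ciphers -v` and then choosing a subset for the virtual host's `ssl_ciphers` property, can be scripted. The following is an added example, not code from the original post or from Apigee: it parses constructed sample lines in the `openssl ciphers -v` output format, keeps only TLSv1.2 suites (optionally only forward-secret AEAD ones), joins them with `:` as the property expects, and uses the local OpenSSL (through Python's `ssl` module) to check that a cipher string is syntactically acceptable, which is the same kind of check behind the `InvalidValue` error quoted above. Whether Apigee itself accepts a given name still has to be confirmed against the virtual host, as the thread describes.

```python
"""Filter OpenSSL cipher names by protocol/strength and build an ssl_ciphers string.

Added example for the Apigee ssl_ciphers discussion; the sample input below is
constructed to mimic `openssl ciphers -v` output and is not a real capture.
"""
import ssl
from dataclasses import dataclass
from typing import List

# Constructed sample of `openssl ciphers -v` output. Real output has the same
# shape: NAME PROTOCOL Kx=... Au=... Enc=... Mac=...
SAMPLE_OPENSSL_CIPHERS_V = """\
TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any  Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA384
DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA256               TLSv1.2 Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA256
ECDHE-RSA-AES128-SHA        TLSv1   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
"""


@dataclass(frozen=True)
class Cipher:
    """One row of `openssl ciphers -v` output."""
    name: str
    protocol: str
    kx: str   # key exchange: RSA, DH, ECDH, any
    au: str   # authentication: RSA, ECDSA, any
    enc: str  # bulk cipher, e.g. AESGCM(128)
    mac: str  # MAC, or AEAD for authenticated-encryption suites


def parse_ciphers_v(text: str) -> List[Cipher]:
    """Parse the verbose listing into Cipher records, skipping malformed lines."""
    ciphers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        ciphers.append(Cipher(parts[0], parts[1], fields.get("Kx", ""),
                              fields.get("Au", ""), fields.get("Enc", ""),
                              fields.get("Mac", "")))
    return ciphers


def tls12_only(ciphers: List[Cipher]) -> List[Cipher]:
    """Equivalent of `openssl ciphers -v | grep TLSv1.2`, but on the parsed rows."""
    return [c for c in ciphers if c.protocol == "TLSv1.2"]


def forward_secret_aead(ciphers: List[Cipher]) -> List[Cipher]:
    """Stricter cut: TLSv1.2 suites with (EC)DHE key exchange and an AEAD cipher.
    Static-RSA key exchange (Kx=RSA) and CBC+HMAC suites are dropped."""
    return [c for c in ciphers
            if c.protocol == "TLSv1.2" and c.kx in ("ECDH", "DH") and c.mac == "AEAD"]


def build_ssl_ciphers(ciphers: List[Cipher]) -> str:
    """Join names with ':' in the form the ssl_ciphers property expects."""
    return ":".join(c.name for c in ciphers)


def validate_with_local_openssl(cipher_string: str) -> bool:
    """Return True if the local OpenSSL accepts the cipher string.
    A bogus value such as "foo" is rejected, much like Apigee's InvalidValue error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def expand_cipher_string(cipher_string: str) -> List[str]:
    """Expand a cipher string (e.g. the docs' HIGH:!aNULL:!MD5:!DH+3DES:!kEDH)
    into the concrete suite names the local OpenSSL would enable for it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    rows = parse_ciphers_v(SAMPLE_OPENSSL_CIPHERS_V)
    print("TLSv1.2 names:", build_ssl_ciphers(tls12_only(rows)))
    print("forward-secret AEAD only:", build_ssl_ciphers(forward_secret_aead(rows)))
    print("'foo' accepted locally?", validate_with_local_openssl("foo"))
    print("docs example expands to", len(expand_cipher_string("HIGH:!aNULL:!MD5:!DH+3DES:!kEDH")), "suites")
```

To use it on real output, replace the constructed sample with the text of `openssl ciphers -v` and paste the resulting string into the `ssl_ciphers` property; the expansion function is handy for seeing what a wildcard expression such as the docs' `HIGH:!aNULL:...` actually turns into before committing it to a virtual host.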

Through empirical analysis I've determined that there are a limited set of valid values.

This is for paid orgs deployed in Amazon regions.

AES128-GCM-SHA256
AES128-SHA256
AES256-GCM-SHA384
AES256-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384

See this article for more details: https://community.apigee.com/articles/57728/empirical-analysis-of-valid-values-for-virtualhost.html

@kurtkanaskie Why is there not an official Apigee documentation of the ciphers that are expected to work on virtual hosts? I opened a ticket with Apigee support and they point me to this forum comment from 5 years ago.

Good question, the docs for `ssl_ciphers` here: https://docs.apigee.com/api-platform/fundamentals/virtual-host-property-reference#virtualhostreprese... points to https://www.openssl.org/docs/man1.0.2/apps/ciphers.html which is 404.

I'll use Send Feedback on that page to request an update / fix. You can do the same.

Hopefully the article helped in the interim.

Hi @kurtkanaskie, thanks for your reply. What I mean is that I have this list of ciphers that are considered secure:

"DHE-RSA-AES128-GCM-SHA256",
"DHE-RSA-AES256-GCM-SHA384",
"DHE-DSS-AES128-GCM-SHA256",
"DHE-DSS-AES256-GCM-SHA384",
"DHE-PSK-AES128-GCM-SHA256",
"DHE-PSK-AES256-GCM-SHA384",
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_AES_128_CCM_SHA256",
"DHE-PSK-AES256-CCM8",
"ECDHE-ECDSA-AES128-CCM",
"ECDHE-ECDSA-AES256-CCM",
"ECDHE-ECDSA-AES128-CCM8",
"ECDHE-ECDSA-AES256-CCM8",
"ECDHE-RSA-CHACHA20-POLY1305",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"DHE-RSA-CHACHA20-POLY1305",
etc.

I had to test them one by one to find out which ones Apigee virtual hosts are supporting. Out of the 29, I know that right now only one of them works. If we revisit this topic 1 year from now, do I then have to test all 29 to see which ones are now working? Will Apigee not publish an official reference doc?

Why is this not an official Apigee documentation, and kept updated?

Looks like the OpenSSL URL is broken, but you can refer to https://www.openssl.org/docs/man1.1.1/man1/ciphers.html

General guidance:

It depends on company security posture. There is a comment in the docs: if no ciphers are specified, then all ciphers available for the JVM will be permitted.

Even if Apigee publishes n number of ciphers, what fits your organization's security is what matters the most. Speak to your security engineering team before enabling them, as you may want to avoid weaker ciphers.

We generally follow latest FAPI 1.0/2.0 standards for better security.

https://openid.net/specs/fapi-2_0-security-02.html#tls-12-ciphers

https://openid.net/specs/openid-financial-api-part-2-1_0.html (section 8.5)

I noticed the link was broken too.

Thanks for the links, that looks like sound advice!