With the recent TLS 1.0 and 1.1 retirement announcement, I would like to know which cipher suites supported in Apigee Edge Cloud are relevant for TLS 1.2.
Apigee Edge Cloud supports the OpenSSL cipher suite equivalents associated with TLSv1.2, which is the only allowed protocol.
See the ssl_ciphers property in the docs here: https://docs.apigee.com/api-platform/fundamentals/virtual-host-property-reference
See the OpenSSL values here: https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
Note, the OpenSSL values are on the right side of the listings, the left side are the names from the relevant specification.
If you try to set a cipher value that is invalid, you'll see:
```xml
<Error>
  <Code>messaging.config.beans.InvalidValue</Code>
  <Message>Invalid value foo for ssl_ciphers. Expected values are openssl cipher strings separated by :</Message>
  <Contexts/>
</Error>
```
The docs use these values as an example:
```xml
<Properties>
  <Property name="ssl_ciphers">HIGH:!aNULL:!MD5:!DH+3DES:!kEDH</Property>
</Properties>
```
Thank you. So Apigee supports all the cipher suites supported by OpenSSL?
Yes, the OpenSSL values associated with TLSv1.2.
Thank you! We were able to get the list by using the command:

```shell
openssl ciphers -v -tls1 | grep TLSv1.2
```
If you create a virtual host without specifying a list of ciphers, you should be able to see all the ciphers supported (the default list) simply by making a verbose curl call to your proxy endpoint. It would print something similar to the following (this snippet is from making the call to google):

```
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* <<Content trimmed>>
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
```
Thank you. With this, we are able to find which cipher suite is set by default. This was helpful for us. However, we wanted to know the list of cipher suites supported in Apigee.
I would like to think that if you don't specify a list of ciphers, Apigee would list all supported ciphers as default (in a preferred order). There is no reason why it should filter down the supported ciphers to make a default list.
But glad you worked it out.
Update: if you want to test for TLSv1.2 you can update your Virtual Host "ssl_ciphers" property to use valid 1.2 values only (e.g. AES128-GCM-SHA256). Then connections using 1.0 or 1.1 will fail.
Through empirical analysis I've determined that there is a limited set of valid values.
This is for paid orgs deployed in Amazon regions.
AES128-GCM-SHA256
AES128-SHA256
AES256-GCM-SHA384
AES256-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
See this article for more details: https://community.apigee.com/articles/57728/empirical-analysis-of-valid-values-for-virtualhost.html
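A local check of an `ssl_ciphers` value, added here as an example and not part of this thread or of Apigee's tooling. It expands the string with Python's `ssl` module (the same filtering as the `openssl ciphers -v ... | grep TLSv1.2` command earlier in the thread), reports strings OpenSSL rejects outright (the case Apigee answers with `messaging.config.beans.InvalidValue`), and compares the enabled TLSv1.2 names against the twelve names reported in this answer. `APIGEE_OBSERVED` is copied from the answer above and is an empirical set, not an official Apigee list.

```python
import ssl

# Example value quoted in the thread from the Apigee virtual host docs.
DOCS_EXAMPLE = "HIGH:!aNULL:!MD5:!DH+3DES:!kEDH"

# The twelve cipher names the thread reports as empirically accepted by
# Apigee Edge Cloud virtual hosts (paid orgs in Amazon regions).
APIGEE_OBSERVED = frozenset({
    "AES128-GCM-SHA256", "AES128-SHA256",
    "AES256-GCM-SHA384", "AES256-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
})


def tls12_ciphers(ssl_ciphers):
    """Expand an OpenSSL cipher string with the local OpenSSL and return the
    TLSv1.2 cipher names it enables, in preference order.  Raises
    ssl.SSLError when the string matches no cipher at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ssl_ciphers)
    # get_ciphers() also lists TLSv1.3 suites and ciphers whose minimum
    # protocol is older than 1.2; keep only the TLSv1.2 ones.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def is_valid_cipher_string(ssl_ciphers):
    """True if OpenSSL accepts the string and it yields at least one
    TLSv1.2 cipher; False for strings such as 'foo'."""
    try:
        return bool(tls12_ciphers(ssl_ciphers))
    except ssl.SSLError:
        return False


def classify(ssl_ciphers):
    """Split the enabled TLSv1.2 ciphers into names in the observed Apigee
    set and names that are valid OpenSSL ciphers but were not observed to
    be accepted on Apigee virtual hosts."""
    enabled = tls12_ciphers(ssl_ciphers)
    observed = [n for n in enabled if n in APIGEE_OBSERVED]
    unobserved = [n for n in enabled if n not in APIGEE_OBSERVED]
    return observed, unobserved
```

Run `classify(DOCS_EXAMPLE)` to see that the docs example enables several TLSv1.2 ciphers (for instance the ECDHE-ECDSA ones) that are outside the empirically observed set.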
@kurtkanaskie why is there no official Apigee documentation of the ciphers that are expected to work on virtual hosts? I opened a ticket with Apigee support and they pointed me to this forum comment from 5 years ago.
Good question, the docs for `ssl_ciphers` here: https://docs.apigee.com/api-platform/fundamentals/virtual-host-property-reference#virtualhostreprese... points to https://www.openssl.org/docs/man1.0.2/apps/ciphers.html which is 404.
I'll use Send Feedback on that page to request an update / fix. You can do the same.
Hopefully the article helped in the interim.
Hi @kurtkanaskie, thanks for your reply. What I mean is that I have this list of ciphers that are considered secure
Looks like the OpenSSL URL is broken, but you can refer to https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
General guidance:
It depends on the company's security posture. There is a note in the docs: If no ciphers are specified, then all ciphers available for the JVM will be permitted.
Even if Apigee publishes any number of ciphers, what fits your organization's security is what matters most. Speak to your security engineering team before enabling them, as you may want to avoid weaker ciphers.
We generally follow latest FAPI 1.0/2.0 standards for better security.
https://openid.net/specs/fapi-2_0-security-02.html#tls-12-ciphers
https://openid.net/specs/openid-financial-api-part-2-1_0.html (section 8.5)
I noticed the link was broken too.
Thanks for the links, that looks like sound advice!