Cipher Suites Shipped With the Edge SWG (Proxy SG) and ASG Appliances

Article ID: 170130


Products

Advanced Secure Gateway Software - ASG, ProxySG Software - SGOS

Issue/Introduction

The following table lists cipher suites that are shipped with the appliance for a specific version of SGOS.

For additional information, refer to the "Managing X.509 Certificates" chapter in the SGOS Administration Guide.


Notes:

    • In the Strength column, "Export" refers to the 1990s-era cryptography export restrictions that limited key length to 40 bytes. Those restrictions are no longer in force, but the Export strength category remains in OpenSSL. These ciphers are thus supported on the appliance for historical reasons. 
    • In the ‘Shipped with Versions’ column, a specific release (such as "6.6.5.13") means that the cipher is available starting in that release.
    • Access logs record unsupported ciphers under their hex values. For example, TLS_AES_128_GCM_SHA256 is unsupported on version 6.7.x and is access-logged as “0x1301(unsupported)”.
    • In ‘Disabled by Default’:
      • Note 1: DHE ciphers are disabled by default. To enable them, use #(config ssl)proxy dhe-ciphers enable.
      • Note 2: For the HTTPS Management console, CBC and weak ciphers are disabled by default.

Resolution

The ciphers are ordered from modern to legacy. A new column marks the (EC)DSA/DSS ciphers that are available only on upstream forward proxy connections, and another column marks the ciphers allowed for the FIPS 140-3 management plane.

| Cipher Name on the Appliance | Hex Value | IANA Name | Strength | Key Size (Bits) | Shipped with Versions | Disabled by Default | Available only in forward proxy upstream connection | Allowed in FIPS 140-3 (Mgmt) |
|---|---|---|---|---|---|---|---|---|
| TLS_AES_256_GCM_SHA384 | 0x1302 | TLS_AES_256_GCM_SHA384 | High | 256 | 7.2+ | | | Y |
| TLS_AES_128_GCM_SHA256 | 0x1301 | TLS_AES_128_GCM_SHA256 | High | 128 | 7.2+ | | | Y |
| TLS_CHACHA20_POLY1305_SHA256 | 0x1303 | TLS_CHACHA20_POLY1305_SHA256 | High | 256 | 7.2+ | | | |
| TLS_AES_128_CCM_8_SHA256 | 0x1305 | TLS_AES_128_CCM_8_SHA256 | High | 128 | 7.2+ | | | Y |
| TLS_AES_128_CCM_SHA256 | 0x1304 | TLS_AES_128_CCM_SHA256 | High | 128 | 7.2+ | | | Y |
| ECDHE-ECDSA-AES256-GCM-SHA384 | 0xC02C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | High | 256 | 6.5.10.6+, 6.6.5.13+, 6.7 to 7.x | | X | |
| ECDHE-ECDSA-AES128-GCM-SHA256 | 0xC02B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | High | 128 | 6.5.7.1+, 6.6.5.13+, 6.7 to 7.x | | X | |
| ECDHE-RSA-AES256-GCM-SHA384 | 0xC030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | High | 256 | 6.5.10.6+, 6.6.5.13+, 6.7 to 7.x | | | Y |
| ECDHE-RSA-AES128-GCM-SHA256 | 0xC02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | High | 128 | 6.5.6.1+, 6.6.5.13+, 6.7 to 7.x | | | Y |
| ECDHE-ECDSA-AES256-SHA384 | 0xC024 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | High | 256 | 6.5.10.6+, 6.6.5.13+, 6.7 to 7.x | | X | |
| ECDHE-ECDSA-AES128-SHA256 | 0xC023 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | High | 128 | 6.5.7.1 to 7.x | | X | |
| ECDHE-RSA-AES256-SHA384 | 0xC028 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | High | 256 | 6.5.10.6+, 6.6.5.13+, 6.7 to 7.x | 2 | | Y |
| ECDHE-RSA-AES128-SHA256 | 0xC027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | High | 128 | 6.5.6.1+, 6.6.5.13+, 6.7 to 7.x | 2 | | Y |
| ECDHE-ECDSA-AES256-SHA | 0xC00A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | High | 256 | 6.5.7.1 to 7.x | | X | |
| ECDHE-ECDSA-AES128-SHA | 0xC009 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | High | 128 | 6.5.7.1 to 7.x | | X | |
| ECDHE-RSA-AES256-SHA | 0xC014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | High | 256 | 6.5.6.1+, 6.6.5.13+, 6.7 to 7.x | 2 | | Y |
| ECDHE-RSA-AES128-SHA | 0xC013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | High | 128 | 6.5.6.1+, 6.6.5.13+, 6.7 to 7.x | 2 | | Y |
| DHE-RSA-AES256-GCM-SHA384 | 0x009F | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | High | 256 | 6.5.10.6+, 6.6.5.13+, 6.7 to 7.x | 1 | | Y |
| DHE-RSA-AES128-GCM-SHA256 | 0x009E | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | High | 128 | 6.5.10.6+, 6.6.5.13+, 6.7 to 7.x | 1 | | Y |
| DHE-DSS-AES256-GCM-SHA384 | 0x00A3 | TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | High | 256 | 6.6.5.13 to 7.x | 1 | X | |
| DHE-DSS-AES128-GCM-SHA256 | 0x00A2 | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | Medium | 128 | 6.6.5.13 to 7.x | 1 | X | |
| DHE-RSA-AES256-SHA | 0x0039 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | High | 256 | 6.5 to 7.x | 1 | | Y |
| DHE-RSA-AES128-SHA | 0x0033 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | High | 128 | 6.5 to 7.x | 1 | | Y |
| DHE-DSS-AES256-SHA256 | 0x006A | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | High | 256 | 6.5 to 7.x | 1 | X | |
| DHE-DSS-AES128-SHA256 | 0x0040 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | Medium | 128 | 6.5 to 7.x | 1 | X | |
| DHE-DSS-AES256-SHA | 0x0038 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA | High | 256 | 6.5 to 7.x | 1 | X | |
| DHE-DSS-AES128-SHA | 0x0032 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA | Medium | 128 | 6.5 to 7.x | 1 | X | |
| AES256-GCM-SHA384 | 0x009D | TLS_RSA_WITH_AES_256_GCM_SHA384 | High | 256 | 6.5.10.6+, 6.6.5.13+, 6.7 to 7.x | | | |
| AES128-GCM-SHA256 | 0x009C | TLS_RSA_WITH_AES_128_GCM_SHA256 | High | 128 | 6.7 to 7.x | | | |
| AES256-SHA256 | 0x003D | TLS_RSA_WITH_AES_256_CBC_SHA256 | High | 256 | 6.6 to 7.x | 2 | | |
| AES128-SHA256 | 0x003C | TLS_RSA_WITH_AES_128_CBC_SHA256 | High | 128 | 6.5 to 7.x | 2 | | |
| AES256-SHA | 0x0035 | TLS_RSA_WITH_AES_256_CBC_SHA | High | 256 | 6.5 to 7.x | 2 | | |
| AES128-SHA | 0x002F | TLS_RSA_WITH_AES_128_CBC_SHA | Medium | 128 | 6.5 to 7.x | 2 | | |
| ECDHE-ECDSA-RC4-SHA | 0xC007 | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | High | 128 | 6.5.7.1 to 7.x | | X | |
| ECDHE-RSA-RC4-SHA | 0xC011 | TLS_ECDHE_RSA_WITH_RC4_128_SHA | High | 128 | 6.5.6.1+, 6.6.5.13+, 6.7 to 7.x | 2 | | |
| DHE-DSS-DES-CBC3-SHA | 0x0013 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | Medium | 168 | 6.5 to 7.1 | 1 | X | |
| DES-CBC3-SHA | 0x000A | TLS_RSA_WITH_3DES_EDE_CBC_SHA | High | 168 | 6.5 to 7.x | 2 | | |
| RC4-SHA | 0x0005 | TLS_RSA_WITH_RC4_128_SHA | Medium | 128 | 6.5 to 7.x | 2 | | |
| RC4-MD5 | 0x0004 | TLS_RSA_WITH_RC4_128_MD5 | Medium | 128 | 6.5 to 7.x | 2 | | |
| DES-CBC-SHA | 0x0009 | TLS_RSA_WITH_DES_CBC_SHA | Low | 56 | 6.5 to 7.1 | 2 | | |
| EXP-DES-CBC-SHA | 0x0008 | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | Export | 40 | 6.5 to 7.1 | 2 | | |
| EXP-RC4-MD5 | 0x0003 | TLS_RSA_EXPORT_WITH_RC4_40_MD5 | Export | 40 | 6.5 to 7.1 | 2 | | |
| EXP-RC2-CBC-MD5 | 0x0006 | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | Export | 40 | 6.5 to 7.1 | 2 | | |
| DHE-DSS-DES-CBC-SHA | 0x0012 | TLS_DHE_DSS_WITH_DES_CBC_SHA | Low | 56 | 6.5 to 7.1 | 1 | X | |
| EXP-DHE-DSS-DES-CBC-SHA | 0x0011 | TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | Export | 40 | 6.5 to 7.1 | 1 | X | |