IBM Cloud Docs
Setting up cipher suites

Setting up cipher suites

Cipher suites are a combination of algorithms and protocols that help to secure network connections during the TLS handshake. IBM Cloud® Internet Services secures network connections by using edge and origin cipher suites.

Edge cipher suites

The following ciphers are supported at the cloud edge. You can restrict the ciphers that are used for your domain through the CIS CLI plugin to the IBM Cloud CLI. See the ciphers option on the domain settings command.

Edge cipher suites
OpenSSL Name TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 IANA name
ECDHE-ECDSA-AES128-GCM-SHA256 Available TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE-ECDSA-CHACHA20-POLY1305 Available TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE-RSA-AES128-GCM-SHA256 Available TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-CHACHA20-POLY1305 Available TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-AES128-SHA256 Available TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ECDHE-ECDSA-AES128-SHA Available Available Available TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES128-SHA256 Available TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ECDHE-RSA-AES128-SHA Available Available Available TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
AES128-GCM-SHA256 Available TLS_RSA_WITH_AES_128_GCM_SHA256
AES128-SHA256 Available TLS_RSA_WITH_AES_128_CBC_SHA256
AES128-SHA Available Available Available TLS_RSA_WITH_AES_128_CBC_SHA
ECDHE-ECDSA-AES256-GCM-SHA384 Available TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE-ECDSA-AES256-SHA384 Available TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
ECDHE-RSA-AES256-GCM-SHA384 Available TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-AES256-SHA384 Available TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
ECDHE-RSA-AES256-SHA Available Available Available TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
AES256-GCM-SHA384 Available TLS_RSA_WITH_AES_256_GCM_SHA384
AES256-SHA256 Available TLS_RSA_WITH_AES_256_CBC_SHA256
AES256-SHA Available Available Available TLS_RSA_WITH_AES_256_CBC_SHA
DES-CBC3-SHA Available TLS_RSA_WITH_3DES_EDE_CBC_SHA
AEAD-AES128-GCM-SHA256 Available TLS_AES_128_GCM_SHA256
AEAD-AES256-GCM-SHA384 Available TLS_AES_256_GCM_SHA384
AEAD-CHACHA20-POLY1305-SHA256 Available TLS_CHACHA20_POLY1305_SHA256

Origin cipher suites

The following ciphers are supported at the origin. You can restrict the ciphers that are used for your domain through the CIS CLI plugin to the IBM Cloud CLI. See the ciphers option on the domain settings command.

Origin cipher suites
OpenSSL Name TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 IANA name
AEAD-AES128-GCM-SHA256 [1] Available TLS_AES_128_GCM_SHA256
AEAD-AES256-GCM-SHA384 [2] Available TLS_AES_256_GCM_SHA384
AEAD-CHACHA20-POLY1305-SHA256 [3] Available TLS_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-AES128-GCM-SHA256 Available TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-AES128-GCM-SHA256 Available TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-AES128-SHA Available Available Available TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
AES128-GCM-SHA256 Available TLS_RSA_WITH_AES_128_GCM_SHA256
AES128-SHA Available Available Available TLS_RSA_WITH_AES_128_CBC_SHA
ECDHE-ECDSA-AES256-GCM-SHA384 Available TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-AES256-SHA384 Available TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
AES256-SHA Available Available Available TLS_RSA_WITH_AES_256_CBC_SHA
DES-CBC3-SHA Available TLS_RSA_WITH_3DES_EDE_CBC_SHA

Managing cipher suites from the CLI

You can manage cipher suites from the CLI.

Getting the cipher suites from the CLI

To list the cipher variable, run the following command:

ibmcloud cis domain-settings DNS_DOMAIN_ID [-g, --group GROUP | -f, --feature FEATURE] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. This option is required.
-f, --feature
Specifies the domain setting feature to check. This option is mutually exclusive with -g, --group. Set this option to the following variable:
  • ciphers: Defines an allowlist of TLS cipher suites for edge TLS termination, using the BoringSSL cipher format. This command lists only cipher suites that customers have explicitly allowlisted. If no cipher suites are allowlisted, the command returns an empty list and uses the default cipher suites. For the list of default cipher suites, see Edge cipher suites.
Example

Get ciphers settings for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis domain-settings -f "ciphers" 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

For more information, see ibmcloud cis domain-settings.

Updating the cipher suites from the CLI

To update the cipher variable, run the following command:

ibmcloud cis domain-settings-update DNS_DOMAIN_ID (-f, --feature FEATURE) (-v, --value VALUE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. This option is required.

-f, --feature

Feature of domain settings to update. This option is required. Valid cipher value is:

  • ciphers : An allowlist of ciphers for TLS termination. These ciphers must be in the BoringSSL format.
-v, --value

Specifies the value to set for the feature on the domain. This option is required.

  • Valid values for tls_client_auth are on and off.
  • Valid values for ciphers are:
    • ECDHE-ECDSA-AES128-GCM-SHA256
    • ECDHE-ECDSA-CHACHA20-POLY1305
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-RSA-CHACHA20-POLY1305
    • ECDHE-ECDSA-AES128-SHA256
    • ECDHE-ECDSA-AES128-SHA
    • ECDHE-RSA-AES128-SHA256
    • ECDHE-RSA-AES128-SHA
    • AES128-GCM-SHA256
    • AES128-SHA256
    • AES128-SHA
    • ECDHE-ECDSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-AES256-SHA384
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES256-SHA384
    • ECDHE-RSA-AES256-SHA
    • AES256-GCM-SHA384
    • AES256-SHA256
    • AES256-SHA
    • DES-CBC3-SHA
    • default

For example, use -v default to reset the specific configured cipher suites like -v AES256-SHA256,AES256-SHA, to the default value.

Example

Enable tls_client_auth for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis domain-settings-update -f tls_client_auth -v on 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

For more information, see ibmcloud cis domain-settings-update.

To revert to the default cipher list, specify -v default after -f ciphers.

Managing cipher suites with the API

You can manage cipher suites with the API.

Getting ciphers with the API

To get ciphers with the API, take the following steps.

  1. Set up your environment with the right variables.
  2. Store any variables to be used in the API commands. For example,
    • crn (string): The full URL-encoded cloud resource name (CRN) of the resource instance.
    • zone_identifier (string): The zone identifier.
  3. When all variables are initiated, get the ciphers:
curl -X GET https://api.cis.cloud.ibm.com/v1/:crn/zones/:zone_id/settings/ciphers -H 'content-type: application/json' -H 'accept: application/json' -H 'x-auth-user-token: Bearer xxxxxx'

Updating ciphers with the API

To update ciphers with the API, take the following steps.

  1. Set up your environment with the right variables.
  2. Store any variables to be used in the API commands. For example,
    • crn (string): The full URL-encoded cloud resource name (CRN) of the resource instance.
    • zone_identifier (string): The zone identifier.
    • value(string): The cipher suites that you want to include.
  3. When all variables are initiated, get the ciphers:
curl -X PATCH https://api.cis.cloud.ibm.com/v1/:crn/zones/:zone_id/settings/ciphers -H 'content-type: application/json' -H 'x-auth-user-token: Bearer xxxxxx' -d '{"value": ["AES256-GCM-SHA384", "AES256-SHA256"]}'

  1. Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, specifying only the symmetric ciphers, and can't be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites can't be used with TLS 1.3 (IETF TLS 1.3 draft 21). BoringSSL also hardcodes cipher preferences in this order for TLS 1.3. ↩︎

  2. Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, specifying only the symmetric ciphers, and can't be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites can't be used with TLS 1.3 (IETF TLS 1.3 draft 21). BoringSSL also hardcodes cipher preferences in this order for TLS 1.3. ↩︎

  3. Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, specifying only the symmetric ciphers, and can't be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites can't be used with TLS 1.3 (IETF TLS 1.3 draft 21). BoringSSL also hardcodes cipher preferences in this order for TLS 1.3. ↩︎