Administration Guide

Supported cipher suites - for connection between FortiWeb and back-end servers

High SSL/TLS encryption levels
Cipher TLS 1.3 TLS 1.2 TLS 1.0, 1.1

AES_256_GCM_SHA384

Yes

CHACHA20_POLY1305_SHA256

Yes

AES_128_GCM_SHA256

Yes

ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Yes

ECDHE_RSA_WITH_AES_256_GCM_SHA384

Yes

DHE_DSS_WITH_AES_256_GCM_SHA384

Yes

DHE_RSA_WITH_AES_256_GCM_SHA384

Yes

ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

Yes

ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Yes

DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Yes

ECDHE_ECDSA_WITH_AES_256_CCM_8

Yes

ECDHE_ECDSA_WITH_AES_256_CCM

Yes

DHE_RSA_WITH_AES_256_CCM_8

Yes

DHE_RSA_WITH_AES_256_CCM

Yes

ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384

Yes

ECDHE_RSA_WITH_ARIA_256_GCM_SHA384

Yes

DHE_DSS_WITH_ARIA_256_GCM_SHA384

Yes

DHE_RSA_WITH_ARIA_256_GCM_SHA384

Yes

ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Yes

ECDHE_RSA_WITH_AES_128_GCM_SHA256

Yes

DHE_DSS_WITH_AES_128_GCM_SHA256

Yes

DHE_RSA_WITH_AES_128_GCM_SHA256

Yes

ECDHE_ECDSA_WITH_AES_128_CCM_8

Yes

ECDHE_ECDSA_WITH_AES_128_CCM

Yes

DHE_RSA_WITH_AES_128_CCM_8

Yes

DHE_RSA_WITH_AES_128_CCM

Yes

ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256

Yes

ECDHE_RSA_WITH_ARIA_128_GCM_SHA256

Yes

DHE_DSS_WITH_ARIA_128_GCM_SHA256

Yes

DHE_RSA_WITH_ARIA_128_GCM_SHA256

Yes

ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Yes

ECDHE_RSA_WITH_AES_256_CBC_SHA384

Yes

DHE_RSA_WITH_AES_256_CBC_SHA256

Yes

DHE_DSS_WITH_AES_256_CBC_SHA256

Yes

ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384

Yes

ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384

Yes

DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256

Yes

DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256

Yes

Yes

ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

Yes

ECDHE_RSA_WITH_AES_128_CBC_SHA256

Yes

DHE_RSA_WITH_AES_128_CBC_SHA256

Yes

DHE_DSS_WITH_AES_128_CBC_SHA256

Yes

Yes

ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256

Yes

ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256

Yes

DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256

Yes

DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256

Yes

ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Yes

Yes

ECDHE_RSA_WITH_AES_256_CBC_SHA

Yes

Yes

DHE_RSA_WITH_AES_256_CBC_SHA

Yes

Yes

DHE_DSS_WITH_AES_256_CBC_SHA

Yes

Yes

DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

Yes

Yes

DHE_DSS_WITH_CAMELLIA_256_CBC_SHA

Yes

ECDHE_ECDSA_WITH_AES_128_CBC_SHA

Yes

Yes

ECDHE_RSA_WITH_AES_128_CBC_SHA

Yes

Yes

DHE_RSA_WITH_AES_128_CBC_SHA

Yes

Yes

DHE_DSS_WITH_AES_128_CBC_SHA

Yes

DHE_RSA_WITH_CAMELLIA_128_CBC_SHA

Yes

Yes

DHE_DSS_WITH_CAMELLIA_128_CBC_SHA

Yes

Yes

RSA_WITH_AES_256_GCM_SHA384

Yes

RSA_WITH_AES_256_CCM_8

Yes

RSA_WITH_AES_256_CCM

Yes

RSA_WITH_ARIA_256_GCM_SHA384

Yes

RSA_WITH_AES_128_GCM_SHA256

Yes

RSA_WITH_AES_128_CCM_8

Yes

RSA_WITH_AES_128_CCM

Yes

RSA_WITH_ARIA_128_GCM_SHA256

Yes

RSA_WITH_AES_256_CBC_SHA256

Yes

RSA_WITH_CAMELLIA_256_CBC_SHA256

Yes

RSA_WITH_AES_128_CBC_SHA256

Yes

RSA_WITH_CAMELLIA_128_CBC_SHA256

Yes

RSA_WITH_AES_256_CBC_SHA

Yes

Yes

RSA_WITH_CAMELLIA_256_CBC_SHA

Yes

Yes

RSA_WITH_AES_128_CBC_SHA

Yes

Yes

RSA_WITH_CAMELLIA_128_CBC_SHA

Yes

Yes

Medium SSL/TLS encryption levels
Cipher TLS 1.3 TLS 1.2 TLS 1.0, 1.1

AES_256_GCM_SHA384

Yes

CHACHA20_POLY1305_SHA256

Yes

AES_128_GCM_SHA256

Yes

ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Yes

ECDHE_RSA_WITH_AES_256_GCM_SHA384

Yes

DHE_DSS_WITH_AES_256_GCM_SHA384

Yes

DHE_RSA_WITH_AES_256_GCM_SHA384

Yes

ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

Yes

ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Yes

DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Yes

ECDHE_ECDSA_WITH_AES_256_CCM_8

Yes

ECDHE_ECDSA_WITH_AES_256_CCM

Yes

DHE_RSA_WITH_AES_256_CCM_8

Yes

DHE_RSA_WITH_AES_256_CCM

Yes

ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384

Yes

ECDHE_RSA_WITH_ARIA_256_GCM_SHA384

Yes

DHE_DSS_WITH_ARIA_256_GCM_SHA384

Yes

DHE_RSA_WITH_ARIA_256_GCM_SHA384

Yes

ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Yes

ECDHE_RSA_WITH_AES_128_GCM_SHA256

Yes

DHE_DSS_WITH_AES_128_GCM_SHA256

Yes

DHE_RSA_WITH_AES_128_GCM_SHA256

Yes

ECDHE_ECDSA_WITH_AES_128_CCM_8

Yes

ECDHE_ECDSA_WITH_AES_128_CCM

Yes

DHE_RSA_WITH_AES_128_CCM_8

Yes

DHE_RSA_WITH_AES_128_CCM

Yes

ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256

Yes

ECDHE_RSA_WITH_ARIA_128_GCM_SHA256

Yes

DHE_DSS_WITH_ARIA_128_GCM_SHA256

Yes

DHE_RSA_WITH_ARIA_128_GCM_SHA256

Yes

ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Yes

ECDHE_RSA_WITH_AES_256_CBC_SHA384

Yes

DHE_RSA_WITH_AES_256_CBC_SHA256

Yes

DHE_DSS_WITH_AES_256_CBC_SHA256

Yes

ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384

Yes

ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384

Yes

DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256

Yes

DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256

Yes

Yes

ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

Yes

ECDHE_RSA_WITH_AES_128_CBC_SHA256

Yes

DHE_RSA_WITH_AES_128_CBC_SHA256

Yes

DHE_DSS_WITH_AES_128_CBC_SHA256

Yes

Yes

ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256

Yes

ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256

Yes

DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256

Yes

DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256

Yes

ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Yes

Yes

ECDHE_RSA_WITH_AES_256_CBC_SHA

Yes

Yes

DHE_RSA_WITH_AES_256_CBC_SHA

Yes

Yes

DHE_DSS_WITH_AES_256_CBC_SHA

Yes

Yes

DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

Yes

Yes

DHE_DSS_WITH_CAMELLIA_256_CBC_SHA

Yes

ECDHE_ECDSA_WITH_AES_128_CBC_SHA

Yes

Yes

ECDHE_RSA_WITH_AES_128_CBC_SHA

Yes

Yes

DHE_RSA_WITH_AES_128_CBC_SHA

Yes

Yes

DHE_DSS_WITH_AES_128_CBC_SHA

Yes

DHE_RSA_WITH_CAMELLIA_128_CBC_SHA

Yes

Yes

DHE_DSS_WITH_CAMELLIA_128_CBC_SHA

Yes

Yes

RSA_WITH_AES_256_GCM_SHA384

Yes

RSA_WITH_AES_256_CCM_8

Yes

RSA_WITH_AES_256_CCM

Yes

RSA_WITH_ARIA_256_GCM_SHA384

Yes

RSA_WITH_AES_128_GCM_SHA256

Yes

RSA_WITH_AES_128_CCM_8

Yes

RSA_WITH_AES_128_CCM

Yes

RSA_WITH_ARIA_128_GCM_SHA256

Yes

RSA_WITH_AES_256_CBC_SHA256

Yes

RSA_WITH_CAMELLIA_256_CBC_SHA256

Yes

RSA_WITH_AES_128_CBC_SHA256

Yes

RSA_WITH_CAMELLIA_128_CBC_SHA256

Yes

RSA_WITH_AES_256_CBC_SHA

Yes

Yes

RSA_WITH_CAMELLIA_256_CBC_SHA

Yes

Yes

RSA_WITH_AES_128_CBC_SHA

Yes

Yes

RSA_WITH_CAMELLIA_128_CBC_SHA

Yes

Yes

DHE_RSA_WITH_SEED_CBC_SHA

Yes

Yes

DHE_DSS_WITH_SEED_CBC_SHA

Yes

Yes

ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

Yes

Yes

ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Yes

Yes

DHE_RSA_WITH_3DES_EDE_CBC_SHA

Yes

Yes

DHE_DSS_WITH_3DES_EDE_CBC_SHA

Yes

Yes

RSA_WITH_SEED_CBC_SHA

Yes

Yes

RSA_WITH_IDEA_CBC_SHA

Yes

Yes

RSA_WITH_3DES_EDE_CBC_SHA

Yes

Yes

Note: All the medium level ciphers are also supported by the high encryption level, except for those ciphers highlighted in red.

Generally speaking, for security reasons, SHA-1 is preferable, although you may not be able to use it for client compatibility reasons. Avoid using:

  • Older hash algorithms, such as MD5. To disable MD5, for SSL/TLS encryption level, select High.
  • Encryption bit strengths less than 128
  • Older styles of renegotiation (These are vulnerable to Man-in-the-Middle (MITM) attacks.)
  • Client-initiated renegotiation. Configure this as described in Configuring an HTTP server policy.
Customized-only SSL/TLS encryption levels

The ciphers in the customized level can be viewed in the GUI, so we won't be listing them in this guide.

All the customized ciphers are included in the high and medium level cipher table listed above, with the exception of the ciphers mentioned in the table below.

Cipher TLS 1.3 TLS 1.2 TLS 1.0, 1.1

TLS_AES_128_CCM_SHA256

Yes

TLS_AES_128_CCM_8_SHA256

Yes
