Supported TLS Cipher Suites
This appendix and the Helm values.yaml file both use the OpenSSL project’s identifiers for TLS Cipher Suites.
Recommended Cipher Suites: The Default List
The following TLS Cipher Suites are supported by Keysafe 5, and are configured for use by default. It is strongly recommended that this default set of cipher suites, or a subset of it, is used.
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
Less Secure Cipher Suites: Not Recommended
The following TLS Cipher Suites are supported by Keysafe 5, but only if explicitly configured for use by the user. These are less secure cipher suites and should only be configured for use after a thorough threat analysis of the operating environment.
- ECDHE-RSA-AES256-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA
- ECDHE-ECDSA-AES128-SHA
- AES256-GCM-SHA384
- AES128-GCM-SHA256
- AES256-SHA
- AES128-SHA
- DES-CBC3-SHA
TLSv1.3 Cipher Suites: Not Configurable
The following TLS Cipher Suites are supported by Keysafe 5 and cannot be explicitly configured. These are all secure TLSv1.3 cipher suites.
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_GCM_SHA256
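The following is an added example, not part of the Keysafe 5 product or its documentation: a small audit that classifies each entry of an OpenSSL-style cipher string against the three lists in this appendix before the string is placed in a deployment's configuration. The function names, the `SAMPLE` value and the weakness descriptions (derived from how OpenSSL names suites, not stated in this appendix) are assumptions of the example.

```python
import re

# Suite lists copied from this appendix (OpenSSL identifiers).
RECOMMENDED = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
}
LESS_SECURE = {
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA",
    "AES256-GCM-SHA384", "AES128-GCM-SHA256",
    "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA",
}
TLS13_FIXED = {
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
}
# Constructed sample value, not taken from any real deployment.
SAMPLE = "ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:TLS_AES_128_GCM_SHA256:RC4-SHA"


def weaknesses(suite):
    """Explain, from the OpenSSL name, why a less-secure suite is weaker."""
    found = []
    if not suite.startswith("ECDHE-"):
        found.append("static RSA key exchange, no forward secrecy")
    if suite.endswith("-SHA"):
        found.append("CBC mode with HMAC-SHA1")
    if suite.startswith("DES-CBC3"):
        found.append("3DES, 64-bit block cipher")
    return found


def audit_cipher_list(cipher_string):
    """Classify each entry of an OpenSSL cipher string against the appendix."""
    report = {"recommended": [], "less_secure": {},
              "tls13_not_configurable": [], "unsupported": []}
    # OpenSSL accepts ':', ',' or whitespace as separators in a cipher string.
    for suite in filter(None, re.split(r"[:,\s]+", cipher_string.strip())):
        if suite in RECOMMENDED:
            report["recommended"].append(suite)
        elif suite in LESS_SECURE:
            report["less_secure"][suite] = weaknesses(suite)
        elif suite in TLS13_FIXED:
            report["tls13_not_configurable"].append(suite)
        else:  # keywords such as HIGH or !aNULL also land here
            report["unsupported"].append(suite)
    return report
```

A configuration that follows the recommendation above produces a report in which only the `recommended` entry is non-empty.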