Supported TLS Cipher Suites

This appendix and the helm values.yaml file both use the OpenSSL project’s identifiers for TLS Cipher Suites.

Recommended Cipher Suites: The Default List

The following TLS Cipher Suites are supported by Keysafe 5, and are configured for use by default. It is strongly recommended that this default set of cipher suites, or a subset of it, is used.

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-CHACHA20-POLY1305

  • ECDHE-RSA-CHACHA20-POLY1305

Less Secure Cipher Suites: Not Recommended

The following TLS Cipher Suites are supported by Keysafe 5, but only if explicitly configured for use by the user. These are less secure cipher suites and should only be configured for use after a thorough threat analysis of the operating environment.

  • ECDHE-RSA-AES256-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-ECDSA-AES128-SHA

  • AES256-GCM-SHA384

  • AES128-GCM-SHA256

  • AES256-SHA

  • AES128-SHA

  • DES-CBC3-SHA

TLSv1.3 Cipher Suites: Not Configurable

The following TLS Cipher Suites are supported by Keysafe 5 and cannot be explicitly configured. These are all secure TLSv1.3 cipher suites.

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • TLS_AES_128_GCM_SHA256