Supported TLS Protocol and Cipher Suites
The Transport Layer Security (TLS) protocol is an established method for ensuring private, trustworthy, and reliable communication between computer programs over a network. Each new version of the TLS protocol enhances these qualities. Versions TLS 1.2 and TLS 1.3 are currently supported for use in NetSuite.
Computer programs use the TLS protocol to establish communication with each other. The TLS protocol is used by computer programs that connect using URLs that begin with https:// (the s indicates secure). URLs that begin with http:// are not subject to the TLS protocol.
For more information about the TLS protocol, see:
- A definition from Wikipedia: Transport Layer Security.
- The specifications of the protocol: RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2, and RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3.
All inbound and outbound secure communication must use TLS 1.2 or TLS 1.3.
See the following sections for more information:
For more information about opportunistic TLS for outbound and inbound email, see Opportunistic TLS and NetSuite Email.
If you are looking for information about supported browsers, see Supported Browsers for NetSuite and Supported Browsers for Commerce Websites.
Supported Cipher Suites
The supported cipher suites can vary by the TLS version, and by the type of service or feature. See the following sections for details:
Cipher Suites for NetSuite Account Services and Commerce
The lists of supported cipher suites are subject to change at any time. It is your responsibility to be aligned with the highest possible level of security available in the industry.
The following cipher suites are supported for NetSuite services, for example, access to the NetSuite UI, SOAP web services, SuiteCommerce websites, and SuiteAnalytics Connect.
For all NetSuite services, you must ensure that your TLS clients support Server Name Indication (SNI). For more information, see Server Name Indication (SNI) is Required.
TLS version 1.2 Cipher Suites
Only TLS version 1.2 cipher suites are supported for use with SuiteAnalytics Connect.
Support for CBC cipher suites ended on July 15, 2021 for all NetSuite services.
| IANA Name | OpenSSL Name |
|---|---|
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 |
TLS version 1.3 Cipher Suites
The IANA and OpenSSL names for these TLS 1.3 cipher suites are the same.
| IANA and OpenSSL Name |
|---|
| TLS_AES_256_GCM_SHA384 |
| TLS_CHACHA20_POLY1305_SHA256 |
| TLS_AES_128_GCM_SHA256 |
Cipher Suites for SuiteCommerce Websites Only
In addition to the cipher suites listed in Cipher Suites for NetSuite Account Services and Commerce, the following cipher suites are supported for SuiteCommerce websites only.
The ECDHE-ECDSA cipher suites require that the server's certificate contain an ECDSA public key; a certificate with an RSA key can only negotiate the ECDHE-RSA suites.

| IANA Name | OpenSSL Name |
|---|---|
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256 |
Cipher Suites for Email Services
The cipher suites listed in the following table are supported for use with email services (for example, Microsoft Outlook).
| IANA Name | OpenSSL Name |
|---|---|
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DHE-RSA-AES128-GCM-SHA256 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE-RSA-AES256-GCM-SHA384 |
Support is targeted to end soon for the cipher suites listed in the following table. These suites use static RSA key exchange and therefore provide no forward secrecy; move email clients to the ECDHE or DHE suites above before support ends.

| IANA Name | OpenSSL Name |
|---|---|
| TLS_RSA_WITH_AES_128_GCM_SHA256 | AES128-GCM-SHA256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384 |
Cipher Suites for the SuiteScript N/sftp Module
The SuiteScript N/sftp module connects over SSH (SFTP) rather than TLS, so it has its own set of supported ciphers and host key types. For more information about the supported cipher suites for the N/sftp Module in SuiteScript, see Supported Cipher Suites and Host Key Types.
Server Name Indication (SNI) is Required
Server Name Indication, or SNI, is an extension to the TLS protocol. SNI lets a TLS client indicate, during the TLS handshake, which hostname it is attempting to connect to. All browsers and standard clients use SNI. Access to Commerce websites has required SNI for some time, and all TLS clients connecting to NetSuite must support it.
If you are using currently supported cipher suites but some of your integrations are still experiencing failures, verify that all your TLS clients are configured to provide SNI. Some TLS clients have been observed to be configured with SNI turned off.
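The following Python is an added example, not NetSuite's code, that ties the cipher suite tables for NetSuite account services and the SNI requirement together. It builds a client SSLContext restricted to TLS 1.2+ and the listed suites, produces the ClientHello that context would send without touching the network (the handshake is driven through memory BIOs), and then parses that ClientHello to confirm that SNI is present and that only listed suites are offered. The hostname example.com, the helper names and the constructed ClientHello are assumptions for illustration; the same parser can be run on a ClientHello captured from a failing integration.

```python
import ssl
import struct

# Cipher suites from the NetSuite account services tables above, keyed by
# IANA code point; the values are the IANA names as printed on the page.
SUPPORTED_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}
# Signalling values OpenSSL appends to the ClientHello cipher list
# (renegotiation_info SCSV, fallback SCSV). They are not cipher suites.
SIGNALLING_SUITES = {0x00FF, 0x5600}

# OpenSSL names of the TLS 1.2 suites above. set_ciphers() does not govern
# TLS 1.3 suites; OpenSSL's default TLS 1.3 list is the three on the page.
TLS12_CIPHER_STRING = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
)


def netsuite_client_context() -> ssl.SSLContext:
    """Client context: certificate and hostname verification on, TLS 1.2+,
    and only the TLS 1.2 suites listed on the page."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(TLS12_CIPHER_STRING)
    return ctx


def client_hello_bytes(ctx: ssl.SSLContext, hostname: str) -> bytes:
    """Drive the first handshake flight through memory BIOs (no network)
    and return the raw ClientHello record this context would send."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # server_hostname is what makes the client send the SNI extension.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for ServerHello
    return outgoing.read()


def parse_client_hello(record: bytes) -> dict:
    """Return the SNI host name and the offered cipher suite code points."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]               # legacy session id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    suites = [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + record[pos]               # compression methods
    (ext_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    end, sni = pos + ext_len, None
    while pos < end:
        ext_type, ext_size = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0:                # server_name: list_len(2), type(1), len(2), name
            (name_len,) = struct.unpack_from("!H", record, pos + 3)
            sni = record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_size
    return {"sni": sni, "cipher_suites": suites}


def check_client_hello(record: bytes, expected_host: str) -> list:
    """Findings for a ClientHello; an empty list means it satisfies the rules
    on this page (SNI present, only listed suites offered)."""
    hello = parse_client_hello(record)
    findings = []
    if hello["sni"] != expected_host:
        findings.append(f"SNI missing or wrong: {hello['sni']!r}")
    for code in hello["cipher_suites"]:
        if code not in SUPPORTED_SUITES and code not in SIGNALLING_SUITES:
            findings.append(f"unsupported cipher suite offered: 0x{code:04X}")
    return findings


if __name__ == "__main__":
    host = "example.com"  # assumed hostname; substitute your account's NetSuite host
    hello = client_hello_bytes(netsuite_client_context(), host)
    parsed = parse_client_hello(hello)
    print("SNI:", parsed["sni"])
    print("offered:", [SUPPORTED_SUITES.get(c, f"0x{c:04X}") for c in parsed["cipher_suites"]])
    print("findings:", check_client_hello(hello, host) or "none")
```

For SuiteAnalytics Connect, which accepts only TLS 1.2 suites, additionally set `ctx.maximum_version = ssl.TLSVersion.TLSv1_2`. OpenSSL adds the renegotiation SCSV (0x00FF) to every ClientHello; it is a signalling value rather than a cipher suite, which is why the check ignores it. Any TLS 1.3 suite beyond the three on the page (for example the CCM suites a platform crypto policy may enable) is reported as a finding.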
Certificate Pinning is Not Supported
Do not use any form of certificate pinning (for example, pinning a certificate or public key in an integration client, or HPKP headers) for any NetSuite service or for access to the NetSuite UI. NetSuite certificates can change at any time and without notice. If you pin a NetSuite certificate, access to NetSuite can be denied after that certificate is changed.