TLS Cipher Updates

Note the following changes to the DEFAULT cipher list.

Oracle recommends the following ciphers, and includes them in the DEFAULT cipher list:

  1. TLS_AES_128_GCM_SHA256
  2. TLS_AES_256_GCM_SHA384
  3. TLS_CHACHA20_POLY1305_SHA256

     Note: TLS_CHACHA20_POLY1305_SHA256 is not supported when Data Integrity is enabled.

  4. TLS_AES_128_CCM_SHA256
  5. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  6. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  7. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  8. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  9. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  10. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

The following ciphers are not supported starting with Release 5.0.0:

  1. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  2. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  5. TLS_RSA_WITH_AES_256_CBC_SHA256
  6. TLS_RSA_WITH_AES_256_GCM_SHA384
  7. TLS_RSA_WITH_AES_128_CBC_SHA256
  8. TLS_RSA_WITH_AES_128_CBC_SHA
  9. TLS_RSA_WITH_AES_128_GCM_SHA256
  10. TLS_AES_128_CCM_8_SHA256
  11. TLS_RSA_WITH_3DES_EDE_CBC_SHA
  12. TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  13. TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  14. TLS_RSA_WITH_AES_256_CBC_SHA
  15. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  16. TLS_RSA_WITH_NULL_SHA256
  17. TLS_RSA_WITH_NULL_SHA
  18. TLS_RSA_WITH_NULL_MD5

To configure TLS ciphers, use the cipher-list attribute in the tls-profile configuration element.
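
An added example (not part of the Oracle documentation) that checks an existing cipher-list value against the two lists above before an upgrade to Release 5.0.0. The function name, the report layout, the sample input, and the treatment of DEFAULT as exactly the ten recommended ciphers are assumptions.

```python
# Added example, not Oracle code. Cipher names are copied from the lists above.
RECOMMENDED = [
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]
UNSUPPORTED = set("""
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_AES_128_CCM_8_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_NULL_SHA TLS_RSA_WITH_NULL_MD5
""".split())
CHACHA20 = "TLS_CHACHA20_POLY1305_SHA256"

def audit_cipher_list(configured, data_integrity=False):
    """Sort configured cipher names into keep / remove / unknown for Release 5.0.0."""
    # Assumption: DEFAULT expands to exactly the ten recommended ciphers.
    names = []
    for raw in configured:
        name = raw.strip().upper()
        names.extend(RECOMMENDED if name == "DEFAULT" else [name])
    report = {"keep": [], "remove": [], "unknown": []}
    for name in dict.fromkeys(n for n in names if n):  # de-duplicate, keep order
        if name in UNSUPPORTED:
            report["remove"].append((name, "not supported from Release 5.0.0"))
        elif name == CHACHA20 and data_integrity:
            report["remove"].append((name, "not supported when Data Integrity is enabled"))
        elif name in RECOMMENDED:
            report["keep"].append(name)
        else:
            report["unknown"].append(name)  # on neither list: check the product docs
    return report

if __name__ == "__main__":
    # Constructed pre-upgrade cipher-list, for illustration only.
    legacy = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
              "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_8_SHA256"]
    for bucket, entries in audit_cipher_list(legacy, data_integrity=True).items():
        print(bucket, entries)
```
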

WARNING:

Starting with the Communications Broker Release 5.0.0, TLS 1.0 and TLS 1.1 are not supported.