SSLCipherSuite Directive

Specifies the SSL cipher suite that the client can use during the SSL handshake. This directive uses either a comma-separated or colon-separated cipher specification string to identify the cipher suite.

SSLCipherSuite accepts the following prefixes on each tag:

  • none (no prefix): Adds the ciphers matching the tag to the list

  • + : Adds the ciphers matching the tag to the list and places them in the correct location in the list

  • - : Removes the ciphers matching the tag from the list (a later tag can add them again)

  • ! : Removes the ciphers matching the tag from the list permanently (no later tag can add them again)

Tags are joined with prefixes to form a cipher specification string. Cipher suite tags are listed in Table G-1.

Note:

Cipher suites that use Rivest Cipher 4 (RC4) and Triple Data Encryption Standard (3DES) algorithms are deprecated from Oracle HTTP Server version 12.2.1.3 onwards due to known security vulnerabilities. These ciphers are removed from the SSLCipherSuite configuration of the default SSL port of Oracle HTTP Server. These ciphers are also removed from all supported cipher aliases except RC4 and 3DES aliases. If Oracle HTTP Server is managed through Enterprise Manager or WebLogic Scripting Tool, you cannot configure these cipher suites through these tools as these tools do not recognize the insecure RC4 and 3DES ciphers.

To provide backward compatibility, Oracle HTTP Server enables the RC4 and 3DES ciphers, if you explicitly add them to the cipher suite configuration. To use these insecure ciphers, edit the SSLCipherSuite directive in your .conf files using a file editor, and then add them to the end of the cipher list.


Table G-1 shows the tags you can use in the string to describe the cipher suite you want.

Example

SSLCipherSuite ALL:!MD5

In this example, all ciphers are specified except MD5 strength ciphers.
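The following is an added example, not code from Oracle HTTP Server or mod_ossl. It models the prefix rules listed above (no prefix, +, -, !), the tags of Table G-1 and the rows of Table G-2, and the rule from the Note that every tag other than the RC4 and 3DES aliases no longer matches RC4/3DES suites, so those suites are enabled only when named explicitly. One assumption is made: a "+" prefix moves already-selected matching suites to the end of the list, which is the OpenSSL convention for "the correct location in the list". The `deprecated_in` helper is the check a reviewer would run over a proposed directive value to see whether it still enables any of the deprecated suites.

```python
"""Resolve an SSLCipherSuite cipher-spec string against Tables G-1 and G-2 (added example)."""
import re
from collections import namedtuple

# name, key exchange, authentication, cipher, key bits, MAC, TLS versions marked "Yes"
Suite = namedtuple("Suite", "name kx auth enc bits mac tls")
ALL_TLS = frozenset({"1.0", "1.1", "1.2"})
TLS12 = frozenset({"1.2"})

# Rows of Table G-2 in table order; 3DES is counted as 168 bits as in that table.
SUITES = [Suite(*r) for r in [
    ("SSL_RSA_WITH_RC4_128_SHA", "RSA", "RSA", "RC4", 128, "SHA", ALL_TLS),
    ("SSL_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", "RSA", "3DES", 168, "SHA", ALL_TLS),
    ("SSL_RSA_WITH_AES_128_CBC_SHA", "RSA", "RSA", "AES-CBC", 128, "SHA", ALL_TLS),
    ("SSL_RSA_WITH_AES_256_CBC_SHA", "RSA", "RSA", "AES-CBC", 256, "SHA", ALL_TLS),
    ("TLS_RSA_WITH_AES_128_CBC_SHA256", "RSA", "RSA", "AES-CBC", 128, "SHA256", TLS12),
    ("TLS_RSA_WITH_AES_256_CBC_SHA256", "RSA", "RSA", "AES-CBC", 256, "SHA256", TLS12),
    ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA", "RSA", "AES-GCM", 128, "SHA256", TLS12),
    ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA", "RSA", "AES-GCM", 256, "SHA384", TLS12),
    ("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "ECDHE", "ECDSA", "AES-CBC", 128, "SHA", ALL_TLS),
    ("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "ECDHE", "ECDSA", "AES-CBC", 256, "SHA", ALL_TLS),
    ("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "ECDHE", "ECDSA", "AES-CBC", 128, "SHA256", TLS12),
    ("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "ECDHE", "ECDSA", "AES-CBC", 256, "SHA384", TLS12),
    ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE", "ECDSA", "AES-GCM", 128, "SHA256", TLS12),
    ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE", "ECDSA", "AES-GCM", 256, "SHA384", TLS12),
    ("TLS_ECDHE_RSA_WITH_RC4_128_SHA", "ECDHE", "RSA", "RC4", 128, "SHA", ALL_TLS),
    ("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "ECDHE", "RSA", "3DES", 168, "SHA", ALL_TLS),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE", "RSA", "AES-CBC", 128, "SHA", ALL_TLS),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE", "RSA", "AES-CBC", 256, "SHA", ALL_TLS),
    ("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "ECDHE", "ECDSA", "RC4", 128, "SHA", ALL_TLS),
    ("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "ECDHE", "ECDSA", "3DES", 168, "SHA", ALL_TLS),
    ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE", "RSA", "AES-GCM", 256, "SHA384", TLS12),
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE", "RSA", "AES-GCM", 128, "SHA256", TLS12),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "ECDHE", "RSA", "AES-CBC", 256, "SHA384", TLS12),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "ECDHE", "RSA", "AES-CBC", 128, "SHA256", TLS12),
]]

DEPRECATED_ENC = {"RC4", "3DES"}   # deprecated from 12.2.1.3 onwards per the Note

# Tags from Table G-1, plus ALL and MD5 as used in the page's own example.
TAGS = {
    "ALL": lambda s: True,
    "MD5": lambda s: s.mac == "MD5",   # no Table G-2 suite uses MD5, so !MD5 removes nothing
    "kRSA": lambda s: s.kx == "RSA",
    "kECDHE": lambda s: s.kx == "ECDHE",
    "aRSA": lambda s: s.auth == "RSA",
    "3DES": lambda s: s.enc == "3DES",
    "RC4": lambda s: s.enc == "RC4",
    "SHA": lambda s: s.mac == "SHA",
    "SHA256": lambda s: s.mac == "SHA256",
    "SHA384": lambda s: s.mac == "SHA384",
    "TLSv1": lambda s: "1.0" in s.tls,
    "TLSv1.1": lambda s: "1.1" in s.tls,
    "TLSv1.2": lambda s: "1.2" in s.tls,
    "MEDIUM": lambda s: s.bits == 128,
    "HIGH": lambda s: s.bits > 128,
    "AES": lambda s: s.enc.startswith("AES"),
    "RSA": lambda s: s.kx == "RSA" and s.auth == "RSA",
    "ECDSA": lambda s: s.auth == "ECDSA",
    "ECDHE": lambda s: s.kx == "ECDHE",
    "AES-GCM": lambda s: s.enc == "AES-GCM",
}


def resolve(spec, suites=SUITES):
    """Return the ordered list of suites that a cipher-spec string enables."""
    selected, banned = [], set()
    for token in re.split(r"[,:]", spec):      # comma- or colon-separated
        token = token.strip()
        if not token:
            continue
        prefix, tag = (token[0], token[1:]) if token[0] in "+-!" else ("", token)
        if tag not in TAGS:
            raise ValueError(f"unknown cipher tag: {tag!r}")
        matched = [s for s in suites if TAGS[tag](s)]
        if tag not in DEPRECATED_ENC:  # only the RC4 and 3DES aliases still match those suites
            matched = [s for s in matched if s.enc not in DEPRECATED_ENC]
        if prefix == "":     # add at the end, keeping what is already selected
            selected += [s for s in matched if s not in selected and s not in banned]
        elif prefix == "+":  # assumption: reorder only, moving selected matches to the end
            selected = [s for s in selected if s not in matched] + [s for s in selected if s in matched]
        elif prefix == "-":  # remove now; a later tag may add the suite again
            selected = [s for s in selected if s not in matched]
        else:                # "!": remove and forbid any later tag from re-adding
            banned.update(matched)
            selected = [s for s in selected if s not in matched]
    return selected


def names(spec):
    """Cipher suite names enabled by spec, in the order the list ends up in."""
    return [s.name for s in resolve(spec)]


def deprecated_in(spec):
    """Audit helper: the RC4/3DES suites a directive value would still enable."""
    return [s.name for s in resolve(spec) if s.enc in DEPRECATED_ENC]
```

With this model, `names("ALL:!MD5")` yields the same 18 suites as the Default value shown below, `deprecated_in("ALL")` is empty, and only a value that names RC4 or 3DES explicitly, such as `ALL:RC4,3DES`, brings the six deprecated suites back.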

Syntax

SSLCipherSuite cipher-spec

Default

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA

Table G-1 SSLCipherSuite Tags

Function        Tag       Meaning
Key exchange    kRSA      RSA key exchange
Key exchange    kECDHE    Elliptic curve Diffie–Hellman Exchange key exchange
Authentication  aRSA      RSA authentication
Encryption      3DES      Triple DES encryption
Encryption      RC4       RC4 encryption
Data Integrity  SHA       SHA hash function
Data Integrity  SHA256    SHA256 hash function
Data Integrity  SHA384    SHA384 hash function
Aliases         TLSv1     All TLS version 1 ciphers
Aliases         TLSv1.1   All TLS version 1.1 ciphers
Aliases         TLSv1.2   All TLS version 1.2 ciphers
Aliases         MEDIUM    All ciphers with 128-bit encryption
Aliases         HIGH      All ciphers with encryption key size greater than 128 bits
Aliases         AES       All ciphers using AES encryption
Aliases         RSA       All ciphers using RSA for both authentication and key exchange
Aliases         ECDSA     All ciphers using Elliptic Curve Digital Signature Algorithm for authentication
Aliases         ECDHE     All ciphers using Elliptic curve Diffie–Hellman Exchange for key exchange
Aliases         AES-GCM   All ciphers that use Advanced Encryption Standard in Galois/Counter Mode (GCM) for encryption

Table G-2 lists the Cipher Suites supported in Oracle Advanced Security 12c (12.2.1).

Note:

When using mod_ossl on a Solaris Sparc platform, the underlying cryptographic libraries detect the Sparc T4 processor and make use of the on-core cryptography algorithms that accelerate cryptographic operations. No configuration is required to enable this feature. The following cryptographic algorithms are supported by the Oracle Sparc Enterprise T-series processors: RSA, 3DES, AES-CBC, AES-GCM, SHA1, SHA256, and SHA384.

Table G-2 Cipher Suites Supported in Oracle Advanced Security 12.2.1

Cipher Suite                              Key Exchange                          Authentication  Encryption  Data Integrity  TLS v1  TLS v1.1  TLS v1.2
SSL_RSA_WITH_RC4_128_SHA                  RSA                                   RSA             RC4 (128)   SHA             Yes     Yes       Yes
SSL_RSA_WITH_3DES_EDE_CBC_SHA             RSA                                   RSA             3DES (168)  SHA             Yes     Yes       Yes
SSL_RSA_WITH_AES_128_CBC_SHA              RSA                                   RSA             AES (128)   SHA             Yes     Yes       Yes
SSL_RSA_WITH_AES_256_CBC_SHA              RSA                                   RSA             AES (256)   SHA             Yes     Yes       Yes
TLS_RSA_WITH_AES_128_CBC_SHA256           RSA                                   RSA             AES (128)   SHA256          No      No        Yes
TLS_RSA_WITH_AES_256_CBC_SHA256           RSA                                   RSA             AES (256)   SHA256          No      No        Yes
TLS_RSA_WITH_AES_128_GCM_SHA256           RSA                                   RSA             AES (128)   SHA256          No      No        Yes
TLS_RSA_WITH_AES_256_GCM_SHA384           RSA                                   RSA             AES (256)   SHA384          No      No        Yes
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA      ECDHE                                 ECDSA           AES (128)   SHA             Yes     Yes       Yes
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA      ECDHE                                 ECDSA           AES (256)   SHA             Yes     Yes       Yes
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   ECDHE                                 ECDSA           AES (128)   SHA256          No      No        Yes
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   ECDHE                                 ECDSA           AES (256)   SHA384          No      No        Yes
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   ECDHE                                 ECDSA           AES (128)   SHA256          No      No        Yes
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   ECDHE                                 ECDSA           AES (256)   SHA384          No      No        Yes
TLS_ECDHE_RSA_WITH_RC4_128_SHA            Ephemeral ECDH with RSA signatures    RSA             RC4 (128)   SHA             Yes     Yes       Yes
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA       Ephemeral ECDH with RSA signatures    RSA             3DES        SHA             Yes     Yes       Yes
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA        Ephemeral ECDH with RSA signatures    RSA             AES (128)   SHA             Yes     Yes       Yes
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA        Ephemeral ECDH with RSA signatures    RSA             AES (256)   SHA             Yes     Yes       Yes
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA          Ephemeral ECDH with ECDSA signatures  ECDSA           RC4 (128)   SHA             Yes     Yes       Yes
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA     Ephemeral ECDH with ECDSA signatures  ECDSA           3DES        SHA             Yes     Yes       Yes
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     Ephemeral ECDH with RSA signatures    RSA             AES (256)   SHA384          No      No        Yes
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     Ephemeral ECDH with RSA signatures    RSA             AES (128)   SHA256          No      No        Yes
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     Ephemeral ECDH with RSA signatures    RSA             AES (256)   SHA384          No      No        Yes
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     Ephemeral ECDH with RSA signatures    RSA             AES (128)   SHA256          No      No        Yes