Specifies the SSL cipher suite that the client can use during the SSL handshake. This directive uses either a comma-separated or colon-separated cipher specification string to identify the cipher suite.
SSLCipherSuite accepts the following prefixes:
none: Adds the cipher to the list
+ : Adds the cipher to the list and places it in the correct location in the list
- : Removes the cipher from the list (can be added later)
! : Removes the cipher from the list permanently
Tags are joined with prefixes to form a cipher specification string. Cipher suite tags are listed in Table G-1.
Note:
Cipher suites that use Rivest Cipher 4 (RC4) and Triple Data Encryption Standard (3DES) algorithms are deprecated from Oracle HTTP Server version 12.2.1.3 onwards due to known security vulnerabilities. These ciphers are removed from the SSLCipherSuite configuration of the default SSL port of Oracle HTTP Server. These ciphers are also removed from all supported cipher aliases except RC4 and 3DES aliases. If Oracle HTTP Server is managed through Enterprise Manager or WebLogic Scripting Tool, you cannot configure these cipher suites through these tools as these tools do not recognize the insecure RC4 and 3DES ciphers.
To provide backward compatibility, Oracle HTTP Server enables the RC4 and 3DES ciphers if you explicitly add them to the cipher suite configuration. To use these insecure ciphers, edit the SSLCipherSuite directive in your .conf files using a file editor, and then add them to the end of the cipher list.
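The following resolver is an added example, not code from Oracle HTTP Server or mod_ossl: it applies the four prefixes described above (no prefix, `+`, `-`, `!`) to a comma- or colon-separated specification string and then reports which of the deprecated RC4/3DES suites a given string still leaves enabled. The suite catalogue and the tag spellings (kRSA, aRSA, AES, SHA256, the ALL alias) are constructed for illustration, since the Tag column of Table G-1 is not present on this page, and `+` is modelled as "move the matching entries to the end of the list", the usual cipher-string convention.

```python
"""Resolver for an SSLCipherSuite-style cipher specification string.

Added example, not Oracle HTTP Server code.  The catalogue, the tag names
and the ALL alias are constructed/assumed; '+' is assumed to move the
already-listed matches to the end of the list.
"""
import re

# Constructed catalogue: suite name -> tags that select it.  Dict order is
# the order in which suites are appended when a tag first selects them.
CATALOGUE = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": {"kECDHE", "aRSA", "AES", "AESGCM", "SHA384", "TLSv1.2"},
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": {"kECDHE", "aRSA", "AES", "SHA1", "TLSv1"},
    "TLS_RSA_WITH_AES_128_GCM_SHA256": {"kRSA", "aRSA", "AES", "AESGCM", "SHA256", "TLSv1.2"},
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": {"kRSA", "aRSA", "3DES", "SHA1", "TLSv1"},
    "SSL_RSA_WITH_RC4_128_MD5": {"kRSA", "aRSA", "RC4", "MD5", "TLSv1"},
}
DEPRECATED_TAGS = {"RC4", "3DES"}  # deprecated per the note above


def _matches(tag):
    """Suites (in catalogue order) selected by one tag; ALL selects everything."""
    return [s for s, tags in CATALOGUE.items() if tag == "ALL" or tag in tags]


def resolve(spec):
    """Apply the none / + / - / ! prefixes of a comma- or colon-separated
    spec string and return the resulting ordered list of suites."""
    enabled, killed = [], set()
    for token in filter(None, re.split(r"[,:]", spec)):
        prefix, tag = (token[0], token[1:]) if token[0] in "+-!" else ("", token)
        hits = _matches(tag)
        if prefix == "":            # add, unless permanently removed earlier
            enabled += [s for s in hits if s not in enabled and s not in killed]
        elif prefix == "+":         # already-listed matches move to the end
            moved = [s for s in enabled if s in hits]
            enabled = [s for s in enabled if s not in hits] + moved
        elif prefix == "-":         # drop now; a later token may re-add
            enabled = [s for s in enabled if s not in hits]
        else:                       # '!' drops and blocks any later re-add
            killed.update(hits)
            enabled = [s for s in enabled if s not in hits]
    return enabled


def deprecated_enabled(spec):
    """Suites left enabled by `spec` that use the deprecated RC4/3DES algorithms."""
    return [s for s in resolve(spec) if CATALOGUE[s] & DEPRECATED_TAGS]
```

Running `deprecated_enabled` over the SSLCipherSuite value of each .conf file is a quick way to confirm that no backward-compatibility entry has reintroduced RC4 or 3DES.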
Table 11–2 shows the tags you can use in the string to describe the cipher suite you want.
Category | Value |
---|---|
Example | In this example, all ciphers are specified except MD5 strength ciphers. |
Syntax | |
Default | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA |
Table G-1 SSLCipherSuite Tags
Function | Tag | Meaning |
---|---|---|
Key exchange | | |
Key exchange | | Elliptic curve Diffie–Hellman Exchange key exchange |
Authentication | | |
Encryption | | Triple DES (3DES) encryption |
Encryption | | |
Data Integrity | | |
Data Integrity | | SHA256 hash function |
Data Integrity | | SHA384 hash function |
Aliases | | All TLS version 1 ciphers |
Aliases | | All TLS version 1.1 ciphers |
Aliases | | All TLS version 1.2 ciphers |
Aliases | | All ciphers with 128-bit encryption |
Aliases | | All ciphers with encryption key size greater than 128 bits |
Aliases | | All ciphers using AES encryption |
Aliases | | All ciphers using RSA for both authentication and key exchange |
Aliases | | All ciphers using Elliptic Curve Digital Signature Algorithm for authentication |
Aliases | | All ciphers using Elliptic curve Diffie–Hellman Exchange for key exchange |
Aliases | | All ciphers that use Advanced Encryption Standard in Galois/Counter Mode (GCM) for encryption. |
Table G-2 lists the Cipher Suites supported in Oracle Advanced Security 12c (12.2.1).
Note:
When using mod_ossl on a Solaris Sparc platform, the underlying cryptographic libraries detect the Sparc T4 processor and make use of the on-core cryptography algorithms that accelerate cryptographic operations. No configuration is required to enable this feature. The following cryptographic algorithms are supported by the Oracle Sparc Enterprise T-series processors: RSA, 3DES, AES-CBC, AES-GCM, SHA1, SHA256, and SHA384.
Table G-2 Cipher Suites Supported in Oracle Advanced Security 12.2.1
Cipher Suite | Key Exchange | Authentication | Encryption | Data Integrity | TLS v1 | TLS v1.1 | TLS v1.2 |
---|---|---|---|---|---|---|---|
 | RSA | | | | Yes | Yes | Yes |
 | RSA | | | | Yes | Yes | Yes |
 | RSA | | | | Yes | Yes | Yes |
 | RSA | | | | Yes | Yes | Yes |
 | RSA | | | | No | No | Yes |
 | RSA | | | | No | No | Yes |
 | RSA | | | | No | No | Yes |
 | RSA | | | | No | No | Yes |
 | ECDHE | | | | Yes | Yes | Yes |
 | ECDHE | | | | Yes | Yes | Yes |
 | ECDHE | | | | No | No | Yes |
 | ECDHE | | | | No | No | Yes |
 | ECDHE | | | | No | No | Yes |
 | ECDHE | | | | No | No | Yes |
 | Ephemeral | | | | Yes | Yes | Yes |
 | Ephemeral | | | | Yes | Yes | Yes |
 | Ephemeral | | | | Yes | Yes | Yes |
 | Ephemeral | | | | Yes | Yes | Yes |
 | Ephemeral | | | | Yes | Yes | Yes |
 | Ephemeral | | | | Yes | Yes | Yes |
 | Ephemeral ECDH with RSA signatures | RSA | | | No | No | Yes |
 | Ephemeral | RSA | | | No | No | Yes |
 | Ephemeral | RSA | | | No | No | Yes |
 | Ephemeral | RSA | | | No | No | Yes |