SSLCipherSuite Directive

Specifies the SSL cipher suite that the client can use during the SSL handshake. This directive uses either a comma-separated or colon-separated cipher specification string to identify the cipher suite.

SSLCipherSuite accepts the following prefixes:

none: Adds the cipher to the list
+ : Adds the cipher to the list and places it in the correct location in the list
- : Removes the cipher from the list (can be added later)
! : Removes the cipher from the list permanently

Tags are joined with prefixes to form a cipher specification string. Cipher suite tags are listed in Table G-1.

Note:

Cipher suites that use Rivest Cipher 4 (RC4) and Triple Data Encryption Standard (3DES) algorithms are deprecated from Oracle HTTP Server version 12.2.1.3 onwards due to known security vulnerabilities. These ciphers are removed from the SSLCipherSuite configuration of the default SSL port of Oracle HTTP Server. These ciphers are also removed from all supported cipher aliases except RC4 and 3DES aliases. If Oracle HTTP Server is managed through Enterprise Manager or WebLogic Scripting Tool, you cannot configure these cipher suites through these tools as these tools do not recognize the insecure RC4 and 3DES ciphers.

To provide backward compatibility, Oracle HTTP Server enables the RC4 and 3DES ciphers, if you explicitly add them to the cipher suite configuration. To use these insecure ciphers, edit the SSLCipherSuite directive in your .conf files using a file editor, and then add them to the end of the cipher list.

Table 11–2 shows the tags you can use in the string to describe the cipher suite you want.

Category Value

Category	Value
Example	`SSLCipherSuite` `ALL:!MD5` In this example, all ciphers are specified except MD5 strength ciphers.
Syntax	`SSLCipherSuite` `cipher-spec`
Default	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA

Example

SSLCipherSuite ALL:!MD5

In this example, all ciphers are specified except MD5 strength ciphers.

Syntax

SSLCipherSuite cipher-spec

Default

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,

TLS_RSA_WITH_AES_256_GCM_SHA384,

TLS_RSA_WITH_AES_128_GCM_SHA256,

TLS_RSA_WITH_AES_256_CBC_SHA256,

TLS_RSA_WITH_AES_128_CBC_SHA256,

SSL_RSA_WITH_AES_256_CBC_SHA,

SSL_RSA_WITH_AES_128_CBC_SHA

Table G-1 SSLCipher Suite Tags

Function	Tag	Meaning
Key exchange	`kRSA`	`RSA` key exchange
Key exchange	`kECDHE`	Elliptic curve Diffie–Hellman Exchange key exchange
Authentication	`aRSA`	`RSA` authentication
Encryption	`3DES`	Triple `DES` encoding
Encryption	`RC4`	`RC4` encoding
Data Integrity	`SHA`	`SHA` hash function
Data Integrity	`SHA256`	SHA256 hash function
Data Integrity	`SHA384`	SHA384 hash function
Aliases	`TLSv1`	All TLS version 1 ciphers
Aliases	`TLSv1.1`	All TLS version 1.1 ciphers
Aliases	`TLSv1.2`	All TLS version 1.2 ciphers
Aliases	`MEDIUM`	All ciphers with 128-bit encryption
Aliases	`HIGH`	All ciphers with encryption key size greater than 128 bits
Aliases	`AES`	All ciphers using AES encryption
Aliases	`RSA`	All ciphers using RSA for both authentication and key exchange
Aliases	`ECDSA`	All ciphers using Elliptic Curve Digital Signature Algorithm for authentication
Aliases	`ECDHE`	All ciphers using Elliptic curve Diffie–Hellman Exchange for key exchange
Aliases	`AES-GCM`	All ciphers that use Advanced Encryption Standard in Galois/Counter Mode (GCM) for encryption.

Table G-2 lists the Cipher Suites supported in Oracle Advanced Security 12c (12.2.1).

Note:

When using mod_ossl on a Solaris Sparc platform, the underlying cryptographic libraries detect the Sparc T4 processor, and makes use of the on-core cryptography algorithms that accelerate cryptographic operations. No configuration is required to enable this feature. The following cryptographic algorithms are supported by the Oracle Sparc Enterprise T-series processors: RSA, 3DES, AES-CBC, AES-GCM, SHA1, SHA256, and SHA38.

Table G-2 Cipher Suites Supported in Oracle Advanced Security 12.2.1

Cipher Suite	Key Exchange	Authentication	Encryption	Data Integrity	TLS v1	TLS v1.1	TLS v1.2
`SSL_RSA_WITH_RC4_128_SHA`	RSA	`RSA`	`RC4 (128)`	`SHA`	Yes	Yes	Yes
`SSL_RSA_WITH_3DES_EDE_CBC_SHA`	RSA	`RSA`	`3DES (168)`	`SHA`	Yes	Yes	Yes
`SSL_RSA_WITH_AES_128_CBC_SHA`	RSA	`RSA`	`AES (128`)	`SHA`	Yes	Yes	Yes
`SSL_RSA_WITH_AES_256_CBC_SHA`	RSA	`RSA`	`AES (256`)	`SHA`	Yes	Yes	Yes
`TLS_RSA_WITH_AES_128_CBC_SHA256`	RSA	`RSA`	`AES (128`)	`SHA256`	No	No	Yes
`TLS_RSA_WITH_AES_256_CBC_SHA256`	RSA	`RSA`	`AES (256)`	`SHA256`	No	No	Yes
`TLS_RSA_WITH_AES_128_GCM_SHA256`	RSA	`RSA`	`AES (128)`	`SHA256`	No	No	Yes
`TLS_RSA_WITH_AES_256_GCM_SHA384`	RSA	`RSA`	`AES (256)`	`SHA384`	No	No	Yes
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`	ECDHE	`ECDSA`	`AES (128)`	`SHA`	Yes	Yes	Yes
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`	ECDHE	`ECDSA`	`AES (256)`	`SHA`	Yes	Yes	Yes
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`	ECDHE	`ECDSA`	`AES (128)`	`SHA256`	No	No	Yes
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`	ECDHE	`ECDSA`	`AES (256)`	`SHA384`	No	No	Yes
`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`	ECDHE	`ECDSA`	`AES (128)`	`SHA256`	No	No	Yes
`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`	ECDHE	`ECDSA`	`AES (256)`	`SHA384`	No	No	Yes
`TLS_ECDHE_RSA_WITH_RC4_128_SHA`	Ephemeral `ECDH` with `RSA` signatures	`RSA`	`RC4 (128)`	`SHA`	Yes	Yes	Yes
`TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`	Ephemeral `ECDH` with `RSA` signatures	`RSA`	`3DES`	`SHA`	Yes	Yes	Yes
`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`	Ephemeral `ECDH` with `RSA` signatures	`RSA`	`AES (128)`	`SHA`	Yes	Yes	Yes
`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`	Ephemeral `ECDH` with `RSA` signatures	`RSA`	`AES (256)`	`SHA`	Yes	Yes	Yes
`TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`	Ephemeral `ECDH` with `ECDSA` signatures	`ECDSA`	`RC4 (128)`	`SHA`	Yes	Yes	Yes
`TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA`	Ephemeral `ECDH` with `ECDSA` signatures	`ECDSA`	`3DES`	`SHA`	Yes	Yes	Yes
`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`	Ephemeral ECDH with RSA signatures	RSA	`AES (256)`	`SHA384`	No	No	Yes
`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`	Ephemeral `ECDH` with `RSA` signatures	RSA	`AES (128)`	`SHA256`	No	No	Yes
`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`	Ephemeral `ECDH` with `RSA` signatures	RSA	`AES (256)`	`SHA384`	No	No	Yes
`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`	Ephemeral `ECDH` with `RSA` signatures	RSA	`AES (128)`	`SHA256`	No	No	Yes