This article contains information on Cipher Suites, detailing the algorithms used for securing network connections via TLS/SSL, and lists various cipher groups with their respective strengths and configurations.
A cipher suite is a set of algorithms that secure a network connection using Transport Layer Security (TLS) or Secure Socket Layer (SSL). Each set of algorithms usually contains:
- Key exchange algorithm: This is used to exchange a key between two devices and encrypt/decrypt messages sent between them.
- Bulk encryption algorithm: This is used to encrypt the data being sent.
- Message Authentication Code (MAC) algorithm: This provides data integrity checks to ensure the data sent doesn't change in transit.
Cipher Suites can also include signatures and an authentication algorithm to help authenticate the server and/or client (including SMTP submission). There are many cipher suites containing different combinations of these algorithms.
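The components described above can be read straight out of a suite's name. The following is an added example, not part of the original article or the vendor's tooling: it splits names of the form used in the tables on this page into their parts and lists components that are generally regarded as weak. The function names and the weakness labels are assumptions made for this illustration, not the vendor's own grading.

```python
import re

# Naming scheme used by every suite on this page (TLS 1.2 and earlier):
#   <TLS|SSL>_<key exchange>[_<authentication>][_EXPORT]_WITH_<bulk cipher>_<hash>
SUITE = re.compile(
    r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<hash>SHA384|SHA256|SHA|MD5)$")

def parse_suite(name):
    """Split a suite name into the components the article describes."""
    m = SUITE.match(name)
    if m is None:
        # e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV: a signalling value, no algorithms
        raise ValueError(f"no key-exchange/cipher/hash structure: {name}")
    kx = [p for p in m["kx"].split("_") if p != "EXPORT"]
    return {
        "key_exchange": kx[0],
        # A single token (TLS_RSA_...) means RSA does both jobs.
        "authentication": kx[-1],
        "bulk_cipher": m["enc"],
        # For GCM suites this hash feeds the PRF; GCM itself provides integrity.
        "hash": m["hash"],
        "export": "EXPORT" in m["kx"].split("_"),
    }

def weaknesses(name):
    """Return known-weak components of a suite (empty list: none found)."""
    s, found = parse_suite(name), []
    if s["authentication"] == "anon":
        found.append("no authentication")
    elif s["key_exchange"] not in ("DHE", "ECDHE"):
        found.append("no forward secrecy")
    if s["export"]:
        found.append("export-grade keys")
    enc = s["bulk_cipher"]
    if enc.startswith("RC4"):
        found.append("RC4")
    elif enc.startswith("3DES"):
        found.append("3DES")
    elif enc.startswith("DES"):
        found.append("DES")
    if s["hash"] == "MD5":
        found.append("MD5")
    return found

# Names taken from the tables on this page.
for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
              "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5"):
    print(suite, "->", weaknesses(suite) or "none")
```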
Cipher Suites
Some cipher suites offer better security than others. We've provided a list below of the ciphers we may use depending on your configuration. The list is displayed with the strongest cipher suites listed at the top and the weakest at the bottom. If a cipher group has multiple ciphers, the first cipher in the group is chosen first.
You won't have all the cipher groups enabled, as this depends on the functionality enabled on your account. For example, the ciphers in the gcmPFSCiphers cipher group are stronger than those in the pfsCiphers cipher group. However, as the gcmPFSCiphers cipher group is optional depending on your configuration, the strongest cipher by default is TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA. This is the first cipher in the pfsCiphers cipher group.
gcmPFSCiphers
| Ciphers | Enabled | Optional | Comments |
|---|---|---|---|
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | No | Yes | These ciphers could be enabled depending on your account's functionality. |
pfsCiphers
| Ciphers | Enabled | Optional | Comments |
|---|---|---|---|
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | Yes | No | |
gcmVeryStrongCiphers
| Ciphers | Enabled | Optional | Comments |
|---|---|---|---|
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | No | Yes | These ciphers could be enabled depending on your account's functionality. |
veryStrongCiphers
| Ciphers | Enabled | Optional | Comments |
|---|---|---|---|
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | Yes | No | |
gcmStrongCiphers
| Ciphers | Enabled | Optional | Comments |
|---|---|---|---|
| TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 | No | Yes | These ciphers could be enabled depending on your account's functionality. |
strongCiphers
| Ciphers | Enabled | Optional | Comments |
|---|---|---|---|
| TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA | Yes | No | |
mediumCiphers
| Ciphers | Enabled | Optional | Comments |
|---|---|---|---|
| SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA | No | Yes | These ciphers could be enabled in compatibility mode. |
beastMitigationCiphers
| Ciphers | Enabled | Optional | Comments |
|---|---|---|---|
| SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5 | No | Yes | These ciphers could be enabled in compatibility mode. |
weakCiphers
| Ciphers | Enabled | Optional | Comments |
|---|---|---|---|
| SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | No | Yes | These ciphers could be enabled in compatibility mode. |
anonCiphers
| Ciphers | Enabled | Optional | Comments |
|---|---|---|---|
| TLS_ECDH_anon_WITH_AES_256_CBC_SHA TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS_ECDH_anon_WITH_RC4_128_SHA TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA TLS_DH_anon_WITH_AES_256_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_RC4_128_MD5 SSL_DH_anon_WITH_DES_CBC_SHA SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA | No | Yes | These ciphers could be enabled depending on your account's configuration. |
renegotiationCiphers
| Ciphers | Enabled | Optional | Comments |
|---|---|---|---|
| TLS_EMPTY_RENEGOTIATION_INFO_SCSV | Yes | No | |
National Cyber Security Centre Ciphers (UK Government Compliance)
| Ciphers | Enabled | Optional | Comments |
|---|---|---|---|
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | Yes | No | These ciphers conform to the Securing Government Email guidance issued by the National Cyber Security Centre (NCSC). |