SSL Cipher Suites
  • 07 Jan 2025
  • 5 Minutes à lire
  • Sombre
    Lumière
  • PDF

SSL Cipher Suites

  • Sombre
    Lumière
  • PDF

The content is currently unavailable in French. You are viewing the default English version.
Résumé de l’article

SSL cipher suites can be used with SOAP and SEAL communicator modules. OneSpan Authentication Server supports SSL cipher suites defined under the security level labels Custom, Very High, High, Medium, and Low.

The security levels are applied to the following communication protocols:

  • SOAP
  • SEAL
  • RADIUS (RADIUS/EAP-TTLS and RADIUS/PEAP only)
Table: Cryptographic protocols supported in different cipher suite security levels
SSL cipher suite security levelCryptographic protocol support
TLSv1TLSv1.1TLSv1.2TLSv1.3
Very High
High
Medium
Low
Custom

Default security levels for SSL cipher suites

For each communication interface of OneSpan Authentication Server, the SSL cipher suite security level is set by default (see Table: Default SSL cipher suite security levels for communication interfaces).

Table:  Default SSL cipher suite security levels for communication interfaces
OneSpan Authentication Server communication interfaceDefault security level of SSL cipher suite
OneSpan Authentication Server SOAP CommunicatorVery High
OneSpan Authentication Server SEAL Communicator with SSL/TLSVery High
OneSpan Authentication Server RADIUS CommunicatorMedium
OneSpan Authentication Server Live Audit Connection (SEAL)Very High
Message Delivery Component (SEAL)Very High

You can configure a communicator module that is enabled with SSL/TLS to use an SSL cipher security level other than the default level and select either Very High, High, Medium, or Low, via the Configuration Utility. To do so, launch the Configuration Utility and navigate to Communicators. There, each communicator module (SOAP, RADIUS, SEAL) has its own tab where you can select an option from the SSL Cipher Suite Security Level drop-down list. Alternatively, you can set this same setting via the Administration Web Interface.

To configure SSL cipher suite security level via the Administration Web Interface

  1. Navigate to SYSTEM > Server Configuration.
  2. Select the Communicators tab.
  3. Click EDIT.
  4. Expand the communicator module you wish to configure, then select an option from its SSL Cipher Suite Security Level drop-down list.
  5. Click SAVE.

You can also set the SSL cipher suite security level for the Message Delivery Component (MDC). For more information, see Using the MDC Configuration Utility.

Custom SSL cipher suites

A custom list of cipher suites can be defined specifically for OneSpan Authentication Server. The format of the list is defined by OpenSSL.

Each lower security level contains the cipher suites of every higher level, too. In the following table, only the cipher suites specific to each level are listed.

The cipher suite security levels define rules which protocols, protocol versions, and algorithms are allowed for a specific level, the resulting cipher lists depend on the OpenSSL library. This means that even if a higher cipher suite level defines stricter rules than a lower one, the applicable ciphers may be the same.

For instance, Very High is stricter than High, but effectively both levels allow the same ciphers. In that case, it does not make a difference, which cipher suite security level you select. The same is true for Medium and Low.

Table: Supported SSL cipher suites
Cipher suiteProtocolKey exchangeAuthenti­cationEncryptionMAC
Security Level: VERY_HIGH, HIGH
TLS_AES_256_GCM_SHA384TLSv1.3AnyAnyAESGCM(256)AEAD
TLS_CHACHA20_POLY1305_SHA256TLSv1.3AnyAnyCHACHA20 POLY1305(256)AEAD
TLS_AES_128_GCM_SHA256TLSv1.3AnyAnyAESGCM(128)AEAD
ECDHE-RSA-AES128-GCM-SHA256TLSv1.2ECDHRSAAESGCM(128)AEAD
AES128-GCM-SHA256TLSv1.2RSARSAAESGCM(128)AEAD
ECDHE-RSA-AES256-GCM-SHA384TLSv1.2ECDHRSAAESGCM(256)AEAD
AES256-GCM-SHA384TLSv1.2RSARSAAESGCM(256)AEAD
Security Level: MEDIUM, LOW
ECDHE-RSA-AES128-SHA256TLSv1.2ECDHRSAAES(128)SHA256
ECDHE-RSA-AES128-SHATLSv1.2, TLSv1.1, TLSv1ECDHRSAAES(128)SHA1
AES128-CCM8TLSv1.2RSARSAAESCCM8(128)AEAD
AES128-CCMTLSv1.2RSARSAAESCCM(128)AEAD
AES128-SHA256TLSv1.2RSARSAAES(128)SHA256
AES128-SHATLSv1.2, TLSv1.1, TLSv1RSARSAAES(128)SHA1
ECDHE-RSA-AES256-SHA384TLSv1.2ECDHRSAAES(256)SHA384
ECDHE-RSA-AES256-SHATLSv1.2, TLSv1.1, TLSv1ECDHRSAAES(256)SHA1
AES256-CCM8TLSv1.2RSARSAAESCCM8(256)AEAD
AES256-CCMTLSv1.2RSARSAAESCCM(256)AEAD
AES256-SHA256TLSv1.2RSARSAAES(256)SHA256
AES256-SHATLSv1.2, TLSv1.1, TLSv1RSARSAAES(256)SHA1

You can configure SSL to use one or multiple cipher suites from this list. Custom cipher suites are configured via the identikeyconfig.xml file, located at:

/etc/vasco/ias (Linux)

%PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin (Windows)

To configure SSL to use a custom cipher suite (via identikeyconfig.xml)

  1. Open the OneSpan Authentication Server configuration file, i.e. identikeyconfig.xml.
  2. Locate the settings group for the communicator module for which you want to specify a custom SSL cipher suite.
  3. Within that settings group, locate the <SSL> settings group. Custom cipher suite settings (along with all other SSL settings) are defined here.
  4. For Message Delivery Component, SEAL, RADIUS, or SOAP connections, specify the SSL cipher suite in the data attribute of the Supported-Cipher-Suite setting. For Live Audit Connections, specify the custom SSL cipher suite in the data attribute of the SecurityLevelsetting instead.

    For all types of connections, you can specify multiple cipher suites by listing them and separating them via colons.

The following example shows SEAL communicator module SSL details for a Windows system. The only difference with the configuration for a Linux system would be the directory paths:

 

<SealCommunicator>
  <Enabled type="bool" data="true" />
  <Display-Name type="string" data="" />
  <Library-Path type="string" data="%PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin\ikcommseal.dll" />
  <DPX-Upload-Location type="string" data="%PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\dpx\" />
  <IP-Address type="string" data="10.2.12.9" />
  <IP-Port type="unsigned" data="20004" />
  <SSL>
    <Enabled type="bool" data="true" />
    <Server-Certificate type="string" data="%PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin\ikey_seal_cert.pem" />
    <Private-Key-Password type="string" data="ld90DH_oRgPsA6QGlaeVXx8=" />
    <CA-Certificate-Store type="string" data="" />
    <Client-Authentication-Method type="string" data="none" />
    <Reverify-Client-On-Reconnect type="bool" data="false" />
    <Supported-Cipher-Suite type="string" data="HIGH" />
    <Learn-Certificates type="bool" data="true" />
    <ServerCertificate />
    <ClientCertVerification />
  </SSL>
  <Require-Client-Component type="bool" data="false" />
  <DNS-Target type="bool" data="true" />
</SealCommunicator>

The tags and structure of the SSL settings here are similar to those used by RADIUS, SOAP, and MDC. The following example shows a sample SSL configuration for Live Audit Connection:

 

<Profile04>
  <Enabled type="bool" data="true" />
  <Type type="string" data="live" />
  <Display-Name type="string" data="Live Audit Viewer" />
  <Fail-On-Error type="bool" data="false" />
  <Unhandled-Only type="bool" data="false" />
  <Error type="bool" data="true" />
  <Warning type="bool" data="true" />
  <Info type="bool" data="true" />
  <Success type="bool" data="true" />
  <Failure type="bool" data="true" />
  <Plugincfg>
    <IP-Address type="string" data="10.2.12.9" />
    <Server-Port type="unsigned" data="20006" />
    <Auth-Timeout type="unsigned" data="60" />
    <Max-Connections type="unsigned" data="3" />
    <SSL>
      <Enabled type="bool" data="true" />
      <SecurityLevel type="string" data="HIGH" />
      <ServerCertificate>
        <CertFile type="string" data="%PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin\ikey_audit_cert.pem" />
        <Password type="string" data="ld90DH_oRgPsA6QGlaeVXx8=" />
      </ServerCertificate>
      <ClientCertVerification>
        <CACertFile type="string" data="" />
        <RequireCert type="string" data="none" />
        <LearnCertificates type="bool" data="false" />
        <ReverifyOnReconnect type="bool" data="false" />
      </ClientCertVerification>
    </SSL>
  </Plugincfg>
</Profile04>

In the SEAL communicator module example, you can configure the SSL to use custom cipher suites by replacing the word HIGH in the following line:

<Supported-Cipher-Suite type="string" data="HIGH" />

Replace it with a single cipher, or a list of ciphers separated by a colon. For example:

<Supported-Cipher-Suite type="string" data="AES256-SHA:AES128-SHA" />

With the live audit connection example, replace the word HIGH with the custom ciphers in the following line instead:

<SecurityLevel type="string" data="HIGH"/>

Blocked cipher suites

The OneSpan Authentication Server communication interfaces, when configured to use SSL/TLS, will actively block certain cipher suites. All OneSpan Authentication Server components actively block the suites to which the criteria listed below apply. This also includes custom cipher suites, i.e. if the criteria also apply to custom-defined cipher suites, the OneSpan Authentication Server components will also actively block these suites.

Criteria for cipher suites to be blocked:

  • All cipher suites which do not offer encryption
  • All cipher suites which do not offer authentication
  • All export encryption algorithms
  • Cipher suites defined by OpenSSL as low encryption
  • All cipher suites which use MD5 as hashing algorithm
  • All cipher suites that use pre-shared keys

Cipher suites in OneSpan Authentication Server Administration Web Interface

The following cipher suites are accepted by the Administration Web Interface(if deployed on an Apache Tomcat server (i.e. the default deployment)):

Table: Cipher suites in Administration Web Interface
Cipher suiteProtocolKey exchangeAuthenti­cationEncryptionMAC
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256TLSv1.2ECDHRSAAESGCM(128)AEAD
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256TLSv1.2ECDHECDSAAESGCM(128)AEAD
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256TLSv1.2ECDH/RSAECDHAESGCM(128)AEAD
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256TLSv1.2ECDH/ECDSAECDHAESGCM(128)AEAD
TLS_RSA_WITH_AES_128_GCM_SHA256TLSv1.2RSARSAAESGCM(128)AEAD
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384*TLSv1.2ECDHRSAAESGCM(256)AEAD
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384*TLSv1.2ECDHECDSAAESGCM(256)AEAD
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384*TLSv1.2ECDH/RSAECDHAESGCM(256)AEAD
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384*TLSv1.2ECDH/ECDSAECDHAESGCM(256)AEAD
TLS_RSA_WITH_AES_256_GCM_SHA384*TLSv1.2RSARSAAESGCM(256)AEAD

* Encryption of symmetric keys that are 128 bit or greater require Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.


Cet article vous a-t-il été utile ?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Ozzy, facilitant la découverte de connaissances grâce à l’intelligence conversationnelle