IBM Cloud Docs
Setting up cipher suites

Setting up cipher suites

Cipher suites are a combination of algorithms and protocols that help to secure network connections during the TLS handshake. IBM Cloud® Internet Services secures network connections by using edge and origin cipher suites.

Edge cipher suites

The following ciphers are supported at the cloud edge. You can restrict the ciphers that are used for your domain through the CIS CLI plugin to the IBM Cloud CLI. See the ciphers option on the domain settings command.

Edge cipher suites
OpenSSL Name TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
ECDHE-ECDSA-AES128-GCM-SHA256 Available
ECDHE-ECDSA-CHACHA20-POLY1305 Available
ECDHE-RSA-AES128-GCM-SHA256 Available
ECDHE-RSA-CHACHA20-POLY1305 Available
ECDHE-ECDSA-AES128-SHA256 Available
ECDHE-ECDSA-AES128-SHA Available Available Available
ECDHE-RSA-AES128-SHA256 Available
ECDHE-RSA-AES128-SHA Available Available Available
AES128-GCM-SHA256 Available
AES128-SHA256 Available
AES128-SHA Available Available Available
ECDHE-ECDSA-AES256-GCM-SHA384 Available
ECDHE-ECDSA-AES256-SHA384 Available
ECDHE-RSA-AES256-GCM-SHA384 Available
ECDHE-RSA-AES256-SHA384 Available
ECDHE-RSA-AES256-SHA Available Available Available
AES256-GCM-SHA384 Available
AES256-SHA256 Available
AES256-SHA Available Available Available
DES-CBC3-SHA Available
AEAD-AES128-GCM-SHA256 Available
AEAD-AES256-GCM-SHA384 Available
AEAD-CHACHA20-POLY1305-SHA256 Available

Origin cipher suites

The following ciphers are supported at the origin. You can restrict the ciphers that are used for your domain through the CIS CLI plugin to the IBM Cloud CLI. See the ciphers option on the domain settings command.

Origin cipher suites
OpenSSL Name TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
AEAD-AES128-GCM-SHA256 [1] Available
AEAD-AES256-GCM-SHA384 [2] Available
AEAD-CHACHA20-POLY1305-SHA256 [3] Available
ECDHE-ECDSA-AES128-GCM-SHA256 Available
ECDHE-RSA-AES128-GCM-SHA256 Available
ECDHE-RSA-AES128-SHA Available Available Available
AES128-GCM-SHA256 Available
AES128-SHA Available Available Available
ECDHE-ECDSA-AES256-GCM-SHA384 Available
ECDHE-RSA-AES256-SHA384 Available
AES256-SHA Available Available Available
DES-CBC3-SHA Available

Managing cipher suites from the CLI

You can manage cipher suites by from the CLI.

Working with edge cipher suites from the CLI

  • Within the ibmcloud cis domain-settings CLI, set the following variable:

    ciphers: An allowlist of ciphers for TLS termination in the BoringSSL format. This command lists only ciphers that are allowlisted by customers. If no ciphers are allowlisted, the list is empty and the default ciphers are used. See Edge cipher suites for the list of default ciphers.

  • Within the ibmcloud cis domain-settings-update CLI, set the following variable:

    ciphers: An allowlist of ciphers for TLS termination. These ciphers must be in the BoringSSL format.

Managing cipher suites with the API

You can manage cipher suites with the API.

Getting ciphers with the API

To get ciphers with the API, take the following steps.

  1. Set up your environment with the right variables.
  2. Store any variables to be used in the API commands. For example,
    • crn (string): The full URL-encoded cloud resource name (CRN) of the resource instance.
    • zone_identifier (string): The zone identifier.
  3. When all variables are initiated, get the ciphers:
curl -X GET https://api.cis.cloud.ibm.com/v1/:crn/zones/:zone_id/settings/ciphers -H 'content-type: application/json' -H 'accept: application/json' -H 'x-auth-user-token: Bearer xxxxxx'

Updating ciphers with the API

To update ciphers with the API, take the following steps.

  1. Set up your environment with the right variables.
  2. Store any variables to be used in the API commands. For example,
    • crn (string): The full URL-encoded cloud resource name (CRN) of the resource instance.
    • zone_identifier (string): The zone identifier.
    • value(string): The cipher suites that you want to include.
  3. When all variables are initiated, get the ciphers:
curl -X PATCH https://api.cis.cloud.ibm.com/v1/:crn/zones/:zone_id/settings/ciphers -H 'content-type: application/json' -H 'x-auth-user-token: Bearer xxxxxx' -d '{"value": ["AES256-GCM-SHA384", "AES256-SHA256"]}'


  1. Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, specifying only the symmetric ciphers, and cannot be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites cannot be used with TLS 1.3 (IETF TLS 1.3 draft 21). BoringSSL also hardcodes cipher preferences in this order for TLS 1.3. ↩︎

  2. Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, specifying only the symmetric ciphers, and cannot be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites cannot be used with TLS 1.3 (IETF TLS 1.3 draft 21). BoringSSL also hardcodes cipher preferences in this order for TLS 1.3. ↩︎

  3. Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, specifying only the symmetric ciphers, and cannot be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites cannot be used with TLS 1.3 (IETF TLS 1.3 draft 21). BoringSSL also hardcodes cipher preferences in this order for TLS 1.3. ↩︎