Setting up cipher suites

Cipher suites are a combination of algorithms and protocols that help to secure network connections during the TLS handshake. IBM Cloud® Internet Services secures network connections by using edge and origin cipher suites.

Edge cipher suites

The following ciphers are supported at the cloud edge. You can restrict the ciphers that are used for your domain through the CIS CLI plugin to the IBM Cloud CLI. See the ciphers option on the domain settings command.

Edge cipher suites
OpenSSL Name	TLS 1.0	TLS 1.1	TLS 1.2	TLS 1.3	IANA name
ECDHE-ECDSA-AES128-GCM-SHA256					TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE-ECDSA-CHACHA20-POLY1305					TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE-RSA-AES128-GCM-SHA256					TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-CHACHA20-POLY1305					TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-AES128-SHA256					TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ECDHE-ECDSA-AES128-SHA					TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES128-SHA256					TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ECDHE-RSA-AES128-SHA					TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
AES128-GCM-SHA256					TLS_RSA_WITH_AES_128_GCM_SHA256
AES128-SHA256					TLS_RSA_WITH_AES_128_CBC_SHA256
AES128-SHA					TLS_RSA_WITH_AES_128_CBC_SHA
ECDHE-ECDSA-AES256-GCM-SHA384					TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE-ECDSA-AES256-SHA384					TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
ECDHE-RSA-AES256-GCM-SHA384					TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-AES256-SHA384					TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
ECDHE-RSA-AES256-SHA					TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
AES256-GCM-SHA384					TLS_RSA_WITH_AES_256_GCM_SHA384
AES256-SHA256					TLS_RSA_WITH_AES_256_CBC_SHA256
AES256-SHA					TLS_RSA_WITH_AES_256_CBC_SHA
DES-CBC3-SHA					TLS_RSA_WITH_3DES_EDE_CBC_SHA
AEAD-AES128-GCM-SHA256					TLS_AES_128_GCM_SHA256
AEAD-AES256-GCM-SHA384					TLS_AES_256_GCM_SHA384
AEAD-CHACHA20-POLY1305-SHA256					TLS_CHACHA20_POLY1305_SHA256

Origin cipher suites

The following ciphers are supported at the origin. You can restrict the ciphers that are used for your domain through the CIS CLI plugin to the IBM Cloud CLI. See the ciphers option on the domain settings command.

Origin cipher suites
OpenSSL Name	TLS 1.0	TLS 1.1	TLS 1.2	TLS 1.3	IANA name
AEAD-AES128-GCM-SHA256 ^[1]					TLS_AES_128_GCM_SHA256
AEAD-AES256-GCM-SHA384 ^[2]					TLS_AES_256_GCM_SHA384
AEAD-CHACHA20-POLY1305-SHA256 ^[3]					TLS_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-AES128-GCM-SHA256					TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-AES128-GCM-SHA256					TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-AES128-SHA					TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
AES128-GCM-SHA256					TLS_RSA_WITH_AES_128_GCM_SHA256
AES128-SHA					TLS_RSA_WITH_AES_128_CBC_SHA
ECDHE-ECDSA-AES256-GCM-SHA384					TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-AES256-SHA384					TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
AES256-SHA					TLS_RSA_WITH_AES_256_CBC_SHA
DES-CBC3-SHA					TLS_RSA_WITH_3DES_EDE_CBC_SHA

Managing cipher suites from the CLI

You can manage cipher suites by from the CLI.

Working with edge cipher suites from the CLI

Within the ibmcloud cis domain-settings CLI, set the following variable:

ciphers: An allowlist of ciphers for TLS termination in the BoringSSL format. This command lists only ciphers that are allowlisted by customers. If no ciphers are allowlisted, the list is empty and the default ciphers are used. See Edge cipher suites for the list of default ciphers.
Within the ibmcloud cis domain-settings-update CLI, set the following variable:

ciphers: An allowlist of ciphers for TLS termination. These ciphers must be in the BoringSSL format.

Managing cipher suites with the API

You can manage cipher suites with the API.

Getting ciphers with the API

To get ciphers with the API, take the following steps.

Set up your environment with the right variables.
Store any variables to be used in the API commands. For example,
- crn (string): The full URL-encoded cloud resource name (CRN) of the resource instance.
- zone_identifier (string): The zone identifier.
When all variables are initiated, get the ciphers:

curl -X GET https://api.cis.cloud.ibm.com/v1/:crn/zones/:zone_id/settings/ciphers -H 'content-type: application/json' -H 'accept: application/json' -H 'x-auth-user-token: Bearer xxxxxx'

Updating ciphers with the API

To update ciphers with the API, take the following steps.

Set up your environment with the right variables.
Store any variables to be used in the API commands. For example,
- crn (string): The full URL-encoded cloud resource name (CRN) of the resource instance.
- zone_identifier (string): The zone identifier.
- value(string): The cipher suites that you want to include.
When all variables are initiated, get the ciphers:

curl -X PATCH https://api.cis.cloud.ibm.com/v1/:crn/zones/:zone_id/settings/ciphers -H 'content-type: application/json' -H 'x-auth-user-token: Bearer xxxxxx' -d '{"value": ["AES256-GCM-SHA384", "AES256-SHA256"]}'

Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, specifying only the symmetric ciphers, and can't be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites can't be used with TLS 1.3 (IETF TLS 1.3 draft 21). BoringSSL also hardcodes cipher preferences in this order for TLS 1.3. ↩︎
Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, specifying only the symmetric ciphers, and can't be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites can't be used with TLS 1.3 (IETF TLS 1.3 draft 21). BoringSSL also hardcodes cipher preferences in this order for TLS 1.3. ↩︎
Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, specifying only the symmetric ciphers, and can't be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites can't be used with TLS 1.3 (IETF TLS 1.3 draft 21). BoringSSL also hardcodes cipher preferences in this order for TLS 1.3. ↩︎