Managing Cipher Suites

This topic describes how to create and manage cipher suites. Cipher suites are part of the setup and maintenance of a load balancer. For more information about managing load balancers, see Managing Load Balancers.

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.

For administrators: For a typical policy that gives access to load balancers and their components, see Let network admins manage load balancers.

Also, be aware that a policy statement with inspect load-balancers gives the specified group the ability to see all information about the load balancers. For more information, see Details for Load Balancing.

If you are new to policies, see Getting Started with Policies and Common Policies.

Working with Cipher Suites

A cipher suite is a logical entity for a set of algorithms, or ciphers, that Transport Layer Security (TLS) uses to negotiate the security, compatibility, and speed of HTTPS traffic. Every cipher is associated with at least one of TLS 1.0, 1.1, and 1.2.

Note

Any cipher suite you use or create must contain ciphers that match a TLS version supported in your environment. Some ciphers work with multiple TLS versions; a cipher is usable if your environment supports at least one of the TLS versions associated with it.

When you create or edit a listener, you add or change the associated cipher suite. See Managing Listeners for more information.

Click Cipher Suites under Resources in the Load Balancer Details page to display the Cipher Suites page. This page contains a button for creating cipher suites.

This page also lists all currently available cipher suites: those preconfigured by Oracle Cloud Infrastructure (Predefined=Yes) and those you created yourself (Predefined=No). You can modify or delete only the cipher suites you created yourself (Predefined=No). You cannot modify predefined cipher suites.

Creating Cipher Suites

You can create cipher suites as a resource within the Load Balancer service in the Console. The cipher suites you create are available to use when configuring the load balancer's listener and backend set.

To create a cipher suite
  1. Open the navigation menu. Under the Core Infrastructure group, go to Networking and click Load Balancers.
  2. Choose the Compartment that contains the load balancer for which you want to create cipher suites.
  3. Click the load balancer you want from the list.

    The Load Balancer Details page for that load balancer appears.

  4. Click Cipher Suites under Resources.

    The Cipher Suites page appears.

  5. Click Create Cipher Suite.

    The Create Cipher Suite page appears.

  6. Enter a name for the cipher suite you are creating in the Suite Name field.
  7. Under Filters, check the TLS versions whose ciphers you want to select from.

    Ciphers associated with the TLS versions you checked appear, each showing the TLS versions it supports. Select only TLS versions that are supported in your environment.

    Note

    Assign at least one cipher to a cipher suite you create. You cannot create a cipher suite that contains no ciphers.
  8. Check those ciphers that you want to include in your cipher suite.

    The total number of ciphers available can span multiple pages. Use the Search Ciphers field to find a specific cipher.

    Uncheck a cipher to deselect it from the cipher suite.

  9. Click Create Suite.
Note

Note the following related to creating cipher suites:

  • Ensure that the SSL protocols (TLS versions) configured on the listener are compatible with the ciphers in the cipher suite; otherwise the TLS handshake fails.
  • Ensure that the ciphers in the cipher suite are compatible with the configured certificate. For example, RSA-based ciphers require an RSA certificate, whereas ECDSA-based ciphers require an ECDSA certificate.

  • For all load balancer and listener resources that were created before the cipher suites feature was available, the following apply:
    • When running a GET operation, the cipher suite value returned inside the listener's SSL configuration is by default "oci-default-ssl-cipher-suite-v1". You can update this value by editing the load balancer or listener.
    • When running a GET operation, the cipher suite value returned inside the listener's SSL configuration is "oci-customized-ssl-cipher-suite" if Oracle customized the cipher configuration of that load balancer on your behalf after it was created.
  • For all existing load balancer backend sets that were created before the cipher suites feature was available, running a GET operation displays the cipher suite value "oci-wider-compatible-ssl-cipher-suite-v1" inside the backend set's SSL configuration.
  • If running a GET operation on a load balancer listener displays the cipher suite value "oci-customized-ssl-cipher-suite", choose an appropriate cipher suite name (either a predefined or a custom cipher suite) when updating that load balancer.
  • The cipher suite name "oci-customized-ssl-cipher-suite" is reserved for use by Oracle and cannot be used as the name of a custom cipher suite.
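The two compatibility rules above (TLS version and certificate key type) and the TLS version note earlier in this topic can be checked before you click Create Suite, rather than by watching handshakes fail. The following is an added example written for this page; it is not part of the Oracle Cloud Infrastructure documentation, SDK, or CLI. It parses the OpenSSL-style cipher names used on this page, derives what each cipher needs from the listener, flags legacy algorithms, and applies the checks to a constructed listener sslConfiguration. The field names cipherSuiteName, protocols, and certificateName follow the Load Balancing API; the TLS protocol spellings ("TLSv1", "TLSv1.1", "TLSv1.2") and the certificate key type are assumed inputs that you would confirm against your own listener and uploaded certificate.

```python
"""Offline sanity checks for an OCI Load Balancing cipher suite.

Added example for this page; not part of the OCI documentation, SDK or CLI.
It parses the OpenSSL-style cipher names listed on this page and applies the
two compatibility rules from the note above (TLS version, certificate key
type), then flags legacy ciphers. The listener sslConfiguration used at the
bottom is constructed; its field names follow the Load Balancing API, the
protocol spellings and the certificate key type are assumptions.
"""
from dataclasses import dataclass

RESERVED_SUITE = "oci-customized-ssl-cipher-suite"  # reserved by Oracle, see note above
ALL_TLS = ("TLSv1", "TLSv1.1", "TLSv1.2")           # protocol names as assumed in the API

# Predefined suite copied from this page, used as the known-good reference.
OCI_DEFAULT_V1 = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256",
]

# AEAD (GCM) and SHA-2 HMAC suites exist only in TLS 1.2; names ending in
# "-SHA" (SHA-1) or "-MD5" are the TLS 1.0/1.1 suites that TLS 1.2 also accepts.
TLS12_ONLY_SUFFIXES = ("-SHA256", "-SHA384")
# Broken or obsolete algorithms to reject unless a legacy client forces them.
LEGACY_MARKERS = ("RC4", "DES-CBC3", "3DES", "IDEA", "MD5", "SEED", "CAMELLIA", "PSK-", "KRB5-")


@dataclass(frozen=True)
class CipherInfo:
    name: str
    key_exchange: str      # ECDHE, DHE, ECDH, DH, RSA, PSK or KRB5
    cert_type: str         # certificate key the listener needs: RSA, ECDSA, DSS or "none"
    tls_versions: tuple    # TLS versions that can negotiate this cipher
    forward_secrecy: bool  # only ephemeral (EC)DHE key exchange gives forward secrecy
    legacy: bool


def parse_cipher(name: str) -> CipherInfo:
    """Derive listener requirements from an OpenSSL cipher name such as
    ECDHE-ECDSA-AES128-GCM-SHA256 or AES256-SHA (plain RSA key exchange)."""
    parts = name.split("-")
    kx, auth = "RSA", "RSA"                    # no prefix means RSA key transport and RSA auth
    if parts[0] in ("ECDHE", "DHE", "ECDH", "DH"):
        kx, auth = parts[0], parts[1]          # e.g. ECDH-ECDSA-..., DH-DSS-...
    elif parts[0] in ("PSK", "KRB5"):
        kx, auth = parts[0], parts[0]          # no certificate involved
    cert_type = auth if auth in ("RSA", "ECDSA", "DSS") else "none"
    tls_versions = ("TLSv1.2",) if name.endswith(TLS12_ONLY_SUFFIXES) else ALL_TLS
    return CipherInfo(name, kx, cert_type, tls_versions,
                      kx in ("ECDHE", "DHE"),
                      any(m in name for m in LEGACY_MARKERS))


def check_suite(ciphers, cert_type, protocols):
    """Validate a proposed suite against a listener that presents a `cert_type`
    certificate and offers `protocols`. Errors break the handshake for the
    affected cipher; warnings are hygiene findings."""
    errors, warnings = [], []
    if not ciphers:
        errors.append("suite must contain at least one cipher")
    usable = 0
    for name in ciphers:
        info = parse_cipher(name)
        if info.cert_type not in (cert_type, "none"):
            errors.append(f"{name}: needs a {info.cert_type} certificate, listener has {cert_type}")
        elif not set(info.tls_versions) & set(protocols):
            errors.append(f"{name}: needs {'/'.join(info.tls_versions)}, listener offers {'/'.join(protocols)}")
        else:
            usable += 1
        if info.legacy:
            warnings.append(f"{name}: legacy algorithm")
        elif not info.forward_secrecy:
            warnings.append(f"{name}: no forward secrecy ({info.key_exchange} key exchange)")
    if ciphers and usable == 0:
        errors.append("no cipher is usable: every TLS handshake on this listener would fail")
    return {"errors": errors, "warnings": warnings}


def check_listener_ssl_config(ssl_config, suites, cert_type):
    """Apply check_suite to a listener's sslConfiguration as returned by a GET,
    resolving cipherSuiteName through `suites` (name -> cipher list)."""
    name = ssl_config["cipherSuiteName"]
    if name == RESERVED_SUITE:
        return {"errors": [f"{name} is reserved by Oracle; choose a predefined or custom suite when updating"],
                "warnings": []}
    return check_suite(suites[name], cert_type, ssl_config["protocols"])


if __name__ == "__main__":
    # Constructed listener sslConfiguration, shaped like a GET response.
    listener_ssl = {"certificateName": "web-cert", "cipherSuiteName": "oci-default-ssl-cipher-suite-v1",
                    "protocols": ["TLSv1.2"]}
    suites = {"oci-default-ssl-cipher-suite-v1": OCI_DEFAULT_V1,
              "legacy-custom": ["ECDHE-ECDSA-AES128-SHA", "RC4-SHA", "DH-DSS-AES256-SHA256"]}
    print(check_listener_ssl_config(listener_ssl, suites, "RSA"))   # clean
    print(check_suite(suites["legacy-custom"], "RSA", ["TLSv1.2"]))  # mixed certificate types, RC4
```

The certificate check is the one most often missed: a suite that mixes ECDHE-ECDSA and ECDHE-RSA ciphers is valid on its own, but a listener with only an RSA certificate can never negotiate the ECDSA entries, so they add nothing but attack surface. Run the check with the certificate type the listener actually presents.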

Viewing Cipher Suite Details

The Cipher Suite Details page is where you view the ciphers contained in a cipher suite. When you first create a cipher suite, its Details page appears. After that, you can view the Details page using the following procedure.

From the Details page, you can also modify or delete custom cipher suites. You cannot modify or delete preconfigured cipher suites.

To view the details of a cipher suite
  1. Open the navigation menu. Under the Core Infrastructure group, go to Networking and click Load Balancers.
  2. Choose the Compartment that contains the load balancer whose cipher suite you want to view, and then click the load balancer's name.
  3. Click Cipher Suites under Resources.

    The Cipher Suites page appears.

  4. Click the link under Name for the cipher suite whose details you want to view.

    Alternatively, you can click the Actions icon, and then click View Details.

    The Details page for that cipher suite appears. The Details page displays those ciphers currently included in the cipher suite.

Editing Cipher Suites

Edit a cipher suite to change the ciphers it contains.

To edit a cipher suite
  1. Open the navigation menu. Under the Core Infrastructure group, go to Networking and click Load Balancers.
  2. Choose the Compartment that contains the load balancer whose cipher suite you want to modify, and then click the load balancer's name.
  3. Click Cipher Suites under Resources.

    The Cipher Suites page appears.

  4. Click the Actions icon for the cipher suite you want to edit, and then click Edit.

    Alternatively, you can open the Details page for the cipher suite you want to edit. See Viewing Cipher Suite Details for more information.

  5. Modify the ciphers contained in the cipher suite as needed:
    • To add ciphers, click Manage Cipher(s).

      The Select Ciphers page appears. Check the ciphers that you want to add. The ciphers you add must be compatible with the TLS version you are using. Use the Filters to limit the available ciphers by the TLS versions they support. Click Select Ciphers. You are returned to the Details page.

    • To remove ciphers, check those ciphers listed in the Details page and click Remove. All the checked ciphers are removed.

      You can also remove an individual cipher by clicking the Actions icon for that cipher, and then clicking Delete.

    Note

    You cannot delete all ciphers from a cipher suite. The cipher suite must contain at least one cipher after editing.

Any updates you make are automatically saved.

Deleting Cipher Suites

You cannot delete a cipher suite that is in use. First change every listener and backend set that uses the cipher suite to a different suite. Note that you might not have access to all compartments that contain associated resources.

To delete a cipher suite
Note

You can only delete a custom (Predefined=No) cipher suite.
  1. Open the navigation menu. Under the Core Infrastructure group, go to Networking and click Load Balancers.
  2. Choose the Compartment that contains the load balancer you want to modify, and then click the load balancer's name.
  3. In the Resources menu, click Cipher Suites.

    The Cipher Suites page appears.

  4. Click the Actions icon for the cipher suite you want to delete, and then click Delete.

    Alternatively, open the Details page for the cipher suite you want to delete and click Delete. See Viewing Cipher Suite Details for more information.

  5. Confirm when prompted. The deleted cipher suite disappears from the list.

Supported Ciphers

Here is a list of supported ciphers by TLS version.

TLS version 1.2
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES256-GCM-SHA384
  • AES256-SHA256
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-SHA256
  • DH-DSS-AES256-GCM-SHA384
  • DHE-DSS-AES256-GCM-SHA384
  • DH-RSA-AES256-GCM-SHA384
  • DHE-DSS-AES256-SHA256
  • DH-RSA-AES256-SHA256
  • DH-DSS-AES256-SHA256
  • ECDH-RSA-AES256-GCM-SHA384
  • ECDH-ECDSA-AES256-GCM-SHA384
  • ECDH-RSA-AES256-SHA384
  • ECDH-ECDSA-AES256-SHA384
  • DH-DSS-AES128-GCM-SHA256
  • DHE-DSS-AES128-GCM-SHA256
  • DH-RSA-AES128-GCM-SHA256
  • DHE-DSS-AES128-SHA256
  • DH-RSA-AES128-SHA256
  • DH-DSS-AES128-SHA256
  • ECDH-RSA-AES128-GCM-SHA256
  • ECDH-ECDSA-AES128-GCM-SHA256
  • ECDH-RSA-AES128-SHA256
  • ECDH-ECDSA-AES128-SHA256
TLS version 1.0/1.1 ciphers (also supported by TLS version 1.2)
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DHE-RSA-AES128-SHA
  • DHE-RSA-CAMELLIA256-SHA
  • DHE-RSA-CAMELLIA128-SHA
  • DHE-DSS-CAMELLIA256-SHA
  • DHE-DSS-CAMELLIA128-SHA
  • DHE-RSA-SEED-SHA
  • DHE-DSS-SEED-SHA
  • DH-RSA-SEED-SHA
  • DH-DSS-SEED-SHA
  • DHE-RSA-AES256-SHA
  • DHE-DSS-AES256-SHA
  • DH-RSA-AES256-SHA
  • DH-DSS-AES256-SHA
  • DH-RSA-CAMELLIA256-SHA
  • DH-DSS-CAMELLIA256-SHA
  • ECDH-RSA-AES256-SHA
  • ECDH-ECDSA-AES256-SHA
  • CAMELLIA256-SHA
  • PSK-AES256-CBC-SHA
  • DHE-DSS-AES128-SHA
  • DH-RSA-AES128-SHA
  • DH-DSS-AES128-SHA
  • DH-RSA-CAMELLIA128-SHA
  • DH-DSS-CAMELLIA128-SHA
  • ECDH-RSA-AES128-SHA
  • ECDH-ECDSA-AES128-SHA
  • SEED-SHA
  • CAMELLIA128-SHA
  • PSK-AES128-CBC-SHA
  • DES-CBC3-SHA
  • IDEA-CBC-SHA
  • ECDHE-RSA-DES-CBC3-SHA
  • ECDHE-ECDSA-DES-CBC3-SHA
  • DHE-RSA-DES-CBC3-SHA
  • DHE-DSS-DES-CBC3-SHA
  • DH-RSA-DES-CBC3-SHA
  • DH-DSS-DES-CBC3-SHA
  • ECDH-RSA-DES-CBC3-SHA
  • ECDH-ECDSA-DES-CBC3-SHA
  • PSK-3DES-EDE-CBC-SHA
  • KRB5-IDEA-CBC-SHA
  • KRB5-DES-CBC3-SHA
  • KRB5-IDEA-CBC-MD5
  • KRB5-DES-CBC3-MD5
  • ECDHE-RSA-RC4-SHA
  • ECDHE-ECDSA-RC4-SHA
  • ECDH-RSA-RC4-SHA
  • ECDH-ECDSA-RC4-SHA
  • RC4-SHA
  • RC4-MD5
  • PSK-RC4-SHA
  • KRB5-RC4-SHA
  • KRB5-RC4-MD5

Predefined Cipher Suites

Here is a list of the predefined cipher suites available for use with Load Balancing, along with the individual ciphers they include.

oci-default-ssl-cipher-suite-v1

This cipher suite contains a restricted set of ciphers that are only supported in TLS version 1.2, and meets stricter compliance requirements.

  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA384
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-SHA256
oci-modern-ssl-cipher-suite-v1

This cipher suite offers a wider set of ciphers, but is still supported only in TLS version 1.2.

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES256-GCM-SHA384
  • AES256-SHA256
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-SHA256
oci-compatible-ssl-cipher-suite-v1

This cipher suite supports a broad set of ciphers. It contains ciphers supported by TLS versions 1.1 and 1.2.

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA
  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-SHA256
oci-wider-compatible-ssl-cipher-suite-v1

This cipher suite contains the broadest set of supported ciphers, covering TLS versions 1.1 and 1.2.

  • TLS version 1.2:
    • ECDHE-ECDSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-ECDSA-AES128-SHA256
    • ECDHE-RSA-AES128-SHA256
    • ECDHE-ECDSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-AES256-SHA384
    • ECDHE-RSA-AES256-SHA384
    • AES128-GCM-SHA256
    • AES128-SHA256
    • AES256-GCM-SHA384
    • AES256-SHA256
    • DHE-RSA-AES256-GCM-SHA384
    • DHE-RSA-AES256-SHA256
    • DHE-RSA-AES128-GCM-SHA256
    • DHE-RSA-AES128-SHA256
    • DH-DSS-AES256-GCM-SHA384
    • DHE-DSS-AES256-GCM-SHA384
    • DH-RSA-AES256-GCM-SHA384
    • DHE-DSS-AES256-SHA256
    • DH-RSA-AES256-SHA256
    • DH-DSS-AES256-SHA256
    • ECDH-RSA-AES256-GCM-SHA384
    • ECDH-ECDSA-AES256-GCM-SHA384
    • ECDH-RSA-AES256-SHA384
    • ECDH-ECDSA-AES256-SHA384
    • DH-DSS-AES128-GCM-SHA256
    • DHE-DSS-AES128-GCM-SHA256
    • DH-RSA-AES128-GCM-SHA256
    • DHE-DSS-AES128-SHA256
    • DH-RSA-AES128-SHA256
    • DH-DSS-AES128-SHA256
    • ECDH-RSA-AES128-GCM-SHA256
    • ECDH-ECDSA-AES128-GCM-SHA256
    • ECDH-RSA-AES128-SHA256
    • ECDH-ECDSA-AES128-SHA256
  • TLS version 1.1:
    • ECDHE-ECDSA-AES128-SHA
    • ECDHE-ECDSA-AES256-SHA
    • ECDHE-RSA-AES128-SHA
    • ECDHE-RSA-AES256-SHA
    • AES128-SHA
    • AES256-SHA
    • DES-CBC3-SHA
    • DHE-RSA-AES256-SHA
    • DHE-RSA-AES128-SHA
    • DHE-RSA-CAMELLIA256-SHA
    • DHE-RSA-CAMELLIA128-SHA
    • DHE-RSA-SEED-SHA
    • DHE-DSS-AES256-SHA
    • DH-RSA-AES256-SHA
    • DH-DSS-AES256-SHA
    • DHE-DSS-CAMELLIA256-SHA
    • DH-RSA-CAMELLIA256-SHA
    • DH-DSS-CAMELLIA256-SHA
    • ECDH-RSA-AES256-SHA
    • ECDH-ECDSA-AES256-SHA
    • CAMELLIA256-SHA
    • PSK-AES256-CBC-SHA
    • DHE-DSS-AES128-SHA
    • DH-RSA-AES128-SHA
    • DH-DSS-AES128-SHA
    • DHE-DSS-CAMELLIA128-SHA
    • DH-RSA-CAMELLIA128-SHA
    • DH-DSS-CAMELLIA128-SHA
    • ECDH-RSA-AES128-SHA
    • ECDH-ECDSA-AES128-SHA
    • CAMELLIA128-SHA
    • PSK-AES128-CBC-SHA
oci-customized-ssl-cipher-suite

This cipher suite name reflects cipher customizations that Oracle performed for specific customers before the general release of the cipher suites feature.

Managing Cipher Suites in Listeners and Backend Sets

When you create a load balancer, specifying the cipher suite is part of configuring the listener and the backend set. See Creating Load Balancers for more information.