Apigee is retiring TLS 1.0 and TLS 1.1 protocols on June 18th, 2018.
https://docs.apigee.com/release/notes/tls-retirement
The documentation for the Virtual Host "ssl_ciphers" property does not provide a definitive list of valid values; it merely states that valid openssl values from the openssl man page can be used.
https://docs.apigee.com/api-platform/fundamentals/virtual-host-property-reference
https://www.openssl.org/docs/man1.0.2/apps/ciphers.html
As a Cloud Edge Orgadmin, I need to know the valid SSL cipher values to configure Virtual Hosts to use TLS 1.2 values so I can test my Apps before the TLS retirement on June 18th.
Based on empirical analysis, the valid individual values (one value in ssl_ciphers property) in a paid org deployed in Amazon us-east-1 and eu-west-1 using curl as the test client are:
AES128-GCM-SHA256
AES128-SHA256
AES256-GCM-SHA384
AES256-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
NOTE: See the very end of this document for the Virtual Host management API call that uses these values.
Org: paid org
Env: test
Deployment: Public Cloud, Amazon us-east-1 and eu-west-1
Procedure:
Configure the Virtual Host with every candidate value, both as an aggregate (colon-separated) list and as single values.
Run curl against the proxy with --tlsv1.0, --tlsv1.1 and --tlsv1.2.
The following command can be used to get the list of ciphers suite names:
openssl ciphers -v -tls1 | grep TLSv1.2 | sort | cut -d ' ' -f1

Output (first entries):
AES128-GCM-SHA256
AES128-SHA256
AES256-GCM-SHA384
AES256-SHA256
<omitted for brevity - see test results for complete list>
In addition, the "cipher strings" (e.g. HIGH) and the cipher suite names from the "TLS v1.2 cipher suites" section (right-hand column) of the openssl man page can be used:
https://www.openssl.org/docs/man1.0.2/apps/ciphers.html
ADH-AES128-GCM-SHA256
ADH-AES128-SHA256
ADH-AES256-GCM-SHA384
ADH-AES256-SHA256
<omitted for brevity - see test results for complete list>
NOTE: the two lists differ.
Given the "valid" values above, each unique value was used in turn as the single value of the "ssl_ciphers" property.
These curl commands will work:
curl -v --tlsv1.2 {PROXY-URL}
curl -v --tlsv1 {PROXY-URL} (negotiates TLS 1.2)
And these will fail:
curl -v --tlsv1.0 {PROXY-URL}
curl -v --tlsv1.1 {PROXY-URL}
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
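The procedure above (set one ssl_ciphers value, then probe with each curl TLS-version flag) as a script. This is an added example, not part of the original post. It reuses the management API endpoint and the PUT body fields shown on this page; the environment variables APIGEE_ORG, APIGEE_ENV, MGMT_AUTH, PROXY_URL, KEY_ALIAS and KEY_STORE, the 10-second settle time, and the mapping from PUT status / curl exit status to the "Not accepted" / "Accepted but doesn't work" / "Works" categories are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: drives the test procedure
# above. It sets the "secure" virtual host's ssl_ciphers property to one
# candidate value at a time through the management API endpoint shown on
# this page, then probes the proxy with curl --tlsv1.0, --tlsv1.1 and
# --tlsv1.2 and classifies the result the way the test results do.
#
# Assumed (hypothetical) environment variables supplied by the operator:
#   APIGEE_ORG, APIGEE_ENV  - organization and environment names
#   MGMT_AUTH               - base64 "user:password" for the Basic header
#   PROXY_URL               - an https URL served by the "secure" virtual host
#   KEY_ALIAS, KEY_STORE    - default to the values used in the post's PUT body

MGMT="https://api.enterprise.apigee.com/v1"

# Join cipher names with ':' into one ssl_ciphers value (aggregate form).
join_ciphers() {
  out=""
  for c in "$@"; do
    out="${out:+$out:}$c"
  done
  printf '%s' "$out"
}

# Build the PUT body for the "secure" virtual host with the given ssl_ciphers
# value. The field set follows the post's own PUT call; only the value varies.
vhost_body() {
  printf '{"hostAliases":["%s-%s.apigee.net"],"name":"secure","port":"443",' \
    "${APIGEE_ORG:-ORG}" "${APIGEE_ENV:-ENV}"
  printf '"properties":{"property":[{"name":"ssl_ciphers","value":"%s"}]},' "$1"
  printf '"sSLInfo":{"clientAuthEnabled":"false","enabled":"true","keyAlias":"%s","keyStore":"%s"}}' \
    "${KEY_ALIAS:-freetrial}" "${KEY_STORE:-ref://freetrialref}"
}

# Classify one candidate from the HTTP status of the PUT ($1) and the exit
# status of curl --tlsv1.2 against the proxy ($2). Assumed mapping:
#   PUT rejected                -> "Not accepted"
#   PUT ok, TLS 1.2 probe fails -> "Accepted but doesn't work"
#   PUT ok, TLS 1.2 probe ok    -> "Works"
classify() {
  if [ "$1" != "200" ]; then
    echo "Not accepted"
  elif [ "$2" -ne 0 ]; then
    echo "Accepted but doesn't work"
  else
    echo "Works"
  fi
}

# --- network side (only runs when PROXY_URL is set) -------------------------

# PUT the virtual host with one ssl_ciphers value; prints the HTTP status code.
set_ciphers() {
  curl -s -o /dev/null -w '%{http_code}' -X PUT \
    "$MGMT/organizations/$APIGEE_ORG/environments/$APIGEE_ENV/virtualhosts/secure" \
    -H 'accept: application/json' -H 'content-type: application/json' \
    -H "authorization: Basic $MGMT_AUTH" \
    -d "$(vhost_body "$1")"
}

# Probe the proxy with one curl TLS-version flag; prints curl's exit status.
# -m bounds the attempt so a suite that hangs the handshake cannot stall the run.
probe() {
  curl -s -o /dev/null -m 20 "$1" "$PROXY_URL"
  echo $?
}

# Try each argument as a single ssl_ciphers value; print one result line each.
run_matrix() {
  for cipher in "$@"; do
    status=$(set_ciphers "$cipher")
    sleep 10   # assumed settle time before the new virtual host config is live
    rc12=$(probe --tlsv1.2)
    rc10=$(probe --tlsv1.0)
    rc11=$(probe --tlsv1.1)
    printf '%s - %s (PUT %s; curl rc tlsv1.2=%s tlsv1.0=%s tlsv1.1=%s)\n' \
      "$cipher" "$(classify "$status" "$rc12")" "$status" "$rc12" "$rc10" "$rc11"
  done
}

if [ -n "${PROXY_URL:-}" ]; then
  # e.g. ./vhost_ciphers.sh AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
  run_matrix "$@"
fi
```

Run it with the cipher names as arguments; the expected outcome for a TLS 1.2-only value is rc 0 for --tlsv1.2 and rc 35 (handshake failure) for --tlsv1.0 and --tlsv1.1. The -m timeout on the probe is what keeps a suite like the one noted below as "hangs curl" from blocking the rest of the matrix.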
Example of setting a single value (body abbreviated):

curl -X PUT \
  https://api.enterprise.apigee.com/v1/organizations/{{ORG}}/environments/{{ENV}}/virtualhosts/secure \
  ...
  "properties": { "property": [ { "name": "ssl_ciphers", "value": "NULL-SHA256" } ] },
  ... }'
Test Results
Values with no annotation worked with curl --tlsv1.2.

AES128-GCM-SHA256
AES128-SHA256
AES256-GCM-SHA384
AES256-SHA256
CAMELLIA128-SHA256 - Not accepted
CAMELLIA256-SHA256 - Not accepted
DHE-DSS-AES128-GCM-SHA256 - Accepted but doesn't work
DHE-DSS-AES128-SHA256 - Accepted but doesn't work
DHE-DSS-AES256-GCM-SHA384 - Accepted but doesn't work
DHE-DSS-AES256-SHA256 - Accepted but doesn't work
DHE-DSS-CAMELLIA128-SHA256 - Not accepted
DHE-DSS-CAMELLIA256-SHA256 - Not accepted
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-CAMELLIA128-SHA256 - Not accepted
DHE-RSA-CAMELLIA256-SHA256 - Not accepted
DHE-RSA-CHACHA20-POLY1305 - Not accepted
ECDH-ECDSA-AES128-GCM-SHA256 - Accepted but doesn't work
ECDH-ECDSA-AES128-SHA256 - Accepted but doesn't work
ECDH-ECDSA-AES256-GCM-SHA384 - Accepted but doesn't work
ECDH-ECDSA-AES256-SHA384 - Accepted but doesn't work, hangs curl
ECDH-RSA-AES128-GCM-SHA256 - Accepted but doesn't work
ECDH-RSA-AES128-SHA256 - Not accepted
ECDH-RSA-AES256-GCM-SHA384 - Accepted but doesn't work
ECDH-RSA-AES256-SHA384 - Accepted but doesn't work
ECDHE-ECDSA-AES128-GCM-SHA256 - Accepted but doesn't work
ECDHE-ECDSA-AES128-SHA256 - Accepted but doesn't work
ECDHE-ECDSA-AES256-GCM-SHA384 - Accepted but doesn't work
ECDHE-ECDSA-AES256-SHA384 - Accepted but doesn't work
ECDHE-ECDSA-CHACHA20-POLY1305 - Not accepted
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-CHACHA20-POLY1305 - Not accepted

Additional values from the man page section:

ADH-AES128-GCM-SHA256 - Accepted but doesn't work
ADH-AES128-SHA256 - Accepted but doesn't work
ADH-AES256-GCM-SHA384 - Accepted but doesn't work
ADH-AES256-SHA256 - Accepted but doesn't work
DH-DSS-AES128-GCM-SHA256 - Accepted but doesn't work
DH-DSS-AES128-SHA256 - Accepted but doesn't work
DH-DSS-AES256-GCM-SHA384 - Accepted but doesn't work
DH-DSS-AES256-SHA256 - Accepted but doesn't work
DH-RSA-AES128-GCM-SHA256 - Accepted but doesn't work
DH-RSA-AES128-SHA256 - Accepted but doesn't work
DH-RSA-AES256-GCM-SHA384 - Accepted but doesn't work
DH-RSA-AES256-SHA256 - Accepted but doesn't work
NULL-SHA256 - Accepted but doesn't work
Virtual Host management API call using the working values:

curl -X PUT \
  https://api.enterprise.apigee.com/v1/organizations/{{ORG}}/environments/{{ENV}}/virtualhosts/secure \
  -H 'accept: application/json' \
  -H 'authorization: Basic ******' \
  -H 'content-type: application/json' \
  -d '{
    "hostAliases": [ "{{ORG}}-{{ENV}}.apigee.net" ],
    "interfaces": [],
    "listenOptions": [],
    "name": "secure",
    "port": "443",
    "properties": {
      "property": [
        {
          "name": "ssl_ciphers",
          "value": "AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
        }
      ]
    },
    "retryOptions": [],
    "sSLInfo": {
      "ciphers": [],
      "clientAuthEnabled": "false",
      "enabled": "true",
      "ignoreValidationErrors": false,
      "keyAlias": "freetrial",
      "keyStore": "ref://freetrialref",
      "protocols": []
    }
  }'
end.