TLS ciphers

To ensure a high-security Transport Layer Security (TLS) deployment by default, TLS ciphers are enabled for use by clients and servers according to software standards.

About this task

The TLS ciphers enabled by default are:

TLS v1.2

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xCCA8)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0XC030)
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xCCA9)
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0XC02C)
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0XC02B)
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009E)
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009F)
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xCCAA)
Notes:
  • On Windows, the TLS library does not support the cipher TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xCCAA), so it is excluded from use on this platform.
  • These ciphers are not allowed by the TLS library on Windows when the FIPS mode is enabled. By default, the FIPS mode is enabled on Windows.
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

TLS v1.3:

  • TLS_AES_256_GCM_SHA384 (0x1302)
  • TLS_CHACHA20_POLY1305_SHA256 (0x1303)
  • TLS_AES_128_GCM_SHA256 (0x1301)

Instructions for configuring cipher list

A unified mechanism allows you to override the default list of accepted ciphers by creating a configuration file specifying the desired ciphers. To set-up the cipher list, follow these instructions:

  • File location and naming: The configuration file must be named tls_custom_ciphers.conf and placed in the following path:

    On Windows: C:\Program Files\ClearCase\DevOps\Code\var\config\tls_custom_ciphers.conf

    On Unix: /var/adm/rational/clearcase/config/tls_custom_ciphers.conf

  • File Permissions: The file should have permissions that allow the administrator to write to it and all users to read it.
  • File Format and Syntax:
    • The cipher list must begin with a predefined tag indicating the TLS version, such as tls_1_2_ciphers, or tls_1_3_ciphers.
    • Cipher names must be comma-separated.
    • Only Request for Comments (RFC)-compliant cipher names are allowed.
    • Lines starting with # (comments) and blank lines will be ignored.
    • The file might contain both tls_1_2_ciphers, and tls_1_3_ciphers tags, but only one entry per tag is allowed.
    • Multiple entries for the same tag results in an error.
    • Invalid, unknown, or empty tags also cause errors.
    • An empty configuration file is considered invalid and results in an error.
      A valid configuration file should contain the following format:
      # Cipher Config File
# TLS 1.2
tls_1_2_ciphers,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

# TLS 1.3
tls_1_3_ciphers,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256