Cipher Suites
When you configure a TLS context, default ciphers are applied to it based on the TLS version you selected. If you don’t use the defaults, you can select ciphers that match the configured keystore to ensure that TLS can set up a connection:
-
For a keystore with an RSA key (the most common type), select ciphers that contain the string
RSA
. -
If you are using ECC ciphers, select ciphers that contain the string
ECDSA
.
Consult TLS standards and documentation for more information. -
If a client device supports AES-dedicated CPU instructions, use the AES-GCM ciphers.
If the client does not support AES-dedicated instructions (some mobile and IoT devices), the client negotiates to useCHACHA20-POLY1305
. It takes two (client and server) to perform the CHACHA.
TLS 1.3 Cipher Suites
TLS 1.3 support is available only if you are using the Anypoint Security target.
The cipher suites for TLS 1.3 are listed with those of TLS 1.2 and TLS 1.1 and appear in the No known vulnerabilities and support Perfect Forward Secrecy grouping. When you use cipher suites that start with the string TLS
, keep in mind the following:
-
The new cipher suites for TLS 1.3 cannot be used with TLS 1.1 and TLS 1.2.
-
The cipher suites for TLS 1.2 and TLS 1.1 cannot be used for TLS 1.3.
-
The new cipher suites for TLS 1.3 are defined differently from the cipher suites for earlier versions of TLS and do not specify the certificate type (for example, RSA, DSA, ECDSA) or the key exchange mechanism (for example, DHE or ECHDE).
Select Ciphers
In addition to the defaults, you can select other ciphers to use with the selected TLS version. Each TLS context can have multiple ciphers.
-
Click Ciphers to select available ciphers.
If you select a TLS Version value of TLS 1.3, keep the default selection, which includes all three of the TLS cipher suites. -
If you selected Mule as the Target value for the TLS context, you can define custom ciphers to use with your proxy instance.
-
Click Save.
If you add a cipher that’s not supported by the Java runtime, you receive a warning, but this does not prevent you from saving the TLS context.
TLS Support on Anypoint Runtime Fabric
The TLS 1.3 protocol is enabled by default for those clients that support it.
OpenSSL 1.1.1 and TLS 1.3 provide the following security enhancements and performance improvements over TLS 1.2:
-
Double or more than double TLS 1.2 connection performance throughput boost over an earlier Runtime Fabric internal load balancer running on OpenSSL 1.0.2
-
Reduction of one round trip in a full handshake
-
Added TLS 1.2 and TLS 1.3 ChaCha20-Poly1305 ciphers for better mobile and IoT device support
-
Protection against downgrade attacks
-
Continued support for both RSA and ECDSA keys
-
Removal of obsolete and insecure features from TLS 1.2 and TLS 1.1.
See Anypoint Security Edge Release Notes for a list of supported and deprecated ciphers.