cipher_list

Specifies a list of ciphers to be used by the TLS connector.

cipher_list | cpr_lst= {Keyword}{:} {!} {CipherList}

Arguments

  • Keyword—valid values are:
    • DEFAULT: default list of ciphers for the encryption mode.
    • ALL: all enabled ciphers.
    • HIGH: list of ciphers offering the highest security.
    • MEDIUM: list of ciphers offering only medium level security.
    • LOW: list of ciphers offering only low level security.

    Specify only one keyword; or specify the keyword DEFAULT, ALL or HIGH, followed by ciphers to be added or removed. To remove a cipher, precede it with an exclamation mark (!).

  • CipherList—colon-separated list of ciphers. If specified, the TLS connector uses only these ciphers.

Use

This option can be set in the assignment files of both TLS servers (Uniface Routers and exclusive Uniface Servers) and TLS clients (client applications and shared Uniface Servers).

Description

OpenSSL (which is used by the TLS connector) supports many ciphers that can potentially be used with certificates. During the initial TLS handshake, the client and the server negotiate which cipher to use to encrypt the communication. The most secure cipher supported by both peers is used, but if you supply your own list, the first common cipher in the list is used.

You can use the cipher_list option to limit the supported ciphers to a particular group of ciphers, or even to specify individual ciphers by name.

If you do not specify cipher_list, the TLS connector only uses the HIGH-level ciphers from OpenSSL's default list.

For more information, see Ciphers Supported by the TLS Connector.

Using cipher_list

  • Enable all ciphers OpenSSL supports except RC4 and EXT ciphers:
    cipher_list=ALL:!RC4:!EXT
  • Enable only one cipher:
    cipher_list=ECDHE-RSA-AES256-GCM-SHA384

    Note: In this case, you must make sure that the cipher is also included in the cipher list of the peer. Otherwise, you will get the error No matching cipher.
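The cipher_list value is passed through to OpenSSL, so the same cipher-string syntax described under Arguments (keywords, colon separators, ! removal) can be checked against the local OpenSSL build before it goes into an assignment file. The script below is an added example and is not part of the Uniface documentation or product: it uses Python's ssl module, which wraps the same OpenSSL cipher-string parser, to expand a cipher_list into the TLS 1.2 ciphers it actually enables, and to compute the ciphers a client list and a server list have in common, so the "No matching cipher" situation from the note above can be detected before deployment. The function names and the sample client/server lists are the example's own.

```python
"""Expand and compare OpenSSL cipher strings as used by cipher_list.

Added example (not Uniface code). Python's ssl module uses the same
OpenSSL cipher-string syntax the TLS connector passes through: keywords
such as ALL and HIGH, ':' separators, and '!' to remove ciphers.
"""
import ssl


def resolve_cipher_list(spec: str) -> list[str]:
    """Return the TLS 1.2 cipher names that an OpenSSL cipher string enables.

    TLS 1.3 suites are configured separately in OpenSSL and always appear
    in get_ciphers(), so they are filtered out to show only what the
    cipher string itself selected. Raises ValueError when OpenSSL rejects
    the string or when it selects no usable cipher.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError as exc:
        raise ValueError(f"cipher_list {spec!r} rejected by OpenSSL: {exc}") from exc
    names = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    if not names:
        raise ValueError(f"cipher_list {spec!r} selects no TLS 1.2 ciphers")
    return names


def excludes(spec: str, fragment: str) -> bool:
    """True when no cipher enabled by spec has fragment in its name (e.g. 'RC4')."""
    return all(fragment not in name for name in resolve_cipher_list(spec))


def common_ciphers(client_spec: str, server_spec: str) -> list[str]:
    """Ciphers allowed by both peers, in the client's preference order.

    An empty result is the case the documentation describes as the
    "No matching cipher" error: the handshake cannot complete.
    """
    server_allowed = set(resolve_cipher_list(server_spec))
    return [name for name in resolve_cipher_list(client_spec) if name in server_allowed]


if __name__ == "__main__":
    # The two cipher_list values from the documentation, plus the HIGH keyword.
    for spec in ("ALL:!RC4:!EXT", "HIGH", "ECDHE-RSA-AES256-GCM-SHA384"):
        names = resolve_cipher_list(spec)
        print(f"{spec}: {len(names)} TLS 1.2 cipher(s), first preference {names[0]}")

    # Constructed peer lists: a client pinned to one AES-256 suite against a
    # server that only allows an AES-128 suite has nothing in common.
    client = "ECDHE-RSA-AES256-GCM-SHA384"
    server = "ECDHE-RSA-AES128-GCM-SHA256"
    if not common_ciphers(client, server):
        print(f"client {client!r} vs server {server!r}: no matching cipher")
```

Running the script against the OpenSSL library your Python is linked with shows the expanded list for each cipher_list value; the lists on the Uniface Router or Server machine should be checked with that machine's OpenSSL, since the set of compiled-in ciphers varies between builds.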
