HTTPS protocol and cipher configuration

The HTTPS protocol and cipher configuration determines the specific HTTPS protocols and cipher suites that are used to encrypt communications with the Secure Gateway. The available settings are Modern 2022, Modern 2024 (strongest security), Intermediate 2022, Intermediate 2024 (default), and Custom. The 2022 suites cannot be applied to servers running WFO 2024.

HTTPS Protocol and Cipher Configuration settings for the Secure Gateway

The following Protocols and Ciphers are supported when configuring SSL in the Enterprise Manager:

Setting

TLS

protocols

Ciphers

Comments

Modern 2024

  • TLS 1.3

TLS v1.3 Ciphers:

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

Most secure option for servers running WFO 2024R1.

Cannot be used on servers running WFO 2022R1 or earlier.

TLS 1.3 is supported from windows server 2022. All servers must be on windows 2022 to take advantage of Modern 2024.

TLS 1.3 is supported from SQL Server version 2022 and must be on Cumulative Update 1 or later.

Modern 2022

 

  • TLS 1.3

  • TLS 1.2

TLS v1.3 Ciphers:

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

TLS v1.2 Ciphers:

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-CHACHA20-POLY1305

  • ECDHE-RSA-CHACHA20-POLY1305

  • Required for Windows 2012 R2:

    • ECDHE-RSA-AES256-SHA384

    • ECDHE-RSA-AES128-SHA256

Most secure option for servers running WFO 2022R1.

This option was named Modern in WFO 2022R1 and earlier.

Intermediate 2024

  • TLS 1.3

  • TLS 1.2

TLS v1.3 Ciphers:

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

TLS v1.2 Ciphers:

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Does not include ciphers for Windows 2012R2.

Intermediate 2022

NOTE: This option was formerly named Intermediate.

  • TLS 1.3

  • TLS 1.2

  • TLS 1.1

  • TLS 1.0

TLS v1.3 Ciphers:

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

TLS v1.0, TLS v1.1 and TLS v1.2 Ciphers:

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-CHACHA20-POLY1305

  • ECDHE-RSA-CHACHA20-POLY1305

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES256-GCM-SHA384

  • AES128-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-SHA

  • DES-CBC3-SHA

This option was named Intermediate in WFO 2022R1 and earlier.

It can be applied to servers running WFO 2024R1, 2022R1, or earlier.

Custom

Only used by technical support for troubleshooting.

Related information

Cipher Suites in TLS/SSL (Schannel SSP) (Microsoft)

How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll (Microsoft)