Setting TLS Ciphers

The SafeNet Luna Network HSM uses a default set of cipher suites for Transport Layer Security (TLS) communications, such as client connections, remote PED connections, etc.

If the default list is not suitable, you can modify it. The cipher suite configuration allows you to choose which of the supported cipher suite(s) the appliance can use for TLS communications, and also the preferred order for their usage.

NOTE   This feature requires appliance software version 7.2 and client 7.2. See Version Dependencies by Feature for more information.

You can change the list of TLS ciphers by listing them in the LunaSH command line in the order of desired priority (-list), or by creating a file containing this list and transferring it to the appliance admin files (-applytemplate). The following rules apply to both methods:

>You can use valid OpenSSL arguments to simplify your specifications, such as:

kECDHE (cipher suites using ephemeral ECDH key agreement, in default order)

kDHE (cipher suites using ephemeral DH key agreement, in default order)

kRSA (cipher suites using RSA key exchange, in default order)

ALL (all not-otherwise-specified ciphers, in default order)

>Ciphers or arguments in the list must be separated by colons (:). For example:

ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ALL

>The list/template can contain a maximum of 255 characters, including colon separators. To avoid reaching this character limit:

Specify only the ciphers you intend to use. It is not necessary to include the entire list.

If you do wish to include the entire list, specify the most important ciphers first, and then use the ALL option to complete the list in the default remaining order.

NOTE   Setting some of the stronger ciphers introduces additional overhead, which might affect performance.

To configure TLS ciphers for the appliance

1.[Optional] View the list of supported ciphers in the default priority order.

lunash:> sysconf tls ciphers show

The following cipher suites are available to configure TLS:

Available Ciphers
--------------------------------------------------
ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=RSA  Enc=AESGCM(256)  Mac=AEAD
ECDHE-RSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=RSA  Enc=AES(256)     Mac=SHA384
DHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=DH    Au=RSA  Enc=AESGCM(256)  Mac=AEAD
DHE-RSA-AES256-SHA256        TLSv1.2  Kx=DH    Au=RSA  Enc=AES(256)     Mac=SHA256
AES256-GCM-SHA384            TLSv1.2  Kx=RSA   Au=RSA  Enc=AESGCM(256)  Mac=AEAD
AES256-SHA256                TLSv1.2  Kx=RSA   Au=RSA  Enc=AES(256)     Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=RSA  Enc=AESGCM(128)  Mac=AEAD
ECDHE-RSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=RSA  Enc=AES(128)     Mac=SHA256
DHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=DH    Au=RSA  Enc=AESGCM(128)  Mac=AEAD
DHE-RSA-AES128-SHA256        TLSv1.2  Kx=DH    Au=RSA  Enc=AES(128)     Mac=SHA256
AES128-GCM-SHA256            TLSv1.2  Kx=RSA   Au=RSA  Enc=AESGCM(128)  Mac=AEAD
AES128-SHA256                TLSv1.2  Kx=RSA   Au=RSA  Enc=AES(128)     Mac=SHA256

The selected TLS cipher suites are used by the NTLS, STC outer tunnel, RBS, Ped vector Server/Client features
TLS is using the following cipher suites:
Cipher suites are listed from highest to lowest priority.

2.Set your desired list of ciphers, with either a list or template. If you are using a template, you must first transfer the file to the admin files using pscp or scp.

lunash:> sysconf tls ciphers set {-list <cipher_list> | -applytemplate <file name>}

lunash:>sysconf tls ciphers set -list ECDHE-RSA-AES128-GCM-SHA256:kDHE:ALL

This operation will set the TLS cipher suites to use the following cipher suites:
Cipher suites are listed from highest to lowest priority.

Configured Ciphers (highest priority at top)
--------------------------------------------------
ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=RSA  Enc=AESGCM(128)  Mac=AEAD
DHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=DH    Au=RSA  Enc=AESGCM(256)  Mac=AEAD
DHE-RSA-AES256-SHA256        TLSv1.2  Kx=DH    Au=RSA  Enc=AES(256)     Mac=SHA256
DHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=DH    Au=RSA  Enc=AESGCM(128)  Mac=AEAD
DHE-RSA-AES128-SHA256        TLSv1.2  Kx=DH    Au=RSA  Enc=AES(128)     Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=RSA  Enc=AESGCM(256)  Mac=AEAD
ECDHE-RSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=RSA  Enc=AES(256)     Mac=SHA384
AES256-GCM-SHA384            TLSv1.2  Kx=RSA   Au=RSA  Enc=AESGCM(256)  Mac=AEAD
AES256-SHA256                TLSv1.2  Kx=RSA   Au=RSA  Enc=AES(256)     Mac=SHA256
ECDHE-RSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=RSA  Enc=AES(128)     Mac=SHA256
AES128-GCM-SHA256            TLSv1.2  Kx=RSA   Au=RSA  Enc=AESGCM(128)  Mac=AEAD
AES128-SHA256                TLSv1.2  Kx=RSA   Au=RSA  Enc=AES(128)     Mac=SHA256

This operation will restart the TLS related services (NTLS, STCD, CBS).
Type 'proceed' to set ciphers suites and restart TLS related services, or 'quit'
    to quit now. > proceed

Restarting NTLS, STC and CBS services.... Done

Command Result : 0 (Success)

3.[Optional] You can restore the default cipher list at any time.

lunash:>sysconf tls ciphers reset

This operation will set the TLS cipher suites to use the following cipher suites:
Cipher suites are listed from highest to lowest priority.

Configured Ciphers (highest priority at top)
--------------------------------------------------
ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=RSA  Enc=AESGCM(256)  Mac=AEAD
ECDHE-RSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=RSA  Enc=AES(256)     Mac=SHA384
DHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=DH    Au=RSA  Enc=AESGCM(256)  Mac=AEAD
DHE-RSA-AES256-SHA256        TLSv1.2  Kx=DH    Au=RSA  Enc=AES(256)     Mac=SHA256
AES256-GCM-SHA384            TLSv1.2  Kx=RSA   Au=RSA  Enc=AESGCM(256)  Mac=AEAD
AES256-SHA256                TLSv1.2  Kx=RSA   Au=RSA  Enc=AES(256)     Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=RSA  Enc=AESGCM(128)  Mac=AEAD
ECDHE-RSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=RSA  Enc=AES(128)     Mac=SHA256
DHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=DH    Au=RSA  Enc=AESGCM(128)  Mac=AEAD
DHE-RSA-AES128-SHA256        TLSv1.2  Kx=DH    Au=RSA  Enc=AES(128)     Mac=SHA256
AES128-GCM-SHA256            TLSv1.2  Kx=RSA   Au=RSA  Enc=AESGCM(128)  Mac=AEAD
AES128-SHA256                TLSv1.2  Kx=RSA   Au=RSA  Enc=AES(128)     Mac=SHA256

This operation will restart the TLS related services (NTLS, STCD, CBS).
Type 'proceed' to set ciphers suites and restart TLS related services, or 'quit'
    to quit now. > proceed

Restarting NTLS, STC and CBS services.... Done

Command Result : 0 (Success)