Setting TLS Ciphers
The SafeNet Luna Network HSM uses a default set of cipher suites for Transport Layer Security (TLS) communications, such as client connections, remote PED connections, etc.
If the default list is not suitable, you can modify it. The cipher suite configuration allows you to choose which of the supported cipher suite(s) the appliance can use for TLS communications, and also the preferred order for their usage.
NOTE This feature requires appliance software version 7.2 and client 7.2. See Version Dependencies by Feature for more information.
You can change the list of TLS ciphers by listing them in the LunaSH command line in the order of desired priority (-list), or by creating a file containing this list and transferring it to the appliance admin files (-applytemplate). The following rules apply to both methods:
>You can use valid OpenSSL arguments to simplify your specifications, such as:
•kECDHE (cipher suites using ephemeral ECDH key agreement, in default order)
•kDHE (cipher suites using ephemeral DH key agreement, in default order)
•kRSA (cipher suites using RSA key exchange, in default order)
•ALL (all not-otherwise-specified ciphers, in default order)
>Ciphers or arguments in the list must be separated by colons (:). For example:
ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ALL
>The list/template can contain a maximum of 255 characters, including colon separators. To avoid reaching this character limit:
•Specify only the ciphers you intend to use. It is not necessary to include the entire list.
•If you do wish to include the entire list, specify the most important ciphers first, and then use the ALL option to complete the list in the default remaining order.
NOTE Setting some of the stronger ciphers introduces additional overhead, which might affect performance.
To configure TLS ciphers for the appliance
1.[Optional] View the list of supported ciphers in the default priority order.
lunash:> sysconf tls ciphers show
The following cipher suites are available to configure TLS: Available Ciphers -------------------------------------------------- ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 The selected TLS cipher suites are used by the NTLS, STC outer tunnel, RBS, Ped vector Server/Client features TLS is using the following cipher suites: Cipher suites are listed from highest to lowest priority.
2.Set your desired list of ciphers, with either a list or template. If you are using a template, you must first transfer the file to the admin files using pscp or scp.
lunash:> sysconf tls ciphers set {-list <cipher_list> | -applytemplate <file name>}
lunash:>sysconf tls ciphers set -list ECDHE-RSA-AES128-GCM-SHA256:kDHE:ALL This operation will set the TLS cipher suites to use the following cipher suites: Cipher suites are listed from highest to lowest priority. Configured Ciphers (highest priority at top) -------------------------------------------------- ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 This operation will restart the TLS related services (NTLS, STCD, CBS). Type 'proceed' to set ciphers suites and restart TLS related services, or 'quit' to quit now. > proceed Restarting NTLS, STC and CBS services.... Done Command Result : 0 (Success)
3.[Optional] You can restore the default cipher list at any time.
lunash:>sysconf tls ciphers reset
This operation will set the TLS cipher suites to use the following cipher suites: Cipher suites are listed from highest to lowest priority. Configured Ciphers (highest priority at top) -------------------------------------------------- ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 This operation will restart the TLS related services (NTLS, STCD, CBS). Type 'proceed' to set ciphers suites and restart TLS related services, or 'quit' to quit now. > proceed Restarting NTLS, STC and CBS services.... Done Command Result : 0 (Success)