The Luna Network HSM 7 uses a default set of cipher suites for Transport Layer Security (TLS) communications, such as client connections, remote PED connections, etc.
If the default list is not suitable, you can modify it. The cipher suite configuration allows you to choose which of the supported cipher suite(s) the appliance can use for TLS communications, and also the preferred order for their usage.
Luna Appliance Software 7.8.3 and newer and Luna HSM Client 10.6.0 and newer (Windows and Linux)
Luna Appliance Software 7.8.3 adds support for TLS version 1.3, and expands the ability to configure cipher suites for use with NTLS, STC, and CBS (callback service for PED Client and Remote PED server).
AIX clients require Luna HSM Client 10.7.0 or newer to use TLS 1.3 ciphers.
Characteristics and behavior
TLS cipher settings are reset when the appliance is reimaged with sysconf reimage.
TLS cipher settings are preserved when the appliance is updated with package update.
TLS cipher settings are backed up and restored by sysconf config backup and sysconf config restore -service ntls.
TLS cipher settings are reset to default settings when sysconf config factoryReset -service ntls is performed.
The commands sysconf tls ciphers set and sysconf tls ciphers reset can be run by the appliance admin user (or a custom role that has admin access) only.
The command sysconf tls ciphers show can be run by any of appliance admin, operator, or monitor users.
TLS Ciphers Available to Configure
Using Luna Appliance Software 7.8.3 or newer, TLS 1.3 ciphers are added to the list of available TLS ciphers.
| TLS_AES_256_GCM_SHA384 | TLSv1.3 |
| TLS_CHACHA20_POLY1305_SHA256 | TLSv1.3 |
| TLS_AES_128_GCM_SHA256 | TLSv1.3 |
| ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 |
| DHE-RSA-AES256-GCM-SHA384 | TLSv1.2 |
| ECDHE-RSA-AES128-GCM-SHA256 | TLSv1.2 |
| DHE-RSA-AES128-GCM-SHA256 | TLSv1.2 |
| ECDHE-RSA-AES256-SHA384 | TLSv1.2 |
| DHE-RSA-AES256-SHA256 | TLSv1.2 |
| ECDHE-RSA-AES128-SHA256 | TLSv1.2 |
| DHE-RSA-AES128-SHA256 | TLSv1.2 |
| AES256-GCM-SHA384 | TLSv1.2 |
| AES128-GCM-SHA256 | TLSv1.2 |
| AES256-SHA256 | TLSv1.2 |
| AES128-SHA256 | TLSv1.2 |
Luna Appliance Software 7.2.0 to 7.8.1 and Luna HSM Client 7.2.0 to 10.5.0
NOTE This feature requires minimum Luna Appliance Software 7.2.0 and Luna HSM Client 7.2.0.
You can change the list of TLS ciphers by listing them in the LunaSH command line in the order of desired priority (-list), or by creating a file containing this list and transferring it to the appliance admin files (-applytemplate). The following rules apply to both methods:
>You can use valid OpenSSL arguments to simplify your specifications, such as:
•kECDHE (cipher suites using ephemeral ECDH key agreement, in default order)
•kDHE (cipher suites using ephemeral DH key agreement, in default order)
•kRSA (cipher suites using RSA key exchange, in default order)
•ALL (all not-otherwise-specified ciphers, in default order)
>Ciphers or arguments in the list must be separated by colons (:).
For example:
ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ALL
>The list/template can contain a maximum of 255 characters, including colon separators. To avoid reaching this character limit:
•Specify only the ciphers you intend to use. It is not necessary to include the entire list.
•If you do wish to include the entire list, specify the most important ciphers first, and then use the ALL option to complete the list in the default remaining order.
NOTE Setting some of the stronger ciphers introduces additional overhead, which might affect performance.
To configure TLS ciphers for the appliance
1.[Optional] View the list of supported ciphers in the default priority order.
lunash:> sysconf tls ciphers show
The following cipher suites are available to configure TLS: Available Ciphers -------------------------------------------------- ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 The selected TLS cipher suites are used by the NTLS, STC outer tunnel, RBS, Ped vector Server/Client features TLS is using the following cipher suites: Cipher suites are listed from highest to lowest priority.
2.Set your desired list of ciphers, with either a list or template. If you are using a template, you must first transfer the file to the admin files using pscp or scp.
lunash:> sysconf tls ciphers set {-list <cipher_list> | -applytemplate <file name>}
lunash:>sysconf tls ciphers set -list ECDHE-RSA-AES128-GCM-SHA256:kDHE:ALL This operation will set the TLS cipher suites to use the following cipher suites: Cipher suites are listed from highest to lowest priority. Configured Ciphers (highest priority at top) -------------------------------------------------- ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 This operation will restart the TLS related services (NTLS, STCD, CBS). Type 'proceed' to set ciphers suites and restart TLS related services, or 'quit' to quit now. > proceed Restarting NTLS, STC and CBS services.... Done Command Result : 0 (Success)
3.[Optional] You can restore the default cipher list at any time.
lunash:>sysconf tls ciphers reset
This operation will set the TLS cipher suites to use the following cipher suites:
Cipher suites are listed from highest to lowest priority.
Configured Ciphers (highest priority at top)
--------------------------------------------------
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
This operation will restart the TLS related services (NTLS, STCD, CBS).
Type 'proceed' to set ciphers suites and restart TLS related services, or 'quit'
to quit now. > proceed
Restarting NTLS, STC and CBS services.... Done
Command Result : 0 (Success)
