#
# Licensed Materials - Property of IBM Corp.
# IBM UrbanCode Build
# IBM UrbanCode Deploy
# IBM UrbanCode Release
# IBM AnthillPro
# (c) Copyright IBM Corporation 2015. All Rights Reserved.
#
# U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by
# GSA ADP Schedule Contract with IBM Corp.
#
# Suggested Cipher Suites:
#  {key-exchange}_{authentication}_WITH_{bulk-cipher}_{message-authentication-hash}
#
# Names taken from https://docs.oracle.com/en/java/javase/15/docs/specs/security/standard-names.html#jsse-cipher-suite-names
#  and http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.71.doc/security-component/jsse2Docs/ciphersuites.html?lang=en
#
# Suites with NULL, DES, RC4 bulk-ciphers are not cryptographically secure.
# Suites with MD5 authentication-hash are not cryptographically secure
# Suites with anon authentication are not cryptographically secure.
# Suites with PSK, SRP key-exchange are not suitable due to required client setup.
# Suites with KRB5 are disabled by default in jvm, not suitable due to required client setup.
# Suites with 3DES are no longer considered secure due to block size limitation
#
# Modern TLS1.2 suites use PFS (perfect forward secrecy) key-exchange and AEAD (authenticated encryption) cipher.
#  PFS: ECDHE, DHE
#  AEAD: AES_*_GCM, ChaCha20-Poly1305
#
# We would prefer the following guidelines. JVM impl may differ in ordering, notably seems to penalize GCM:
#  ECDHE ephemeral key-exchange is preferred for perfect forward secrecy.
#  Elliptic Curve key-exchange is preferred over RSA for strength/efficiency.
#  AES is preferred (3DESede, DES, and RC4 are bad)
#  GCM is preferred over CBC due to its built-in authentication and parallelization friendly implementation
#  longer hashes are preferred

# signaling cipher suite value (SCSV) for secure re-negotiation of TLS connections rfc5746
EMPTY_RENEGOTIATION_INFO_SCSV

# SCSV sent by clients re-attempting with a downgraded protocol handshake rfc7507
# e.g. a server that supports TLSv1.2 would detect/reject a TLSv1.1 handshake containing this indicator
# Seems java is not going to impl this mitigation https://bugs.openjdk.java.net/browse/JDK-8061798
#FALLBACK_SCSV

# TLSv1.3 (all are PFS+AEAD)
AES_256_GCM_SHA384
CHACHA20_POLY1305_SHA256
AES_128_GCM_SHA256
AES_128_CCM_8_SHA256
AES_128_CCM_SHA256

# TLSv1.2 recommended ciphers
ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

# PFS + AEAD
ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE_RSA_WITH_AES_128_GCM_SHA256

DHE_RSA_WITH_AES_256_GCM_SHA384
DHE_DSS_WITH_AES_256_GCM_SHA384
DHE_RSA_WITH_AES_128_GCM_SHA256
DHE_DSS_WITH_AES_128_GCM_SHA256

# PFS + !AEAD
ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ECDHE_ECDSA_WITH_AES_128_CBC_SHA
ECDHE_RSA_WITH_AES_256_CBC_SHA384
ECDHE_RSA_WITH_AES_256_CBC_SHA
ECDHE_RSA_WITH_AES_128_CBC_SHA256
ECDHE_RSA_WITH_AES_128_CBC_SHA

DHE_RSA_WITH_AES_256_CBC_SHA256
DHE_DSS_WITH_AES_256_CBC_SHA256
DHE_RSA_WITH_AES_128_CBC_SHA256
DHE_DSS_WITH_AES_128_CBC_SHA256

# !PFS + AEAD
ECDH_ECDSA_WITH_AES_256_GCM_SHA384
ECDH_ECDSA_WITH_AES_128_GCM_SHA256
ECDH_RSA_WITH_AES_256_GCM_SHA384
ECDH_RSA_WITH_AES_128_GCM_SHA256
RSA_WITH_AES_256_GCM_SHA384
RSA_WITH_AES_128_GCM_SHA256

# !PFS + !AEAD
ECDH_ECDSA_WITH_AES_256_CBC_SHA384
ECDH_ECDSA_WITH_AES_256_CBC_SHA
ECDH_ECDSA_WITH_AES_128_CBC_SHA256
ECDH_ECDSA_WITH_AES_128_CBC_SHA
ECDH_RSA_WITH_AES_256_CBC_SHA384
ECDH_RSA_WITH_AES_256_CBC_SHA
ECDH_RSA_WITH_AES_128_CBC_SHA256
ECDH_RSA_WITH_AES_128_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA256
RSA_WITH_CAMELLIA_256_CBC_SHA
RSA_WITH_CAMELLIA_128_CBC_SHA256
RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_AES_128_CBC_SHA256


# Java 6 Compatibility - still may be considered secure, though protocols may not be preferred
#   https://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html
#   Diffie-Hellman key pair generation supported key sizes up to 2048 bits since Java SE 6u105.
#     Prior to Java SE 6u105, the default DH key size was 1024.
#
# As of 2020:
# - RSA NIST recommends 2048-bit keys
# - DH and DHE are secure when using 1024-bit (strong guidance for 2048)
# - AES 128/256 is considered unbroken
# - CBC is subject to BEAST under TLS 1.0, java6 is out of luck here
# - SHA1 is still considered to be secure when used as TLS MAC
#    (deprecation is with other usage and out of an abundance of caution)
#
DHE_RSA_WITH_AES_128_CBC_SHA
DHE_RSA_WITH_AES_256_CBC_SHA
DHE_DSS_WITH_AES_128_CBC_SHA
DHE_DSS_WITH_AES_256_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
