Tech Tips - Cipher Control (New Feature)
The Cipher Control feature was introduced in the feature release firmware version 18.104.22.168 and is available on all firmware versions after that. It can be used to allow or block any or all TLS and SSH ciphers. This functionality applies to:
• DPI-SSL (TLS traffic inspected by the firewall)
• HTTPS MGMT (TLS sessions accessing the firewall)
• SSL Control (inspects TLS traffic passing through the firewall without DPI-SSL)
Any change to the TLS ciphers applies to all TLS traffic.
The list of ciphers displayed on the Firewall Settings -> Cipher Control page is a list of known TLS ciphers, and it is a superset of the supported ciphers. While this list contains all known ciphers, DPI-SSL and HTTPS MGMT support a much smaller set of ciphers. For example, DPI-SSL and HTTPS MGMT do not yet support TLS 1.3 ciphers, nor do they support some of the weak ciphers that are listed in Firewall Settings -> Cipher Control.
The ciphers are ordered by security strength, with the ciphers at the top more secure than the ones below. Both the DPI-SSL and HTTPS MGMT implementations order their supported ciphers using the relative ordering in Firewall Settings -> Cipher Control; that is, DPI-SSL orders the ciphers it supports in the sequence they appear in Firewall Settings -> Cipher Control. The same is true for HTTPS MGMT ciphers.
We have around 333 TLS ciphers in the list, which can be allowed or blocked based on strength, CBC mode support, and TLS protocol version.
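To make the three filtering criteria above (strength, CBC mode, TLS protocol version) concrete, here is an added Python example that is not SonicWall's code and does not model SonicOS's own strength ranking: it parses a cipher suite name (IANA style such as TLS_RSA_WITH_AES_128_CBC_SHA, or OpenSSL style such as ECDHE-RSA-AES256-GCM-SHA384), derives those three properties plus forward secrecy, and applies a simple allow/block policy. The weak-primitive list is an assumption (a common baseline: NULL, export, RC4, DES/3DES, MD5, anonymous key exchange). The `audit_local_ciphers` function runs the policy over the suites the local OpenSSL build knows, which serves as an offline stand-in for the firewall's own cipher list; it is useful for sanity-checking a policy before applying it on the appliance.

```python
import re
import ssl
from dataclasses import dataclass

# Assumption: a conservative baseline of weak primitives, not SonicOS's list.
WEAK_TOKENS = {"NULL", "EXPORT", "EXP", "RC4", "RC2", "DES", "3DES", "CBC3",
               "MD5", "ADH", "AECDH", "ANON", "IDEA", "SEED"}
AEAD_TOKENS = {"GCM", "CCM", "CCM8", "CHACHA20", "POLY1305"}
FS_TOKENS = {"ECDHE", "DHE", "EDH"}          # ephemeral key exchange
STRENGTH_RANK = {"weak": 0, "medium": 1, "high": 2}


@dataclass
class CipherInfo:
    name: str
    version: str          # "TLS1.3" or "TLS<=1.2"
    mode: str             # "AEAD", "CBC" or "STREAM"
    strength: str         # "weak", "medium" or "high"
    forward_secrecy: bool


@dataclass
class Policy:
    min_strength: str = "medium"
    block_cbc: bool = True
    allow_tls13: bool = True
    allow_pre_tls13: bool = True


def _tokens(name):
    # Both IANA (underscore) and OpenSSL (hyphen) names split into the same kind of tokens.
    return set(re.split(r"[_-]", name.upper()))


def classify(name, protocol=None):
    """Derive version, mode, strength and forward secrecy from a suite name."""
    toks = _tokens(name)
    # TLS 1.3 suites carry no key-exchange part and therefore no "WITH"
    # (e.g. TLS_AES_128_GCM_SHA256); OpenSSL also reports them as TLSv1.3.
    is_13 = protocol == "TLSv1.3" or (name.upper().startswith("TLS_") and "WITH" not in toks)
    if toks & AEAD_TOKENS:
        mode = "AEAD"
    elif toks & {"RC4", "NULL"}:
        mode = "STREAM"
    else:
        mode = "CBC"      # OpenSSL names omit the CBC marker, e.g. AES128-SHA
    if toks & WEAK_TOKENS:
        strength = "weak"
    elif mode == "AEAD":
        strength = "high"
    else:
        strength = "medium"
    return CipherInfo(name, "TLS1.3" if is_13 else "TLS<=1.2", mode, strength,
                      is_13 or bool(toks & FS_TOKENS))


def decide(info, policy):
    """Return (allowed, reasons) for one classified cipher under a policy."""
    reasons = []
    if STRENGTH_RANK[info.strength] < STRENGTH_RANK[policy.min_strength]:
        reasons.append(f"strength {info.strength} below {policy.min_strength}")
    if policy.block_cbc and info.mode == "CBC":
        reasons.append("CBC mode blocked")
    if info.version == "TLS1.3" and not policy.allow_tls13:
        reasons.append("TLS 1.3 suites blocked")
    if info.version != "TLS1.3" and not policy.allow_pre_tls13:
        reasons.append("pre-TLS 1.3 suites blocked")
    return (not reasons, reasons)


def audit_local_ciphers(policy):
    """Apply the policy to every suite the local OpenSSL build knows (offline stand-in)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("ALL")    # widen beyond the default list where the build allows it
    except ssl.SSLError:
        pass
    rows = []
    for c in ctx.get_ciphers():
        allowed, reasons = decide(classify(c["name"], c.get("protocol")), policy)
        rows.append({"name": c["name"], "protocol": c["protocol"],
                     "allowed": allowed, "reasons": reasons})
    return rows


if __name__ == "__main__":
    for row in audit_local_ciphers(Policy(min_strength="medium", block_cbc=True)):
        verdict = "ALLOW" if row["allowed"] else "BLOCK"
        print(f"{verdict:5} {row['protocol']:8} {row['name']:40} {'; '.join(row['reasons'])}")
```

Blocking CBC suites outright is the policy most often asked for, but on the firewall it removes every pre-TLS 1.3 suite that is not AEAD, so run the audit first and confirm that the clients or servers on the path still have at least one GCM or ChaCha20 suite in common with the appliance.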
The SSH Ciphers page under MANAGE | Security Configuration -> Firewall Settings -> Cipher Control allows you to specify which cryptographic SSH ciphers SonicOS uses. SSH ciphers can be allowed or blocked based on key exchange algorithm, public key algorithm, encryption algorithm, and MAC algorithm.
I hope that helps!
Technical Support Advisor, Premier Services