The set ssl_tls_ciphers command allows you to enable or disable the SSL/TLS ciphers for APACHE and SAML services only. You can enable any specific cipher suite or all the cipher suites. The default cipher suites are enabled in a specific order. However, you can change this default order. Note that you cannot disable all the cipher suites. At least one cipher suite must be enabled.

The default cipher suites are enabled in the following order:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA25
TLS_AES_128_CCM_8_SHA256
TLS_AES_128_CCM_SHA256

You can also enable the following cipher suites that are disabled by default:

TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

You can use the show ssl_tls_ciphers command to view the enabled SSL/TLS cipher suites. For information, see show ssl_tls_ciphers.

Syntax

set ssl_tls_ciphers enable suite_name [ position ]
set ssl_tls_ciphers disable position
set ssl_tls_ciphers enable_all

Argument	Description

Argument	Description
`enable`	Enables the cipher suites.
`suite_name`	Specifies the name of a particular cipher suite.
`all`	Enables all cipher suites.
`position`	Specifies the position of a cipher suite.
`disable`	Disables the cipher suites.

Examples

Enable all cipher suites

Infoblox > set ssl_tls_ciphers enable_all
All cipher suites were enabled
The following services need to be restarted manually: GUI

Enable a specific cipher suite

Infoblox > set ssl_tls_ciphers enable TLS_RSA_WITH_RC4_128_SHA 9
TLS_RSA_WITH_RC4_128_SHA was enabled
The following services need to be restarted manually: GUI

Disable a specific cipher suite

Infoblox > set ssl_tls_ciphers disable 8
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

The following services need to be restarted manually: GUI

Note

From NIOS 9.0.4:
- Disabling the last cipher suite for an enabled TLS protocol is not allowed.
- The set ssl_tls_ciphers CLI command cannot be used to enable/disable TLSv1.3 ciphers for SAML. By default, SAML service uses only the following three TLSv1.3 ciphers, if the TLSv1.3 protocol is enabled in NIOS.
  - TLS_AES_256_GCM_SHA384
  - TLS_CHACHA20_POLY1305_SHA256
  - TLS_AES_128_GCM_SHA256
- Apache/SAML service is not affected by enabling/disabling the TLS cipher suites of a disabled TLS Protocol.
Starting from NIOS 9.0, the weak ciphers(RC4 and 3DES for APACHE) and (RC4 and 3DES, and DHE for SAML) are deprecated.
It is recommended to avoid enabling only the following ciphers, as this will affect the APACHE/SAML services.
- RC4
  TLS_RSA_WITH_RC4_128_SHA
- 3DES
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
- DHE
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  TLS_DHE_DSS_WITH_AES_128_GCM_SHA256