# Cipher Suites & TLS Versions

Connectware secures communications through Transport Layer Security (TLS) and mutual TLS (mTLS) protocols across its key components: **Ingress**, **Broker**, and **Control Plane**.

This guide lists the supported cipher suites and TLS versions for each component, enabling you to implement secure communication channels in your industrial IoT deployments. A strong TLS configuration is critical for securing data transmissions, verifying endpoint identities, and meeting security compliance requirements.

## Insecure Cipher Suites

When configuring TLS for Connectware components, it is critical to avoid insecure cipher suites. These may include ciphers with known vulnerabilities, outdated algorithms, or insufficient key lengths that could compromise your communication security.

For maximum protection, avoid using ciphers that lack Perfect Forward Secrecy, use deprecated encryption algorithms, employ vulnerable modes such as CBC, or implement weak hash functions. We strongly recommend using only the modern cipher suites documented in this guide for all Connectware components.

{% hint style="danger" %}
By default, Connectware does not allow the usage of insecure cipher suites. If you need to use insecure cipher suites, you must set the `CYBUS_ALLOW_INSECURE_TLS_CIPHERS` environment variable to `true`. For more information, see [Environment Variables](https://docs.cybus.io/2-0-2/documentation/environment-variables).
{% endhint %}

## Ingress (443/TCP) Cipher Suites

### Supported TLS Versions

* TLS 1.2
* TLS 1.3

### Supported TLS Ciphers

Ingress in Connectware supports the following TLS versions and cipher suites:

All supported cipher suites provide 'A' grade security strength. Cipher preference is server-controlled for TLS 1.2 and client-controlled for TLS 1.3. Only null compression is supported, enhancing security by avoiding compression-related vulnerabilities.

**TLS 1.2 Supported Cipher Suites**

| Cipher Suite                                  | Key Length & Elliptic Curve Parameters     |
| --------------------------------------------- | ------------------------------------------ |
| `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`       | 128-bit AES, 256-bit SHA, X25519           |
| `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`       | 256-bit AES, 384-bit SHA, X25519           |
| `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` | 256-bit ChaCha20, 256-bit Poly1305, X25519 |

**TLS 1.3 Supported Cipher Suites**

| Cipher Suite                   | Key Length & Elliptic Curve Parameters     |
| ------------------------------ | ------------------------------------------ |
| `TLS_AES_128_GCM_SHA256`       | 128-bit AES, 256-bit SHA, X25519           |
| `TLS_AES_256_GCM_SHA384`       | 256-bit AES, 384-bit SHA, X25519           |
| `TLS_CHACHA20_POLY1305_SHA256` | 256-bit ChaCha20, 256-bit Poly1305, X25519 |

## Broker (8883/TCP) Cipher Suites

### Supported TLS Versions

* TLS 1.2

### Supported TLS Ciphers

The MQTT broker in Connectware supports the following TLS version and cipher suites:

**TLS 1.2 Supported Cipher Suites**

| Cipher Suite                            | Key Length & Elliptic Curve Parameters              |
| --------------------------------------- | --------------------------------------------------- |
| `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`    | 128-bit AES, 160-bit SHA1, SECP256R1 (NIST P-256)   |
| `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` | 128-bit AES, 256-bit SHA256, SECP256R1 (NIST P-256) |
| `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` | 128-bit AES, 256-bit SHA256, SECP256R1 (NIST P-256) |
| `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`    | 256-bit AES, 160-bit SHA1, SECP256R1 (NIST P-256)   |
| `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` | 256-bit AES, 384-bit SHA384, SECP256R1 (NIST P-256) |
| `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` | 256-bit AES, 384-bit SHA384, SECP256R1 (NIST P-256) |
| `TLS_RSA_WITH_AES_128_CBC_SHA`          | 128-bit AES, 160-bit SHA1, RSA 2048-bit             |
| `TLS_RSA_WITH_AES_128_CBC_SHA256`       | 128-bit AES, 256-bit SHA256, RSA 2048-bit           |
| `TLS_RSA_WITH_AES_128_GCM_SHA256`       | 128-bit AES, 256-bit SHA256, RSA 2048-bit           |
| `TLS_RSA_WITH_AES_256_CBC_SHA`          | 256-bit AES, 160-bit SHA1, RSA 2048-bit             |
| `TLS_RSA_WITH_AES_256_CBC_SHA256`       | 256-bit AES, 256-bit SHA256, RSA 2048-bit           |
| `TLS_RSA_WITH_AES_256_GCM_SHA384`       | 256-bit AES, 384-bit SHA384, RSA 2048-bit           |

All supported cipher suites provide 'A' grade security strength. Cipher preference is client-controlled. Only null compression is supported, enhancing security by avoiding compression-related vulnerabilities.

## Control Streaming Server Cipher Suites

### Supported TLS Versions

* TLS 1.2
* TLS 1.3

### Supported TLS Ciphers

Control Streaming Server in Connectware supports the following TLS versions and cipher suites:

**TLS 1.2 Supported Cipher Suites**

| Cipher Suite                              | Key Length & Elliptic Curve Parameters                               |
| ----------------------------------------- | -------------------------------------------------------------------- |
| `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` | 128-bit AES, 256-bit SHA, usually `secp256r1` (NIST P-256) for ECDSA |
| `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`   | 128-bit AES, 256-bit SHA, usually `secp256r1` (NIST P-256) for ECDHE |
| `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` | 256-bit ChaCha20, 256-bit Poly1305, usually `secp256r1` or `x25519`  |
| `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`   | 256-bit ChaCha20, 256-bit Poly1305, usually `secp256r1` or `x25519`  |
| `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` | 256-bit AES, 384-bit SHA, usually `secp384r1` (NIST P-384) for ECDSA |
| `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`   | 256-bit AES, 384-bit SHA, usually `secp384r1` (NIST P-384) for ECDHE |

**TLS 1.3 Supported Cipher Suites**

| Cipher Suite                   | Key Length & Elliptic Curve Parameters                                    |
| ------------------------------ | ------------------------------------------------------------------------- |
| `TLS_AES_128_GCM_SHA256`       | 128-bit AES, 256-bit SHA, typically `x25519` or `secp256r1`               |
| `TLS_AES_256_GCM_SHA384`       | 256-bit AES, 384-bit SHA, typically `x25519`, `secp256r1`, or `secp384r1` |
| `TLS_CHACHA20_POLY1305_SHA256` | 256-bit ChaCha20, 256-bit Poly1305, typically `x25519`                    |
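The following script is an added example, not Connectware's own code or part of this guide. It turns the rules from the Insecure Cipher Suites section (prefer forward secrecy and AEAD modes, avoid CBC and SHA-1) into a small audit that runs over the cipher-suite lists transcribed from the tables above, so you can see at a glance which entries in a component's list a strict policy would reject. The policy thresholds are an interpretation of that section, not a Connectware setting; the `negotiated()` helper uses only Python's standard `ssl` module and is there so you can check what a running Ingress or Broker actually negotiates with a modern client.

```python
import socket
import ssl
from dataclasses import dataclass, field

# Cipher-suite lists transcribed from the tables on this page.
INGRESS_TLS12 = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]
BROKER_TLS12 = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]
TLS13_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
]

# Findings, phrased after the "Insecure Cipher Suites" section of this guide
# (policy interpretation for this example, not a Connectware API).
NO_PFS = "no forward secrecy (static RSA key exchange)"
CBC_MODE = "CBC mode instead of an AEAD mode"
SHA1_MAC = "SHA-1 MAC"


@dataclass
class SuiteInfo:
    name: str
    tls13: bool
    forward_secrecy: bool
    aead: bool
    mode: str        # "GCM", "POLY1305" or "CBC"
    hash_name: str   # "SHA256", "SHA384" or "SHA" (meaning SHA-1)
    findings: list = field(default_factory=list)


def _mode(parts):
    for m in ("GCM", "POLY1305", "CBC"):
        if m in parts:
            return m
    raise ValueError(f"unrecognised cipher mode in {'_'.join(parts)}")


def classify(name: str) -> SuiteInfo:
    """Parse an IANA cipher-suite name and evaluate it against the policy."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA cipher-suite name: {name}")
    if "_WITH_" not in name:
        # TLS 1.3 names carry only the AEAD and hash; key exchange is always
        # ephemeral (EC)DHE, so forward secrecy and AEAD are guaranteed.
        parts = name[4:].split("_")
        return SuiteInfo(name, True, True, True, _mode(parts), parts[-1])

    kx, body = name[4:].split("_WITH_", 1)
    parts = body.split("_")
    mode = _mode(parts)
    # Some tools print ChaCha20 suites without the _SHA256 suffix; the PRF of
    # every ChaCha20-Poly1305 suite is SHA-256 regardless, so default to it.
    hash_name = parts[-1] if parts[-1] in ("SHA", "SHA256", "SHA384") else "SHA256"
    info = SuiteInfo(
        name=name,
        tls13=False,
        forward_secrecy=kx.startswith(("ECDHE", "DHE")),
        aead=mode in ("GCM", "POLY1305"),
        mode=mode,
        hash_name=hash_name,
    )
    if not info.forward_secrecy:
        info.findings.append(NO_PFS)
    if mode == "CBC":
        info.findings.append(CBC_MODE)
    if hash_name == "SHA":
        info.findings.append(SHA1_MAC)
    return info


def audit(suites):
    """Return {suite_name: [findings]} for every suite that violates the policy."""
    result = {}
    for suite in suites:
        info = classify(suite)
        if info.findings:
            result[suite] = info.findings
    return result


def negotiated(host: str, port: int, timeout: float = 5.0):
    """Connect with Python's default (modern) client context and return the
    (protocol_version, cipher_name) the server picked. Needs network access;
    the offline checks above never call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for label, suites in (("Ingress TLS 1.2", INGRESS_TLS12),
                          ("Broker TLS 1.2", BROKER_TLS12),
                          ("TLS 1.3 (all components)", TLS13_SUITES)):
        flagged = audit(suites)
        print(f"{label}: {len(flagged)} of {len(suites)} suites flagged")
        for suite, findings in flagged.items():
            print(f"  {suite}: {', '.join(findings)}")
```

Run as-is, the script flags nothing in the Ingress or TLS 1.3 lists and flags ten of the twelve Broker suites: every `TLS_RSA_*` entry for lacking forward secrecy, and every `*_CBC_*` entry for its mode, with the two `*_CBC_SHA` entries additionally flagged for SHA-1. Because preference on port 8883 is client-controlled, what a given MQTT client ends up with depends on the order in its own ClientHello; `negotiated("broker.example.invalid", 8883)` (placeholder host) shows the result for a client that offers only modern suites.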
