Cipher Suites & TLS Versions
Learn about the cipher suites and TLS versions supported by Cybus Connectware components to ensure secure communications.
Last updated
Was this helpful?
Connectware 1.11.0
Learn about the cipher suites and TLS versions supported by Cybus Connectware components to ensure secure communications.
Last updated
Was this helpful?
Cybus Connectware secures communications through Transport Layer Security (TLS) and mutual TLS (mTLS) protocols across its key components: Ingress, Broker, and Control Plane.
This guide lists the supported cipher suites and TLS versions for each component, enabling you to implement secure communication channels in your industrial IoT deployments. A strong TLS configuration is critical for securing data transmissions, verifying endpoint identities, and meeting security compliance requirements.
When configuring TLS for Cybus Connectware components, it is critical to avoid insecure cipher suites. These may include ciphers with known vulnerabilities, outdated algorithms, or insufficient key lengths that could compromise your communication security.
For maximum protection, avoid using ciphers that lack Perfect Forward Secrecy, use deprecated encryption algorithms, employ vulnerable modes such as CBC, or implement weak hash functions. We strongly recommend using only the modern cipher suites documented in this guide for all Connectware components.
By default, Connectware does not allow the usage of insecure cipher suites. If you need to use insecure cipher suites, you must set the CYBUS_ALLOW_INSECURE_TLS_CIPHERS environment variables to true. For more information, see .
TLS 1.2
TLS 1.3
Ingress in Cybus Connectware supports the following TLS versions and cipher suites.
All supported cipher suites provide 'A' grade security strength. Cipher preference is server-controlled for TLS 1.2 and client-controlled for TLS 1.3. Only null compression is supported, enhancing security by avoiding compression-related vulnerabilities.
TLS 1.2 Supported Cipher Suites
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
128-bit AES, 256-bit SHA, X25519
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
256-bit AES, 384-bit SHA, X25519
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
256-bit ChaCha20, 256-bit Poly1305, X25519
TLS 1.3 Supported Cipher Suites
TLS_AES_128_GCM_SHA256
128-bit AES, 256-bit SHA, X25519
TLS_AES_256_GCM_SHA384
256-bit AES, 384-bit SHA, X25519
TLS_CHACHA20_POLY1305_SHA256
256-bit ChaCha20, 256-bit Poly1305, X25519
TLS 1.2
The MQTT broker in Cybus Connectware supports the following TLS version and cipher suites:
TLS 1.2 Supported Cipher Suites
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
128-bit AES, 160-bit SHA1, SECP256R1 (NIST P-256)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
128-bit AES, 256-bit SHA256, SECP256R1 (NIST P-256)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
128-bit AES, 256-bit SHA256, SECP256R1 (NIST P-256)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
256-bit AES, 160-bit SHA1, SECP256R1 (NIST P-256)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
256-bit AES, 384-bit SHA384, SECP256R1 (NIST P-256)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
256-bit AES, 384-bit SHA384, SECP256R1 (NIST P-256)
TLS_RSA_WITH_AES_128_CBC_SHA
128-bit AES, 160-bit SHA1, RSA 2048-bit
TLS_RSA_WITH_AES_128_CBC_SHA256
128-bit AES, 256-bit SHA256, RSA 2048-bit
TLS_RSA_WITH_AES_128_GCM_SHA256
128-bit AES, 256-bit SHA256, RSA 2048-bit
TLS_RSA_WITH_AES_256_CBC_SHA
256-bit AES, 160-bit SHA1, RSA 2048-bit
TLS_RSA_WITH_AES_256_CBC_SHA256
256-bit AES, 256-bit SHA256, RSA 2048-bit
TLS_RSA_WITH_AES_256_GCM_SHA384
256-bit AES, 384-bit SHA384, RSA 2048-bit
All supported cipher suites provide 'A' grade security strength. Cipher preference is client-controlled. Only null compression is supported, enhancing security by avoiding compression-related vulnerabilities.
TLS 1.2
TLS 1.3
Control Plane in Cybus Connectware supports the following TLS versions and cipher suites:
TLS 1.2 Supported Cipher Suites
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
128-bit AES, 256-bit SHA, usually secp256r1 (NIST P-256) for ECDSA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
128-bit AES, 256-bit SHA, usually secp256r1 (NIST P-256) for ECDHE
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
256-bit ChaCha20, 256-bit Poly1305, usually secp256r1 or x25519
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
256-bit ChaCha20, 256-bit Poly1305, usually secp256r1 or x25519
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
256-bit AES, 384-bit SHA, usually secp384r1 (NIST P-384) for ECDSA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
256-bit AES, 384-bit SHA, usually secp384r1 (NIST P-384) for ECDHE
TLS 1.3 Supported Cipher Suites
TLS_AES_128_GCM_SHA256
128-bit AES, 256-bit SHA, typically x25519 or secp256r1
TLS_AES_256_GCM_SHA384
256-bit AES, 384-bit SHA, typically x25519, secp256r1, or secp384r1
TLS_CHACHA20_POLY1305_SHA256
256-bit ChaCha20, 256-bit Poly1305, typically x25519