Cipher Suites & TLS Versions

Learn about the cipher suites and TLS versions supported by Cybus Connectware components to ensure secure communications.

Cybus Connectware secures communications through Transport Layer Security (TLS) and mutual TLS (mTLS) protocols across its key components: Ingress, Broker, and Control Plane.

This guide lists the supported cipher suites and TLS versions for each component, enabling you to implement secure communication channels in your industrial IoT deployments. A strong TLS configuration is critical for securing data transmissions, verifying endpoint identities, and meeting security compliance requirements.

Insecure Cipher Suites

When configuring TLS for Cybus Connectware components, it is critical to avoid insecure cipher suites. These may include ciphers with known vulnerabilities, outdated algorithms, or insufficient key lengths that could compromise your communication security.

For maximum protection, avoid cipher suites that lack Perfect Forward Secrecy, rely on deprecated encryption algorithms, use vulnerable modes such as CBC, or depend on weak hash functions. We strongly recommend using only the modern cipher suites documented in this guide for all Connectware components.

Ingress (443/TCP) Cipher Suites

Supported TLS Versions

  • TLS 1.2

  • TLS 1.3

Supported TLS Ciphers

Ingress in Cybus Connectware supports the following TLS versions and cipher suites.

All supported cipher suites provide 'A' grade security strength. Cipher preference is server-controlled for TLS 1.2 and client-controlled for TLS 1.3. Only null compression is supported, enhancing security by avoiding compression-related vulnerabilities.

TLS 1.2 Supported Cipher Suites

| Cipher Suite | Key Length & Elliptic Curve Parameters |
| --- | --- |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 128-bit AES, 256-bit SHA, X25519 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 256-bit AES, 384-bit SHA, X25519 |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 256-bit ChaCha20, 256-bit Poly1305, X25519 |

TLS 1.3 Supported Cipher Suites

| Cipher Suite | Key Length & Elliptic Curve Parameters |
| --- | --- |
| TLS_AES_128_GCM_SHA256 | 128-bit AES, 256-bit SHA, X25519 |
| TLS_AES_256_GCM_SHA384 | 256-bit AES, 384-bit SHA, X25519 |
| TLS_CHACHA20_POLY1305_SHA256 | 256-bit ChaCha20, 256-bit Poly1305, X25519 |

Broker (8883/TCP) Cipher Suites

Supported TLS Versions

  • TLS 1.2

Supported TLS Ciphers

The MQTT broker in Cybus Connectware supports the following TLS version and cipher suites:

TLS 1.2 Supported Cipher Suites

| Cipher Suite | Key Length & Elliptic Curve Parameters |
| --- | --- |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 128-bit AES, 160-bit SHA1, SECP256R1 (NIST P-256) |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 128-bit AES, 256-bit SHA256, SECP256R1 (NIST P-256) |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 128-bit AES, 256-bit SHA256, SECP256R1 (NIST P-256) |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 256-bit AES, 160-bit SHA1, SECP256R1 (NIST P-256) |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 256-bit AES, 384-bit SHA384, SECP256R1 (NIST P-256) |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 256-bit AES, 384-bit SHA384, SECP256R1 (NIST P-256) |
| TLS_RSA_WITH_AES_128_CBC_SHA | 128-bit AES, 160-bit SHA1, RSA 2048-bit |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | 128-bit AES, 256-bit SHA256, RSA 2048-bit |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | 128-bit AES, 256-bit SHA256, RSA 2048-bit |
| TLS_RSA_WITH_AES_256_CBC_SHA | 256-bit AES, 160-bit SHA1, RSA 2048-bit |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | 256-bit AES, 256-bit SHA256, RSA 2048-bit |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | 256-bit AES, 384-bit SHA384, RSA 2048-bit |

All supported cipher suites provide 'A' grade security strength. Cipher preference is client-controlled. Only null compression is supported, enhancing security by avoiding compression-related vulnerabilities.
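
Because cipher preference on the broker is client-controlled, the client's offer decides which of the listed suites is negotiated. The following Python sketch is an added example, not Cybus code: it checks the broker's listed TLS 1.2 suites against the criteria from the Insecure Cipher Suites section and builds a client context that offers only the suites that pass. The function names and the use of the system CA store are assumptions.

```python
import ssl

# Broker (8883/TCP) TLS 1.2 suites from the table above: two key exchanges
# combined with the same six cipher/MAC pairs, in the listed order.
CIPHERS = ["AES_128_CBC_SHA", "AES_128_CBC_SHA256", "AES_128_GCM_SHA256",
           "AES_256_CBC_SHA", "AES_256_CBC_SHA384", "AES_256_GCM_SHA384"]
BROKER_SUITES = [f"TLS_{k}_WITH_{c}" for k in ("ECDHE_RSA", "RSA") for c in CIPHERS]

def findings(suite):
    """Return the 'avoid' criteria a TLS 1.2 IANA suite name matches."""
    if "_WITH_" not in suite:
        raise ValueError("expected a TLS 1.2 style name: " + suite)
    kex, rest = suite[len("TLS_"):].split("_WITH_")
    parts = rest.split("_")
    out = []
    if not kex.startswith(("ECDHE", "DHE")):
        out.append("no forward secrecy")   # static RSA key exchange
    if "CBC" in parts:
        out.append("CBC mode")
    if parts[-1] == "SHA":
        out.append("SHA-1 MAC")            # bare _SHA suffix means HMAC-SHA1
    return out

def recommended(suites):
    """Suites that match none of the criteria, in their original order."""
    return [s for s in suites if not findings(s)]

def openssl_name(suite):
    """IANA name to OpenSSL name; only valid for the AES suites listed here."""
    kex, rest = suite[len("TLS_"):].split("_WITH_")
    if kex == "RSA":                       # OpenSSL omits the static-RSA prefix
        kex = ""
    return (kex + "-" + rest.replace("AES_", "AES")).replace("_", "-").lstrip("-")

def broker_client_context():
    """Client context that offers only the recommended broker suites."""
    ctx = ssl.create_default_context()     # assumption: system CA store is used
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(openssl_name(s) for s in recommended(BROKER_SUITES)))
    return ctx

if __name__ == "__main__":
    for s in BROKER_SUITES:
        print(f"{s:40} {', '.join(findings(s)) or 'ok'}")
```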

Control Plane Cipher Suites

Supported TLS Versions

  • TLS 1.2

  • TLS 1.3

Supported TLS Ciphers

Control Plane in Cybus Connectware supports the following TLS versions and cipher suites:

TLS 1.2 Supported Cipher Suites

| Cipher Suite | Key Length & Elliptic Curve Parameters |
| --- | --- |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 128-bit AES, 256-bit SHA, usually secp256r1 (NIST P-256) for ECDSA |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 128-bit AES, 256-bit SHA, usually secp256r1 (NIST P-256) for ECDHE |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | 256-bit ChaCha20, 256-bit Poly1305, usually secp256r1 or x25519 |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | 256-bit ChaCha20, 256-bit Poly1305, usually secp256r1 or x25519 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 256-bit AES, 384-bit SHA, usually secp384r1 (NIST P-384) for ECDSA |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 256-bit AES, 384-bit SHA, usually secp384r1 (NIST P-384) for ECDHE |

TLS 1.3 Supported Cipher Suites

| Cipher Suite | Key Length & Elliptic Curve Parameters |
| --- | --- |
| TLS_AES_128_GCM_SHA256 | 128-bit AES, 256-bit SHA, typically x25519 or secp256r1 |
| TLS_AES_256_GCM_SHA384 | 256-bit AES, 384-bit SHA, typically x25519, secp256r1, or secp384r1 |
| TLS_CHACHA20_POLY1305_SHA256 | 256-bit ChaCha20, 256-bit Poly1305, typically x25519 |
