Incapsula TLS/SSL Tech Specs


Incapsula supports the following features/settings for TLS/SSL:


Cipher Suites (server-preferred order)

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

* Ciphers can be disabled upon request.


Features

  • ALPN
  • Perfect/Forward Secrecy (PFS/FS via ECDHE ciphers)
  • Dynamic TLS Record Sizing
  • HSTS (HTTP Strict Transport Security)
  • Session identifiers
  • Session tickets
  • OCSP Stapling

Example SSL Labs report


Protocols

TLS 1.2

TLS 1.1 (Disabled by default)

TLS 1.0 (Disabled by default)

As of May 27, 2018, Incapsula will set TLS 1.2 as the minimum supported version, by default, for connectivity between clients (visitors) and the Incapsula service.

PCI-DSS v3.2 compliance

PCI-DSS compliance requires disabling the use of TLS 1.0 as of July 1, 2018. To comply with this requirement, and due to the known vulnerabilities in TLS 1.1, Incapsula has defined TLS 1.2 as the default minimum supported version. This also applies to the Incapsula Management Console and the Incapsula API.

Connectivity between a website’s origin server and the Incapsula service is the responsibility of the Incapsula customer.

Opting out

A client with an unsupported TLS version will not be able to establish a connection to Incapsula. The client (a browser, for example) may show an SSL error such as ERR_SSL_VERSION_OR_CIPHER_MISMATCH and will not be able to access the site.

Enterprise and Business accounts that need to keep supporting TLS v1.0 and TLS v1.1 can opt out and choose to enable support for all TLS versions, on a per site basis. Opting out means that clients will be able to establish connections to your site using TLS v1.0, v1.1, and v1.2. This is not recommended. To remain PCI compliant, do not enable this option.
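The following script is an added example, not Incapsula's own code or tooling. It serves two parts of this page: it classifies the cipher suites listed above (showing why the ECDHE suites provide the forward secrecy named under Features, and checking that the server-preferred order puts them ahead of the static-RSA suites), and it probes a hostname of your own to confirm the TLS 1.2 minimum described in this section is in effect and that the site has not been opted out. Only the Python standard library is used; the hostname is a parameter you supply, and the cipher names the probe returns are OpenSSL's, not the IANA names in the list above.

```python
"""
Added example (not Incapsula's code): classify the cipher suites this page
lists and probe which TLS versions a host accepts. Standard library only.
"""
import socket
import ssl

# Suite list copied from this page, in the server-preferred order given there.
INCAPSULA_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
]


def classify(suite):
    """Split an IANA-style TLS 1.2 suite name into its security-relevant parts.

    Shape: TLS_<key exchange>_WITH_<cipher>_<mode>_<hash>. ECDHE key exchange
    gives forward secrecy; GCM is an AEAD mode; CBC suites rely on a separate
    HMAC (the trailing SHA/SHA256/SHA384).
    """
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        raise ValueError("not a TLS 1.2 style suite name: %r" % suite)
    kx, _, rest = suite[len("TLS_"):].partition("_WITH_")
    parts = rest.split("_")
    return {
        "key_exchange": kx,                  # "ECDHE_RSA" or "RSA"
        "forward_secrecy": kx.startswith("ECDHE"),
        "cipher": "_".join(parts[:-2]),      # "AES_256", "CAMELLIA_128", ...
        "mode": parts[-2],                   # "GCM" or "CBC"
        "aead": parts[-2] == "GCM",
        "hash": parts[-1],                   # "SHA", "SHA256", "SHA384"
    }


def non_forward_secret(suites):
    """Suites using static RSA key exchange: the ones to ask to have disabled
    if recorded sessions must stay unreadable after a server key compromise."""
    return [s for s in suites if not classify(s)["forward_secrecy"]]


def forward_secret_first(suites):
    """True if every ECDHE suite precedes every static-RSA suite, so a client
    offering both is steered to forward secrecy by the server preference."""
    flags = [classify(s)["forward_secrecy"] for s in suites]
    first_non_fs = flags.index(False) if False in flags else len(flags)
    return all(not f for f in flags[first_non_fs:])


def probe_tls_versions(host, port=443, timeout=5.0):
    """Attempt one handshake per TLS version; map version name to the
    negotiated OpenSSL cipher name, or None if the handshake was refused.
    A site at this page's default should give None for TLSv1 and TLSv1_1
    and a cipher name for TLSv1_2; an opted-out site answers on all three.

    Caveat: recent OpenSSL builds refuse TLS 1.0/1.1 on the client side at
    their default security level, which also shows up here as None. Confirm
    with a second tool (such as the SSL Labs report the page mentions) before
    concluding that the server itself rejected the version.
    """
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2):
        try:
            ctx = ssl.create_default_context()
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version.name] = tls.cipher()[0]
        except (OSError, ValueError):  # ssl.SSLError is an OSError subclass
            results[version.name] = None
    return results


if __name__ == "__main__":
    import sys
    for s in INCAPSULA_SUITES:
        c = classify(s)
        print("%-42s FS=%-5s AEAD=%-5s" % (s, c["forward_secrecy"], c["aead"]))
    print("static RSA suites:", len(non_forward_secret(INCAPSULA_SUITES)))
    if len(sys.argv) > 1:
        print(probe_tls_versions(sys.argv[1]))  # hostname supplied by you
```

Run it with no arguments to see the classification of the fourteen suites on this page; pass a hostname you are responsible for as the first argument to probe it. The classification is deliberately based on the IANA naming convention rather than a lookup table, so it also applies to other TLS 1.2 suite names of the same shape.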

For more information: Link
