For devices running 8.2 and later
Starting in PCS 8.2, a granular cipher suites feature was introduced that allows the administrator to select specific cipher suites and adjust the cipher suite order. As part of this feature, the Perfect Forward Secrecy option was added to provide a simple configuration that supports only PFS cipher suites.
For devices running between 7.4 and 8.1
ECDHE ciphers are available in the supported cipher list. The client presents its list of supported ciphers in the SSL/TLS handshake, and PCS picks the cipher from this list that is highest in the ordered list.
ECDHE Ciphers supported by PCS are:
With Elliptic-Curve Cryptography (ECC) certificates:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
With RSA Certificates:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
See Chapter 45, FIPS Level 1 Support (Software FIPS), in the PCS 7.4 or later Admin Guide for more information on the ciphers and their ordering on the SA.
Note: ECC certificates are currently only supported on MAG and Virtual Appliance platforms; they are not usable on SAx500 devices. See Chapter 32, Elliptic Curve Cryptography, in the 7.4 or later Admin Guide for more details on these certificates and setting custom cipher options.
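
The following is an added example, not code from PCS or from the Admin Guide. It models the selection described above: the server walks its ordered list and picks the first suite the client offered that matches the installed certificate type. Assumptions: the server order is the RSA list above in the order printed (the real ordering is in the Admin Guide), one non-ECDHE suite is appended as a constructed fallback, and `pfs_only` stands in for the 8.2 Perfect Forward Secrecy option.

```python
# Model of server-side cipher selection (added example, not PCS code).
# Assumption: order below = the page's RSA list as printed, plus one
# constructed non-PFS entry; consult the Admin Guide for the real ordering.
SERVER_ORDER_RSA = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",  # constructed non-PFS fallback entry
]

def is_pfs(suite):
    """Ephemeral key exchange (ECDHE/DHE) is what provides forward secrecy."""
    return suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))

def cert_matches(suite, cert_type):
    """*_ECDSA suites need an ECC certificate, *_RSA suites an RSA one."""
    auth = suite.split("_WITH_")[0].rsplit("_", 1)[-1]
    return auth == ("ECDSA" if cert_type == "ECC" else "RSA")

def negotiate(client_offer, server_order, cert_type="RSA", pfs_only=False):
    """Return the first suite in server_order the client offered, else None."""
    offered = set(client_offer)
    for suite in server_order:
        if suite not in offered or not cert_matches(suite, cert_type):
            continue
        if pfs_only and not is_pfs(suite):
            continue  # PFS-only mode: never fall back to static key exchange
        return suite
    return None  # no common suite: the handshake fails

# Constructed client offers, in the client's own preference order.
MODERN = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
LEGACY = ["TLS_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    for name, offer in (("modern", MODERN), ("legacy", LEGACY)):
        for pfs_only in (False, True):
            chosen = negotiate(offer, SERVER_ORDER_RSA, pfs_only=pfs_only)
            print(name, "pfs_only=%s" % pfs_only, chosen, chosen and is_pfs(chosen))
```

With the ciphers merely available in the list, the legacy client still connects but without forward secrecy; with the PFS-only setting it gets no common suite, which is the trade-off to check against the client population before enabling it.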