
Restrict TLS protocols and cipher suites

As an ArcGIS Server administrator, you can specify the Transport Layer Security (TLS) protocols and encryption algorithms (cipher suites) that ArcGIS Server uses to secure communication. Your organization may be required to use specific TLS protocols and cipher suites, or the web server on which you deploy ArcGIS Server may only allow certain protocols and cipher suites. Restricting ArcGIS Server to the approved protocols and cipher suites keeps your site in compliance with your organization's security policies and removes legacy options that weaken connections.

Following the POODLE vulnerability disclosed in 2014, ArcGIS Server dropped support for the Secure Sockets Layer (SSL) protocols starting at 10.3, but the software still uses the term SSL in some places (for example, the SSL Protocols setting used below) to refer to TLS.

TLS protocols

By default, ArcGIS Server uses only the TLSv1.3 and TLSv1.2 protocols. You can also enable the TLSv1 and TLSv1.1 protocols using the steps below. Both were formally deprecated in 2021 (RFC 8996): their handshakes rely on MD5 and SHA-1, and they cannot negotiate the AEAD (GCM or ChaCha20-Poly1305) cipher suites, so enable them only as a documented, temporary exception for clients that cannot be upgraded, and disable them again once those clients are gone.

Default encryption algorithms

ArcGIS Server is configured by default to use the following encryption algorithms in the order listed below:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_AES_256_GCM_SHA384 (TLSv1.3 only)

  • TLS_AES_128_GCM_SHA256 (TLSv1.3 only)

For security reasons, several encryption algorithms that were enabled by default in previous versions have been disabled. Comparing the default list with the reference table, the DHE-based, 3DES and ChaCha20-Poly1305 suites are supported but not enabled by default. These can be reenabled if needed for older clients; if you do so, add only the suites those clients actually require, avoid 3DES (its 64-bit block size makes it vulnerable to birthday attacks such as SWEET32) and prefer the AEAD suites (GCM, ChaCha20-Poly1305) over CBC-mode suites, then remove the additions once the clients are upgraded. See Cipher suites reference below for the full list of supported algorithms.
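The following script is an added example; it is not part of the ArcGIS documentation or of Esri's software. It takes the cipher suite names from the reference table on this page, splits each IANA name into its key exchange, authentication, cipher and hash components, flags the properties a security review usually objects to (CBC mode, 3DES, static RSA key exchange, SHA-1 HMAC), and produces a comma-separated value that can be pasted into the Cipher Suites text box in the procedure that follows. The baseline it applies (AEAD suites with forward secrecy only) is an assumption; adapt it to your own policy, for example by also dropping the DHE suites if you do not want finite-field Diffie-Hellman.

```python
"""Derive a hardened 'Cipher Suites' value for ArcGIS Server from its supported list.

Added example, not part of the ArcGIS documentation or Esri's software. SUPPORTED is
copied from the cipher suites reference on this page. The parser follows the IANA
naming grammar <prefix>_<KX>_<AUTH>_WITH_<CIPHER>_<HASH>; the baseline in
weaknesses() is an assumption to adapt to your own policy.
"""
from dataclasses import dataclass
from typing import List, Optional

# All suite names ArcGIS Server accepts, in the order of the reference table.
SUPPORTED = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
""".split()


@dataclass(frozen=True)
class Suite:
    name: str
    kx: Optional[str]    # key exchange: ECDHE, DHE or RSA; None for TLSv1.3 suites
    auth: Optional[str]  # RSA or ECDSA; None for TLSv1.3 suites
    enc: str             # e.g. AES_256_GCM, 3DES_EDE_CBC, CHACHA20_POLY1305
    mac: str             # SHA, SHA256 or SHA384 (HMAC hash, or PRF hash for AEAD suites)
    tls13: bool


def parse_suite(name: str) -> Suite:
    """Split an IANA-style (or Java SSL_-prefixed) cipher suite name into its parts."""
    _, _, rest = name.partition("_")                # drop the TLS_ / SSL_ prefix
    if "_WITH_" in rest:
        kx_auth, enc_mac = rest.split("_WITH_", 1)
        parts = kx_auth.split("_")
        # A bare "RSA" means static RSA key transport with RSA authentication.
        kx, auth = (parts[0], parts[-1]) if len(parts) > 1 else (parts[0], parts[0])
        tls13 = False
    else:                                            # TLSv1.3 names carry only cipher and hash
        kx, auth, enc_mac, tls13 = None, None, rest, True
    enc, _, mac = enc_mac.rpartition("_")
    return Suite(name, kx, auth, enc, mac, tls13)


def weaknesses(suite: Suite) -> List[str]:
    """Properties that fall short of a modern baseline; an empty list means acceptable."""
    found = []
    if suite.enc.endswith("CBC"):
        found.append("CBC mode, not AEAD")
    if suite.enc.startswith("3DES"):
        found.append("3DES (64-bit block size)")
    if not suite.tls13 and suite.kx not in ("ECDHE", "DHE"):
        found.append("no forward secrecy (static RSA key exchange)")
    if suite.mac == "SHA":
        found.append("SHA-1 HMAC")
    return found


def hardened(names: List[str] = SUPPORTED) -> List[str]:
    """Suites with no findings, keeping the order of the input list (server preference)."""
    return [n for n in names if not weaknesses(parse_suite(n))]


def validate(value: str, names: List[str] = SUPPORTED) -> List[str]:
    """Check a comma-separated Cipher Suites value against the supported names
    before it is pasted into the Administrator Directory."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    unknown = [e for e in entries if e not in names]
    if unknown:
        raise ValueError("not supported by ArcGIS Server: " + ", ".join(unknown))
    return entries


if __name__ == "__main__":
    for n in SUPPORTED:
        print(f"{n:48} {'; '.join(weaknesses(parse_suite(n))) or 'ok'}")
    print("\nCipher Suites value to paste:")
    print(", ".join(validate(", ".join(hardened()))))
```

Run without arguments, it prints every supported suite with its findings and then the resulting value (11 suites: the ECDHE and DHE GCM suites, the two ChaCha20-Poly1305 suites and the three TLSv1.3 suites). validate() mirrors the Administrator Directory's rejection of unknown names, so a typo is caught before the site's configuration is touched; it cannot tell you whether your clients support what remains, which is why the procedure below should be followed by a test from a client.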

Use the ArcGIS Server Administrator Directory to specify the TLS protocols and encryption algorithms your site will use.

  1. Open the ArcGIS Server Administrator Directory and sign in as an administrator of your site.

    The URL is in the format https://gisserver.example.com:6443/arcgis/admin.

  2. Click Security > Config > Update.

  3. In the SSL Protocols text box, specify the protocols to be used. If specifying multiple protocols, separate each protocol with a comma, for example, TLSv1.2, TLSv1.1.

    Note:

    Ensure that the web server hosting your Web Adaptor can fully communicate over the protocols you are enabling. The web server forwards requests to ArcGIS Server over its HTTPS port (6443 by default), so the two configurations must share at least one protocol and cipher suite. The TLS settings that clients see on the web server's own port are configured in that web server, not here.

  4. In the Cipher Suites text box, specify the cipher suites to be used in IANA format. Separate each algorithm with a comma, for example, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA.

  5. Click Update.

    An error is returned if an invalid protocol or cipher suite is specified. This check only rejects unknown names; it cannot tell you whether the remaining protocols and cipher suites are still acceptable to the web server hosting your Web Adaptor and to your clients, so test the site from a client after saving.
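After clicking Update, confirm the change from the client side rather than trusting the form. The script below is an added example, not from the ArcGIS documentation or Esri's software: it opens one TLS handshake per protocol version against ArcGIS Server's own HTTPS port (6443 by default, so the web server in front of the Web Adaptor does not mask the result), records the cipher suite the server selects, and then re-tests TLSv1.2 while offering only weak suites to learn whether the server still accepts them when a client insists. The host name and the baseline encoded in assess() are assumptions. Certificate verification is disabled because the probe tests the handshake, not the trust chain; do not copy that setting into application code.

```python
"""Probe which TLS versions and cipher suites an ArcGIS Server HTTPS port negotiates.

Added example, not part of the ArcGIS documentation or Esri's software. It connects
to the ArcGIS Server port directly (6443 is the default HTTPS port) so the result
reflects the SSL Protocols and Cipher Suites settings made in the Administrator
Directory rather than the web server in front of the Web Adaptor. The default host
name is an assumption; the baseline in assess() is a suggestion, not an Esri rule.
"""
import socket
import ssl
import sys

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996

# OpenSSL cipher-list strings that offer *only* weak suites, to learn whether the
# server still accepts them when a client insists (SECLEVEL=0 lets OpenSSL offer them).
WEAK_OFFERS = {
    "static RSA key exchange": "kRSA:@SECLEVEL=0",
    "3DES": "3DES:@SECLEVEL=0",
    "SHA-1 MAC (CBC suites)": "SHA1:@SECLEVEL=0",
}


def probe(host, port, version, ciphers="ALL:@SECLEVEL=0", timeout=5.0):
    """Handshake with exactly one protocol version and cipher offer.
    Returns the negotiated OpenSSL cipher name, or None if the server refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = VERSIONS[version]
    # Probe only: the handshake is under test, not the certificate chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(ciphers)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def assess(version, cipher):
    """Policy findings for one negotiated (protocol, OpenSSL cipher name) pair.
    An empty list means the combination meets the baseline."""
    findings = []
    if version in DEPRECATED:
        findings.append(f"{version} is deprecated (RFC 8996)")
    if "GCM" not in cipher and "CHACHA20" not in cipher:
        findings.append(f"{cipher} is not an AEAD suite")
    if "DES-CBC3" in cipher:
        findings.append(f"{cipher} uses 3DES (64-bit block size)")
    if version != "TLSv1.3" and not cipher.startswith(("ECDHE-", "DHE-", "EDH-")):
        findings.append(f"{cipher} has no forward secrecy")
    return findings


def survey(host, port=6443):
    """Negotiated cipher per protocol version, plus which weak offers TLSv1.2 accepts."""
    result = {v: probe(host, port, v) for v in VERSIONS}
    result["weak"] = {label: probe(host, port, "TLSv1.2", offer) for label, offer in WEAK_OFFERS.items()}
    return result


def report(result):
    """Human-readable lines for a survey() result (or a constructed one)."""
    lines = []
    for version in VERSIONS:
        cipher = result.get(version)
        if cipher is None:
            lines.append(f"{version}: refused")
            continue
        findings = assess(version, cipher)
        lines.append(f"{version}: {cipher}" + (f"  <-- {'; '.join(findings)}" if findings else ""))
    for label, cipher in result.get("weak", {}).items():
        lines.append(f"TLSv1.2, only {label} offered: {cipher or 'refused'}")
    return lines


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "gisserver.example.com"  # assumed host
    print("\n".join(report(survey(target))))
```

A site configured as this page recommends should show TLSv1 and TLSv1.1 as refused, TLSv1.2 and TLSv1.3 negotiating GCM or ChaCha20-Poly1305 suites with no findings, and every weak offer refused. A line such as "TLSv1.2, only static RSA key exchange offered: AES128-GCM-SHA256" means a TLS_RSA_* suite is still enabled and should be removed from the Cipher Suites value unless a known client depends on it.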

Cipher suites reference

ArcGIS Server supports the following algorithms. Two of the 3DES suites are listed with the SSL_ prefix used by the Java runtime; their IANA names are TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA, but when configuring them use the spelling shown here. For the TLSv1.3 suites, the key exchange and authentication columns are empty because TLSv1.3 always uses ephemeral (EC)DHE key exchange and certificate-based authentication, negotiated separately from the cipher suite.

| Cipher ID | Name (IANA format) | Name (OpenSSL format) | Key exchange | Authentication algorithm | Encryption algorithm | Bits | Hashing algorithm |
|---|---|---|---|---|---|---|---|
| 0xC030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 | ECDH | RSA | AES_256_GCM | 256 | SHA384 |
| 0xC028 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDHE-RSA-AES256-SHA384 | ECDH | RSA | AES_256_CBC | 256 | SHA384 |
| 0xC014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE-RSA-AES256-SHA | ECDH | RSA | AES_256_CBC | 256 | SHA |
| 0x009F | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE-RSA-AES256-GCM-SHA384 | DH | RSA | AES_256_GCM | 256 | SHA384 |
| 0x006B | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | DHE-RSA-AES256-SHA256 | DH | RSA | AES_256_CBC | 256 | SHA256 |
| 0x0039 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DHE-RSA-AES256-SHA | DH | RSA | AES_256_CBC | 256 | SHA |
| 0x009D | TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384 | RSA | RSA | AES_256_GCM | 256 | SHA384 |
| 0x003D | TLS_RSA_WITH_AES_256_CBC_SHA256 | AES256-SHA256 | RSA | RSA | AES_256_CBC | 256 | SHA256 |
| 0x0035 | TLS_RSA_WITH_AES_256_CBC_SHA | AES256-SHA | RSA | RSA | AES_256_CBC | 256 | SHA |
| 0xC02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 | ECDH | RSA | AES_128_GCM | 128 | SHA256 |
| 0xC027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256 | ECDH | RSA | AES_128_CBC | 128 | SHA256 |
| 0xC013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE-RSA-AES128-SHA | ECDH | RSA | AES_128_CBC | 128 | SHA |
| 0x009E | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DHE-RSA-AES128-GCM-SHA256 | DH | RSA | AES_128_GCM | 128 | SHA256 |
| 0x0067 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | DHE-RSA-AES128-SHA256 | DH | RSA | AES_128_CBC | 128 | SHA256 |
| 0x0033 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | DHE-RSA-AES128-SHA | DH | RSA | AES_128_CBC | 128 | SHA |
| 0x009C | TLS_RSA_WITH_AES_128_GCM_SHA256 | AES128-GCM-SHA256 | RSA | RSA | AES_128_GCM | 128 | SHA256 |
| 0x003C | TLS_RSA_WITH_AES_128_CBC_SHA256 | AES128-SHA256 | RSA | RSA | AES_128_CBC | 128 | SHA256 |
| 0x002F | TLS_RSA_WITH_AES_128_CBC_SHA | AES128-SHA | RSA | RSA | AES_128_CBC | 128 | SHA |
| 0xC012 | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ECDHE-RSA-DES-CBC3-SHA | ECDH | RSA | 3DES_EDE_CBC | 168 | SHA |
| 0x0016 | SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA | EDH-RSA-DES-CBC3-SHA | DH | RSA | 3DES_EDE_CBC | 168 | SHA |
| 0x000A | SSL_RSA_WITH_3DES_EDE_CBC_SHA | DES-CBC3-SHA | RSA | RSA | 3DES_EDE_CBC | 168 | SHA |
| 0xC02C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 | ECDH | ECDSA | AES_256_GCM | 256 | SHA384 |
| 0xC024 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ECDHE-ECDSA-AES256-SHA384 | ECDH | ECDSA | AES_256_CBC | 256 | SHA384 |
| 0xC00A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE-ECDSA-AES256-SHA | ECDH | ECDSA | AES_256_CBC | 256 | SHA |
| 0xC02B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 | ECDH | ECDSA | AES_128_GCM | 128 | SHA256 |
| 0xC023 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256 | ECDH | ECDSA | AES_128_CBC | 128 | SHA256 |
| 0xC009 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE-ECDSA-AES128-SHA | ECDH | ECDSA | AES_128_CBC | 128 | SHA |
| 0xC008 | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | ECDHE-ECDSA-DES-CBC3-SHA | ECDH | ECDSA | 3DES_EDE_CBC | 168 | SHA |
| 0xCCA8 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-RSA-CHACHA20-POLY1305 | ECDH | RSA | CHACHA20 POLY1305 | 256 | SHA256 |
| 0xCCA9 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-ECDSA-CHACHA20-POLY1305 | ECDH | ECDSA | CHACHA20 POLY1305 | 256 | SHA256 |
| 0x1301 | TLS_AES_128_GCM_SHA256 (TLSv1.3 only) | TLS_AES_128_GCM_SHA256 | - | - | AES_128_GCM | 128 | SHA256 |
| 0x1302 | TLS_AES_256_GCM_SHA384 (TLSv1.3 only) | TLS_AES_256_GCM_SHA384 | - | - | AES_256_GCM | 256 | SHA384 |
| 0x1303 | TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3 only) | TLS_CHACHA20_POLY1305_SHA256 | - | - | CHACHA20 POLY1305 | 256 | SHA256 |

Terminology

The following terms are used in the table above:

  • ECDH—Elliptic-Curve Diffie-Hellman; the ECDHE suites use a fresh ephemeral key for each connection, which provides forward secrecy

  • DH—Diffie-Hellman over a finite field; the DHE suites likewise use ephemeral keys

  • RSA—Rivest, Shamir, Adleman; as a key exchange (the TLS_RSA_* suites) the session key is encrypted to the server's long-term certificate key, so these suites offer no forward secrecy

  • ECDSA—Elliptic Curve Digital Signature Algorithm

  • AES—Advanced Encryption Standard

  • GCM—Galois/Counter Mode, an authenticated-encryption (AEAD) mode of operation for block ciphers

  • CBC—Cipher Block Chaining, a mode that requires a separate HMAC for integrity

  • 3DES—Triple Data Encryption Algorithm, a 64-bit block cipher

  • SHA—Secure Hash Algorithm; "SHA" alone denotes SHA-1

  • CHACHA20—ChaCha20 stream cipher

  • POLY1305—Poly1305 authenticator, combined with ChaCha20 to form an AEAD suite