TLS Cipher Suites
This page contains information about the TLS Cipher Suites used by the PCoIP Connection Manager and PCoIP Security Gateway, and instructions for restricting the full list to subsets if desired.
PCoIP Connection Manager TLS Cipher Suites
The PCoIP Connection Manager supports the following cipher suites for the TLS connections from the PCoIP client, to the connection broker, and to the PCoIP Agent (in decreasing order of preference):
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
PCoIP Security Gateway Supported TLS Cipher Suites
The PCoIP Security Gateway supports the following cipher suites for TLS connections, in decreasing order of preference:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
Blacklisting Cipher Suites
Both the PCoIP Connection Manager and PCoIP Security Gateway can be configured to accept subsets of the full cipher suite list. This is done by blacklisting unwanted suites via configuration settings and restarting the respective service.
Blacklisting Cipher Suites for PCoIP Client Connections
You can limit the cipher suites accepted for incoming PCoIP client connections by using the ClientSSLCipherBlackList setting to blacklist unwanted suites. For more information, see PCoIP Connection Manager Configuration Settings.
Changing the ClientSSLCipherBlackList setting updates cipher suite list
Changing the ClientSSLCipherBlackList and then restarting the PCoIP Connection Manager service causes the SSLCipherSuite variable in /opt/Teradici/thirdparty/tomcat/conf/server.xml to be updated with the revised cipher suite list. Tomcat uses the ciphers specified in server.xml for all its inbound connections.
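The following check is an added example, not Teradici code: it compares the suites found in a server.xml against a blacklist and flags blacklisted suites that are still enabled (for example because the service has not been restarted), suites outside the supported list, and suites without forward secrecy. It assumes SSLCipherSuite appears as an XML attribute holding suite names separated by commas, colons or whitespace; the sample XML and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Full list from this page, in decreasing order of preference.
SUPPORTED = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
""".split()

def remaining(blacklist):
    """Suites expected after blacklisting, preference order preserved."""
    unknown = sorted(set(blacklist) - set(SUPPORTED))
    if unknown:
        raise ValueError(f"not a supported suite: {unknown}")
    return [s for s in SUPPORTED if s not in blacklist]

def configured_suites(server_xml):
    """Collect names from every SSLCipherSuite attribute (assumed format)."""
    suites = []
    for el in ET.fromstring(server_xml).iter():
        value = el.get("SSLCipherSuite", "")
        suites += [s for s in re.split(r"[,:\s]+", value) if s]
    return suites

def audit(server_xml, blacklist):
    """Report what the configuration still allows."""
    actual = configured_suites(server_xml)
    return {
        "still_enabled": [s for s in actual if s in blacklist],
        "unexpected": [s for s in actual if s not in SUPPORTED],
        "no_forward_secrecy": [s for s in actual if "_ECDHE_" not in s],
    }

def sample_server_xml(suites):
    """Constructed server.xml fragment used as test input."""
    joined = ",".join(suites)
    return f'<Server><Service><Connector port="443" SSLCipherSuite="{joined}"/></Service></Server>'

if __name__ == "__main__":
    bl = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    print(audit(sample_server_xml(SUPPORTED), bl))      # stale: not yet restarted
    print(audit(sample_server_xml(remaining(bl)), bl))  # after restart
```

A non-empty "still_enabled" list after a configuration change indicates that server.xml has not yet been regenerated.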
Blacklisting Cipher Suites for Connection Broker and PCoIP Agent Connections
You can limit the cipher suites accepted for communications with a connection broker or PCoIP agent by using the ServerSSLCipherBlackList setting to blacklist unwanted suites. For more information, see PCoIP Connection Manager Configuration Settings.
Blacklisting Cipher Suites for PCoIP Security Gateway Connections
You can configure the PCoIP Security Gateway to support a subset of the previous cipher suites. The SSLCipherBlackList setting lets you remove cipher suites from the previous list. For more information, see PCoIP Connection Manager Configuration Settings.