Cipher Suites for SSL Proxy

Supported Cipher Suites

SSL proxy acts as an intermediary, performing SSL encryption and decryption between the client and the server, but neither the server nor the client can detect its presence. SSL relies on digital certificates and private-public key exchange pairs for client and server authentication to ensure secure communication.

Lets get familiar with all the terms we are going to refer in this section.

• Digital Certificate or CA Certificate —A digital certificate is an electronic means for verifying your identity through a trusted third party, known as a certificate authority (CA). Alternatively, you can use a self-signed certificate to attest to your identity. Each certificate contains a cryptographic key to encrypt plaintext or decrypt cyphertext.

• Certificate Contents—A digital certificate associates a public key with the identity of an individual entity to whom it is issuing the digital certificate. A digital certificate includes the following identification attributes:

  • Identification and signature of the Certificate Authority that issued the certificate.

  • Validity period

  • Serial number

  • Certificate issuer details

  • Information about the subject includes identifying information (the distinguished name) and the public key.

• Cipher Suite—A cipher suite is a set of cryptographic algorithms. An SSL cipher comprises encryption ciphers, an authentication method, and compression. On SRX Series Firewall, SSL sessions use key exchange method by which cryptographic keys are exchanged between the client and the servers using cryptographic algorithm. The kind of key exchange algorithm and the cipher suites used must be supported by both sides.

  SSL sessions use the algorithms from a cipher suite to:

  • Securely establish a secret key between two communicating parties

  • Protect the confidentiality of data in transit

Table 1 provides the details of RSA keys supported on various SRX Series Firewalls.

• Starting with Junos OS Release 15.1X49-D30 and Junos OS Release 17.3R1, server certificates of key size 4096 bits are supported. Prior to Junos OS Release 15.1X49-D30, server certificates with key size greater than 2048 bits were not supported because of cryptography hardware limitations.

• Starting in Junos OS Release 18.1R1, SSL proxy support is available on SRX300 and SRX320 devices. On SRX300 and SRX320 devices, server certificates with key size 4096 bits are not supported.

Table 2 displays a list of supported ciphers. NULL ciphers are excluded.

Starting in Junos OS Release 21.2R1, on SRX Series Firewalls, SSL proxy supports TLS version 1.3 and it provides improved security and better performance. Table 3 displays a list of TLS 1.3 supported ciphers.

Starting in Junos OS Release 18.4R1, support for some ciphers in custom ciphers are deprecated. Table 4 provides the list of the deprecated ciphers.

Note the following:

• Supported SSL ciphers for HTTPS firewall authentication are RSA-3DES-EDE-CBC-SHA , RSA-AES-128-CBC-SHA, and RSA-AES-256-CBC-SHA.

• Cipher suites that have “export” in the title are intended for use outside of the United States and might have encryption algorithms with limited key sizes. Export ciphers are not enabled by default. You need to either configure the export ciphers to enable or install a domestic package.

• ECDHE-based cipher suits support the perfect forward secrecy feature in SSL proxy.

  Perfect forward secrecy is a specific key agreement protocols which ensures that all transactions sent over the Internet are secure. Perfect forward secrecy generates a unique session key for every session initiated by user. This ensures that the compromise of a single session key has no impact on data other than that exchanged in the specific session protected by that particular key.

Configuring Cipher Suites for SSL Proxy

You can use following options in SSL proxy profile configuration to set cipher suites:

• Preferred Ciphers—Preferred ciphers allow you to define an SSL cipher with acceptable key strength: strong, medium, or weak.

  If you do not want to use one of the three categories, you can select ciphers from each of the categories to form a custom cipher set. Custom ciphers allow you to define your own cipher list. To configure custom ciphers, you must set preferred-ciphers to custom. Example:

• Custom Ciphers—Custom ciphers allow you to define your own cipher list. Example:

  Starting in Junos OS Release 21.2R1, you can also use the following custom ciphers:

Use the following steps to configure an SSL proxy with custom ciphers:

• Generate a root CA certificate or you can import your own trusted CA certificate and private and public keys into the device.

• Create an SSL proxy profile and associate root CA certificate (Root CA or the server certificate).

• Enable preferred-cipher in the SSL proxy as a custom-cipher and attach custom cipher

Example:

This example shows how to create a custom cipher. In this example, you set preferred-cipher to custom and add the cipher list (ecdhe-ecdsa-with-aes-256-cbc-sha384 and ecdhe-ecdsa-with-aes-128-cbc-sha256):

Or

Proceed with configuring the SSL proxy profile and applying the SSL proxy profile to a security policy

ECDSA Cipher Suite Support for SSL Proxy

Starting in Junos OS Release 18.3R1, SRX Series Firewalls support ECDSA cipher suites for SSL proxy. ECDSA is a version of the Digital Signature Algorithm (DSA) and is based on Elliptic-curve cryptography (ECC). To use ECDSA ciphers on your security device, you must ensure to:

• Include the certificates containing ECC-capable public keys on the device. Support is available for the Elliptic Curve Cryptography (ECC) certificate only with the Elliptic Prime Curve 256 bit (P-256).

• Include the ECDSA certificate option for the root CA. You can include one RSA certificate and one ECDSA certificate each. Having both ECC and RSA certificate allows you to perform ECC-based key exchange or RSA-based key exchange depending on the client and the server device’s compatibility.

• For reverse proxy, include the ECDSA certificate for the server certificate. No restriction on the number of ECDSA or RSA certificate inclusion.

• A trusted CA certificate can either be an RSA-based certificate and an ECDSA-based certificate. All features supported on an RSA-based certificate such as certificate cache, certificate revocation list (CRL), certificate chain are supported on an ECDSA certificate.

Configuring Server Certificates of Key Size 4096 Bits on SRX300 and SRX320

Starting in Junos OS Release 19.4R1, SRX300 and SRX320 devices support RSA certificates with key size 4096 bits. This support is available only when the SRX300 and SRX320 devices are operating in standalone mode.

You must explicitly configure the SSL proxy profile on SRX300 and SRX320 devices to use the server certificate with key size 4096 bits. Example:

SSL Forward Proxy Profile

SSL Reverse Proxy Profile