SSL/TLS Cipher Profiles for Akamai Secure CDN

Document created by Rajiv Aaron Manglani on Jan 29, 2016. Last modified by Rajiv Aaron Manglani on Sep 14, 2017. Version 11.

Web properties on Akamai's Secure CDN can be configured with various SSL/TLS cipher suites. Through our Certificate Provisioning System, customers can select a cipher profile, which in turn determines the list of cipher suites presented to connecting clients. The currently supported cipher profiles are enumerated below. Akamai does not update existing cipher profiles, except in the case of security incidents. Not all ciphers listed in the profiles below are active on the Akamai Secure CDN.

 

If a client presents the ChaCha20-Poly1305 cipher at the top of its preferred list, Akamai will move it to the top of the server-presented list, regardless of what is described below. This feature is to enable the best performance for those mobile devices which do not include AES acceleration hardware.
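The following sketch is an added example, not Akamai's code: it models the ChaCha20-Poly1305 promotion described above on top of ordinary server-preference selection, using the ak-akamai-default-2016q3 order from this page. The function names, the `cert_type` parameter and both client offers are assumptions constructed for illustration.

```python
# Added illustration: the selection logic is an assumption modelled on the
# paragraph above, not Akamai's implementation.

# Server order as listed on this page for ak-akamai-default-2016q3.
PROFILE_2016Q3 = """
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA
AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256
AES256-SHA AES128-SHA
""".split()

# Constructed client offers, in client preference order.
MOBILE = ["ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
          "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
          "AES128-SHA"]
DESKTOP = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
           "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
           "ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"]

def is_chacha(suite):
    return "CHACHA20-POLY1305" in suite

def effective_server_order(profile, client_offer):
    """Promote the profile's ChaCha20 suites only when the client's first choice is ChaCha20."""
    if client_offer and is_chacha(client_offer[0]):
        chacha = [s for s in profile if is_chacha(s)]
        return chacha + [s for s in profile if not is_chacha(s)]
    return list(profile)

def negotiate(profile, client_offer, cert_type="RSA"):
    """Return the first suite in server order that the client offers and the certificate can serve."""
    offered = set(client_offer)
    for suite in effective_server_order(profile, client_offer):
        # ECDHE-ECDSA suites need an ECDSA certificate; all others here need RSA.
        needs = "ECDSA" if "-ECDSA-" in suite else "RSA"
        if suite in offered and needs == cert_type:
            return suite
    return None  # no common suite: the handshake would fail

if __name__ == "__main__":
    for name, offer in (("mobile", MOBILE), ("desktop", DESKTOP)):
        print(name, "->", negotiate(PROFILE_2016Q3, offer))
```

A client that merely includes ChaCha20 further down its list, like the constructed desktop offer, still gets the server's first matching AES-GCM suite; only a ChaCha20 suite at the top of the client list triggers the reordering.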

 

For PFS (Forward Secrecy) and HTTP/2 support, we recommend selecting the ak-akamai-default-2016q3 or ak-pci-dss-3.2 cipher profile.

 

If you have more specific needs around selecting individual cipher suites, please reach out to your account team or Customer Care.

 

 

Recommended Cipher Profiles

These profiles are available in Certificate Provisioning System and are recommended for use. Ciphers are listed below in the order they will be presented to clients.

 

ak-akamai-default-2017q3

TLS13-AES-256-GCM-SHA384

TLS13-CHACHA20-POLY1305-SHA256

TLS13-AES-128-GCM-SHA256

TLS13-AES-128-CCM-8-SHA256

TLS13-AES-128-CCM-SHA256

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-CHACHA20-POLY1305

ECDHE-RSA-CHACHA20-POLY1305

ECDHE-ECDSA-AES256-SHA384

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES256-SHA384

ECDHE-RSA-AES128-SHA256

ECDHE-RSA-AES256-SHA

ECDHE-RSA-AES128-SHA

AES256-GCM-SHA384

AES128-GCM-SHA256

AES256-SHA256

AES128-SHA256

AES256-SHA

AES128-SHA

 

ak-akamai-default-2016q3

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-CHACHA20-POLY1305

ECDHE-RSA-CHACHA20-POLY1305

ECDHE-ECDSA-AES256-SHA384

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES256-SHA384

ECDHE-RSA-AES128-SHA256

ECDHE-RSA-AES256-SHA

ECDHE-RSA-AES128-SHA

AES256-GCM-SHA384

AES128-GCM-SHA256

AES256-SHA256

AES128-SHA256

AES256-SHA

AES128-SHA

 

ak-pci-dss-3.2

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES256-SHA384

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES256-SHA384

ECDHE-RSA-AES128-SHA256

ECDHE-RSA-AES256-SHA

ECDHE-RSA-AES128-SHA

AES256-GCM-SHA384

AES128-GCM-SHA256

AES256-SHA256

AES128-SHA256

AES256-SHA

AES128-SHA

 

 

Available, but no longer recommended for use

These cipher profiles are available in Certificate Provisioning System; however, they are no longer recommended for use. Properties configured with these profiles are encouraged to upgrade to one listed above as soon as possible to ensure they remain secure. Ciphers are listed below in the order they will be presented to clients.

 

ak-akamai-default

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES256-SHA384

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES256-SHA384

ECDHE-RSA-AES256-SHA

ECDHE-RSA-AES128-SHA256

ECDHE-RSA-AES128-SHA

AES256-SHA

DES-CBC3-SHA

AES128-SHA

IDEA-CBC-SHA

RC4-SHA

RC4-MD5

DES-CBC-SHA

 

ak-akamai-default-2016q1

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
AES256-GCM-SHA384
AES128-GCM-SHA256
AES256-SHA256
AES128-SHA256
AES256-SHA
AES128-SHA
DES-CBC3-SHA

 

ak-akamai-pfs-supported

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES256-SHA384

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES256-SHA384

ECDHE-RSA-AES256-SHA

ECDHE-RSA-AES128-SHA256

ECDHE-RSA-AES128-SHA

AES256-GCM-SHA384

AES128-GCM-SHA256

AES256-SHA256

AES128-SHA256

AES128-SHA

DES-CBC3-SHA

 

ak-akamai-pfs

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-SHA384

ECDHE-ECDSA-AES256-SHA384

AES256-GCM-SHA384

AES256-SHA256

DES-CBC3-SHA

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-SHA256

ECDHE-ECDSA-AES128-SHA256

AES128-GCM-SHA256

AES128-SHA256

RC4-SHA

AES128-SHA

 

ak-akamai-recommended

AES256-SHA256

AES256-SHA

AES128-SHA256

AES128-SHA

DES-CBC3-SHA

RC4-SHA

 

ak-soft-errors

AES256-SHA

DES-CBC3-SHA

AES128-SHA

IDEA-CBC-SHA

RC4-SHA

RC4-MD5

DES-CBC-SHA

 

ak-soft-errors-with-export

AES256-SHA

DES-CBC3-SHA

AES128-SHA

IDEA-CBC-SHA

RC4-SHA

RC4-MD5

DES-CBC-SHA

EXP-DES-CBC-SHA

EXP-RC2-CBC-MD5

EXP-RC4-MD5

 

ak-akamai-tls-1.2

AES256-GCM-SHA384

AES128-GCM-SHA256

AES256-SHA256

AES256-SHA

AES128-SHA256

AES128-SHA

DES-CBC3-SHA

 

ak-pci-dss

AES256-SHA

AES128-SHA

DES-CBC3-SHA

 

ak-pci-dss-3.1

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
AES256-GCM-SHA384
AES128-GCM-SHA256
AES256-SHA256
AES128-SHA256
AES256-SHA
AES128-SHA
DES-CBC3-SHA
