SSL/TLS Protocols and Ciphers for origin connections

Document created by Rajiv Aaron Manglani (Employee) on May 17, 2016. Last modified by Rajiv Aaron Manglani (Employee) on May 3, 2017.
Version 2

Akamai has features on both our Secure and Non-Secure CDN networks, which give you control over the TLS protocol versions that we use when connecting to your origin servers.

 

Customers can select the TLS versions that Akamai will use when connecting to origin servers. Selecting the TLS versions for origin connections is self-serviceable in Property Manager in the “Origin Server Behavior” section. You may select a specific TLS version to instruct Akamai to use only that version, or list specific versions to use. Use of SNI connections to origin servers is also configurable.

 

To configure the specific ciphers that Akamai will use when going forward to origin, you have two options:

Option 1 (recommended)

Configure your origin server to present only certain ciphers. Akamai will respect the ciphers presented by servers. The ultimate choice of which cipher is used in connections is determined by the origin server, which you control. Akamai deliberately offers a large list of ciphers to support customers with specific needs. We recommend that, if at all possible, you configure your origin server to prefer TLS 1.2 and the ECDHE AES GCM ciphers.

 

Option 2

Contact your account representative about professional services assistance in setting up a defined list of ciphers which can connect to your origin. You can select a cipher profile from SSL/TLS Cipher Profiles for Akamai Secure CDN, or you can choose individual ciphers.

 

Unless configured with a custom cipher list, Akamai Edge Servers will use these ciphers (in the order listed) when going forward to origin:

 

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
AES256-SHA256
AES128-SHA256
AES256-SHA
AES128-SHA
DES-CBC3-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-RSA-RC4-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
RC4-SHA
RC4-MD5
ECDHE-ECDSA-DES-CBC3-SHA
ECDHE-ECDSA-RC4-SHA
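
Added example (not Akamai code): a Python model of Option 1, showing which suite an origin would select from the default list above and which weak suites stay reachable. The origin cipher lists and all function names are constructed for illustration, and the model considers list order only, ignoring certificate key type and TLS version.

```python
# Added example. AKAMAI_DEFAULT is the default forward list from this page,
# in the order listed; the origin cipher lists further down are constructed.
AKAMAI_DEFAULT = """
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA DES-CBC3-SHA
ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA
ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA
DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA RC4-SHA RC4-MD5
ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA
""".split()

def weaknesses(cipher):
    """Reasons an OpenSSL-style suite name misses the ECDHE AES GCM target."""
    issues = []
    if "RC4" in cipher:
        issues.append("RC4")
    if "DES-CBC3" in cipher:
        issues.append("3DES")
    if cipher.endswith("-MD5"):
        issues.append("MD5 MAC")
    if not cipher.startswith(("ECDHE-", "DHE-")):
        issues.append("no forward secrecy")
    if "GCM" not in cipher:
        issues.append("not AEAD")
    return issues

def negotiate(origin_ciphers, server_preference=True, offer=AKAMAI_DEFAULT):
    """Suite the origin would select from the edge's offer, or None."""
    if server_preference:  # origin walks its own list, in its own order
        return next((c for c in origin_ciphers if c in offer), None)
    allowed = set(origin_ciphers)  # origin honours the client's order
    return next((c for c in offer if c in allowed), None)

def reachable_weak(origin_ciphers, offer=AKAMAI_DEFAULT):
    """Weak suites enabled on the origin that the edge also offers."""
    return {c: weaknesses(c) for c in origin_ciphers
            if c in offer and weaknesses(c)}

# Constructed origin configurations, in server preference order.
LEGACY_ORIGIN = ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
HARDENED_ORIGIN = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_ORIGIN), ("hardened", HARDENED_ORIGIN)):
        print(name, negotiate(cfg), negotiate(cfg, False), reachable_weak(cfg))
```

An empty result from `reachable_weak` means every suite the origin shares with the default list is ECDHE with AES-GCM, which is the state Option 1 recommends.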

 

If you have any questions or need support with your origin TLS connections, please reach out to your account team or Akamai Technical Support.
