Restrict TLS protocols and cipher suites—ArcGIS Server | Documentation for ArcGIS Enterprise

As an ArcGIS Server administrator, you can specify the Transport Layer Security (TLS) protocols and encryption algorithms ArcGIS Server uses to secure communication. Your organization may be required to use specific TLS protocols and encryption algorithms, or the web server on which you deploy ArcGIS Server may only allow certain protocols and algorithms. Specifying that ArcGIS Server use the certified protocols and algorithms ensures that your site remains in compliance with your organization's security policies.

Following the POODLE vulnerability exposed in 2014, ArcGIS Server dropped support for Secure Sockets Layer (SSL) protocols at 10.3 and later, but you will still see SSL used in the software to refer to TLS protocols.

TLS protocols

By default, ArcGIS Server only uses the TLSv1.3 and TLSv1.2 protocols. You can also enable TLSv1 and TLSv1.1 protocols using the steps below.

Default encryption algorithms

ArcGIS Server is configured by default to use the following encryption algorithms in the order listed below:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_AES_256_GCM_SHA384 (TLSv1.3 only)
TLS_AES_128_GCM_SHA256 (TLSv1.3 only)

For security reasons, several encryption algorithms that were enabled by default in previous versions have been disabled. These can be reenabled if needed for older clients. See Cipher suites reference below for the full list of supported algorithms.

Use the ArcGIS Server Administrator Directory to specify the TLS protocols and encryption algorithms your site will use.

Open the ArcGIS Server Administrator Directory and sign in as an administrator of your site.
The URL is in the format https://gisserver.domain.com:6443/arcgis/admin.
Click Security > Config > Update.
In the SSL Protocols text box, specify the protocols to be used. If specifying multiple protocols, separate each protocol with a comma, for example, TLSv1.2, TLSv1.1.
Note:
Ensure that the web server hosting your Web Adaptor can fully communicate over the protocols you are enabling. If you're using a Java Web Adaptor, the web server hosting the Web Adaptor must use Java 8 or later.
In the Cipher Suites text box, specify the encryption algorithms to be used. If specifying multiple algorithms, separate each algorithm with a comma, for example, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA.
Click Update.
An error is returned if an invalid protocol or cipher suite is specified.

Cipher suites reference

ArcGIS Server supports the following algorithms:


Cipher ID	Name	Key exchange	Authentication algorithm	Encryption algorithm	Bits	Hashing algorithm
0x00C030	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	ECDH	RSA	AES_256_GCM	256	SHA384
0x00C028	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384	ECDH	RSA	AES_256_CBC	256	SHA384
0x00C014	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	ECDH	RSA	AES_256_CBC	256	SHA
0x00009F	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384	DH	RSA	AES_256_GCM	256	SHA384
0x00006B	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256	DH	RSA	AES_256_CBC	256	SHA256
0x000039	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	DH	RSA	AES_256_CBC	256	SHA
0x00009D	TLS_RSA_WITH_AES_256_GCM_SHA384	RSA	RSA	AES_256_GCM	256	SHA384
0x00003D	TLS_RSA_WITH_AES_256_CBC_SHA256	RSA	RSA	AES_256_CBC	256	SHA256
0x000035	TLS_RSA_WITH_AES_256_CBC_SHA	RSA	RSA	AES_256_CBC	256	SHA
0x00C02F	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	ECDH	RSA	AES_128_GCM	128	SHA256
0x00C027	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256	ECDH	RSA	AES_128_CBC	128	SHA256
0x00C013	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	ECDH	RSA	AES_128_CBC	128	SHA
0x00009E	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256	DH	RSA	AES_128_GCM	128	SHA256
0x000067	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256	DH	RSA	AES_128_CBC	128	SHA256
0x000033	TLS_DHE_RSA_WITH_AES_128_CBC_SHA	DH	RSA	AES_128_CBC	128	SHA
0x00009C	TLS_RSA_WITH_AES_128_GCM_SHA256	RSA	RSA	AES_128_GCM	128	SHA256
0x00003C	TLS_RSA_WITH_AES_128_CBC_SHA256	RSA	RSA	AES_128_CBC	128	SHA256
0x00002F	TLS_RSA_WITH_AES_128_CBC_SHA	RSA	RSA	AES_128_CBC	128	SHA
0x00C012	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA	ECDH	RSA	3DES_EDE_CBC	168	SHA
0x000016	SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA	DH	RSA	3DES_EDE_CBC	168	SHA
0x00000A	SSL_RSA_WITH_3DES_EDE_CBC_SHA	RSA	RSA	3DES_EDE_CBC	168	SHA
0x00C02C	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384	ECDH	ECDSA	AES_256_GCM	256	SHA384
0x00C024	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384	ECDH	ECDSA	AES_256_CBC	256	SHA384
0x00C00A	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	ECDH	ECDSA	AES_256_CBC	256	SHA
0x00C02B	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256	ECDH	ECDSA	AES_128_GCM	128	SHA256
0x00C023	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256	ECDH	ECDSA	AES_128_CBC	128	SHA256
0x00C009	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA	ECDH	ECDSA	AES_128_CBC	128	SHA
0x00C008	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA	ECDH	ECDSA	3DES_EDE_CBC	168	SHA
0x1302	TLS_AES_256_GCM_SHA384	-	-	AES_256_GCM	256	SHA384
0x1301	TLS_AES_128_GCM_SHA256	-	-	AES_128_GCM	128	SHA256

Terminology

The following terms are used in the table above:

ECDH—Elliptic-Curve Diffie-Hellman
DH—Diffie-Hellman
RSA—Rivest, Shamir, Adleman
ECDSA— Elliptic Curve Digital Signature Algorithm
AES—Advanced Encryption Standard
GCM—Galois/Counter Mode, a mode of operation for cryptographic block ciphers
CBC—Cipher Block Chaining
3DES—Triple Data Encryption Algorithm
SHA—Secure Hashing Algorithm

Feedback on this topic?

TLS protocols

Default encryption algorithms

Note:

Cipher suites reference

Terminology

In this topic