Ciphers

Ciphers are algorithms for performing encryption and decryption. They are used to help provide secure communications over computer networks. Load balancers that make use of the SSL Termination feature are configured to use only certain ciphers based on the assigned cipher profile.

A cipher profile is a named set of cipher suites to be used by a load balancer. The cipher profile can be assigned via the cipherProfile field when creating or updating the SSL Termination configuration for the load balancer.

By default, load balancers are assigned the default cipher profile, which is managed by Rackspace and updated from time to time to disable ciphers that have become insecure. For this reason, use of the default cipher profile is recommended.

Warning

The default profile is a general cipher suite that is designed to accommodate the largest number of possible clients. To accomplish this goal while still providing a base level of security, the default cipher suite will be updated from time to time to mitigate major vulnerabilities. Other cipher profile suites will be added to accommodate specific security requirements for environments that require stricter compliance.

You can view the list of ciphers enabled on a particular load balancer by using the List ciphers API.

Cipher profiles

The following table provides the available profiles and their associated ciphers. As security concerns change, new cipher profiles may be added.

Ciphers

default

CLBCipherPolicy2017-08

CLBCipherPolicy2019-05

TLS_AES_256_GCM_SHA384

x

x

x

TLS_AES_128_GCM_SHA256

x

x

x

SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384

x

x

x

SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256

x

x

x

SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384

x

x

SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA

x

x

SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256

x

x

SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA

x

x

SSL_RSA_WITH_AES_256_GCM_SHA384

x

x

SSL_RSA_WITH_AES_256_CBC_SHA256

x

x

SSL_RSA_WITH_AES_256_CBC_SHA

x

x

SSL_RSA_WITH_AES_128_GCM_SHA256

x

x

SSL_RSA_WITH_AES_128_CBC_SHA256

x

x

SSL_RSA_WITH_AES_128_CBC_SHA

x

x

SSL_RSA_WITH_3DES_EDE_CBC_SHA

x

Cipher Statuses

Name | Description
ERROR | The system encountered an error when attempting to retrieve the load balancer ciphers. Contact Support.

List ciphers

GET /v1.0/{account}/loadbalancers/{loadbalancerid}/ssltermination/ciphers

Lists ciphers enabled for SSL termination on the load balancer.

The following table shows the possible response codes for this operation:

Response code | Name | Description
200 | Success | Request succeeded.
400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid.
401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.
413 | Over Limit | The number of items returned is above the allowed limit.
422 | ImmutableEntity | This fault is returned when a user attempts to modify an item that is not currently in a state that allows modification. For example, load balancers in a status of PENDING_UPDATE, BUILD, or DELETED may not be modified.
500 | Load Balancer Fault | The load balancer has experienced a fault.
503 | Service Unavailable | The service is not available.

Request

The following table shows the URI parameters for the request:

Name | Type | Description
{account} | String | The ID for the tenant or account in a multi-tenancy cloud.
{loadbalancerid} | String | The ID of the load balancer.

This operation does not accept a request body.

Response

The following table shows the body parameters for the response:

Name | Type | Description
ciphers | Object | A list of named ciphers associated with the load balancer.

Example List ciphers: JSON response

{
   "ciphers": [
     {
      "name": "SSL_RSA_WITH_3DES_EDE_CBC_SHA"
     },
     {
      "name": "SSL_RSA_WITH_AES_128_CBC_SHA"
     }
   ]
}

Example List ciphers: XML response

<?xml version="1.0" ?>
<ciphers>
    <cipher name="SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
    <cipher name="SSL_RSA_WITH_AES_128_CBC_SHA" />
</ciphers>
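
The following is an added example, not part of the Rackspace documentation: it parses a List ciphers response in either of the two shapes shown above and flags suites that use 3DES, CBC mode, or static RSA key exchange, so a load balancer's enabled ciphers can be reviewed after a profile change. The function names and the sample bodies are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample bodies in the two response shapes shown above.
SAMPLE_JSON = """{"ciphers": [
  {"name": "SSL_RSA_WITH_3DES_EDE_CBC_SHA"},
  {"name": "SSL_RSA_WITH_AES_128_CBC_SHA"},
  {"name": "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}]}"""
SAMPLE_XML = """<?xml version="1.0" ?>
<ciphers>
    <cipher name="SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
    <cipher name="SSL_RSA_WITH_AES_128_CBC_SHA" />
    <cipher name="SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
</ciphers>"""


def cipher_names(body):
    """Return the cipher names from a List ciphers body (JSON or XML)."""
    text = body.strip()
    if text.startswith("<"):
        return [c.attrib["name"] for c in ET.fromstring(text).iter("cipher")]
    return [c["name"] for c in json.loads(text)["ciphers"]]


def findings(name):
    """Return the reasons a suite deserves review (empty list if none)."""
    key_exchange, sep, _ = name.partition("_WITH_")
    reasons = []
    # TLS 1.3 names (TLS_AES_...) have no _WITH_ part and always use ephemeral keys.
    if sep and key_exchange in ("SSL_RSA", "TLS_RSA"):
        reasons.append("static RSA key exchange (no forward secrecy)")
    if "3DES" in name:
        reasons.append("3DES (64-bit block cipher)")
    if "_CBC_" in name:
        reasons.append("CBC mode (not AEAD)")
    return reasons


def audit(body):
    """Map each flagged cipher name to its list of reasons."""
    report = {name: findings(name) for name in cipher_names(body)}
    return {name: why for name, why in report.items() if why}


if __name__ == "__main__":
    for name, why in audit(SAMPLE_JSON).items():
        print(f"{name}: {'; '.join(why)}")
```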