icon-zia.svg
Secure Internet and SaaS Access (ZIA)

Supported Cipher Suites in SSL Inspection

Zscaler supports hardware-based inspection with TLS versions 1.3, 1.2, 1.1 and 1.0 as well as PFS (Perfect Forward Secrecy) Cipher Suites across all TLS versions. The ZIA Public Service Edge prefers and proposes the highest TLS version and strongest Cipher Suites on the client side (client to Service Edge) and server side (Service Edge to server) connections, respectively.

Supported TLS 1.3 Cipher Suites

Zscaler supports hardware-based TLS 1.3 inspection with the following latest cipher suites:

TLS ProtocolCipher Suite
TLS 1.3TLS_AES_256_GCM_SHA384 (0x1302)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS_AES_128_GCM_SHA256 (0x1301)

Supported ECDHE Cipher Suites

Zscaler supports the following ECDHE cipher suites for PFS) depending on the TLS protocol:

TLS ProtocolECDHE Cipher Suite
TLS 1.0
TLS 1.1		TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS 1.2TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

Supported DHE Cipher Suites

Zscaler supports the following DHE cipher suites for PFS depending on the TLS protocol:

TLS ProtocolDHE Cipher Suite
TLS 1.0
TLS 1.1		TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
TLS 1.2TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)

Supported RSA Cipher Suites

Zscaler supports the following RSA cipher suites:

TLS ProtocolCipher Suite
TLS 1.0
TLS 1.1		TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
TLS 1.2TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

The ECDSA (Elliptic Curve Digital Signature Algorithm) authentication algorithm is supported only on the server-side (Service Edge to Server) SSL connections.

Unsupported Cipher Suites

Zscaler does not support the following cipher suites due to security or compatibility issues:

  • EXP
  • DSS
  • RC4-MD5
  • RC4-SHA
  • DES-CBC-SHA
  • DES-CBC3-SHA
  • 3DES-CBC-SHA

Zscaler doesn't perform SSL inspection for websites that only use unsupported protocols.

The following sample is traffic destined to a website that only supports RC4-MD5-based ciphers.

Zscaler treats traffic destined to this website as undecryptable and does not perform SSL inspection. It allows or blocks the traffic depending on the SSL inspection policy you set for undecryptable traffic.

miku@safemarch:~$ openssl s_client -connect rc4-md5.badssl.com:443 -servername rc4-md5.badssl.com
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = California, L = Walnut Creek, O = Lucas Garron, CN = *.badssl.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Walnut Creek/O=Lucas Garron/CN=*.badssl.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHGDCCBgCgAwIBAgIQAfICAx39qY79/w9yvlEGDTANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTcwMzE4MDAwMDAwWhcN
MjAwMzI1MTIwMDAwWjBnMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTEVMBMGA1UEBxMMV2FsbnV0IENyZWVrMRUwEwYDVQQKEwxMdWNhcyBHYXJyb24x
FTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2PmzAS2BMTOqy
tMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMWhyefdOsKnRFS
JiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3AxPxTuW1CrbV8
/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqveww9HdFxBIuGa
+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SYQCeFxxC7c3Dv
aRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaOCA9gwggPUMB8GA1UdIwQYMBaA
FA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBSd7sF7gQs6R2lxGH0RN5O8
pRs/+zAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDgYDVR0P
AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8E
ZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc1
LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1n
NS5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0
cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgMwfAYIKwYBBQUHAQEE
cDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYB
BQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJT
ZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAfUGCisGAQQB1nkCBAIE
ggHlBIIB4QHfAHYApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFa
36pBXQAABAMARzBFAiEAzR4KqC0zoD8FzR8Jk0wH3CMLf/j0s/sMFySg5gsIP3oC
IHaSYDQXuInRJq1WHUHIwcdt7AscZAFWgEaCzh+8+QvCAHYAVhQGmi/XwuzT9eG9
RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFa36pCiAAABAMARzBFAiBPti1ehDk+YdyW
s4qjScmz9kuzTWor6jQYk8/GZDwRHwIhAPvbr23VquHaId4nvBHit7YGdJXpu7En
UZRQrU1P0lLVAHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFa
36pEWQAABAMARjBEAiBUQkeTNpBWju4/OXnxjOOlowEXos1XsItqfLkajzv6cQIg
QLzLDhSKvxVRNq/4Z1rfbh8iEYM6Hj52NpO9+L0565oAdgC72d+8H4pxtZOUI5eq
kntHOFeVCqtS6BqQlmQ2jh7RhQAAAVrfqkIWAAAEAwBHMEUCIHhqWRiCNNf8h3i2
ADwso5l22FFp8H6jBBp+6B2PaBSUAiEAmk8vYlhgaLLc0Gkc+MkUIZ9sEoLR+tOF
BLatSTQk1EowDQYJKoZIhvcNAQELBQADggEBAGl6hl3sDaxY762cJc5fxNG9Kc/Q
Wvf5YzTLNxIuxEfTsj/Zgm+Q2hFl9enYRj4M1Weo/sw/8Jw9DGSuypOiYXCz9Ikx
0Fc2j/Oq939JU5+ok1AikAeXna4DFTtw8ByIchrU6tbZa/JocSM0WZl7WIrgOtvw
T+qCyI9JgYCnWRbPRfhZrlKxqQpwoP++aFV0HOBR9nj/Rzisq8ZGn7f6HKVxlqHS
lBdhbmcHA/nHgbpwU2bmonivndvnpQHI8Fxd4BzbcRYM+ZIkATWA5/aOvH/EEIb6
kwipaXsqHLfaJq1SY5G097HgWHWCkCUD/pxX6psTTavqftLenSd7piK3+fw=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Walnut Creek/O=Lucas Garron/CN=*.badssl.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3335 bytes and written 537 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : RC4-MD5
    Session-ID: 725CB3755C8F55CF2FBFFB4CF4ECD0B7A6FD79EF79E3E692E028B6606421EAFC
    Session-ID-ctx: 
    Master-Key: 1B993A8A3CF48711B4630CD526BE84219D740157E226AD2883536FF073AAA7AEBD691733A7701FCA72249F6AA867C645
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 8a a2 1a 77 48 87 f2 35-55 9c a0 3f 71 4d 37 a7   ...wH..5U..?qM7.
    0010 - 2a a3 a8 d9 0a 8a 38 36-6c 4b f7 f1 ae 45 37 10   *.....86lK...E7.
    0020 - 88 ca 3e 3b 32 3d 67 62-1d 9e af b6 88 61 81 a1   ..>;2=gb.....a..
    0030 - b4 bb 02 08 f1 18 1c 22-ee ec ac 03 3e 3a 5a ca   ......."....>:Z.
    0040 - 2d 6d d2 c5 f0 3e 30 54-e3 f0 84 e9 34 d1 a9 5d   -m...>0T....4..]
    0050 - 1e 9f 56 0a be b7 b5 6a-3b 6f 83 64 d7 bf 51 59   ..V....j;o.d..QY
    0060 - 71 02 be 6e f2 83 e9 04-9e 57 28 05 f4 1f 85 34   q..n.....W(....4
    0070 - 49 da 33 98 ab 40 8d be-c5 94 e3 9b 7b 18 9f 07   I.3..@......{...
    0080 - f5 f6 d7 01 2d 8f 01 57-a3 8e da 07 19 97 dc 81   ....-..W........
    0090 - bb f3 b5 39 27 5e 8d 4e-e3 d7 51 2e d6 7f 69 c1   ...9'^.N..Q...i.
    00a0 - f0 b4 b5 e3 d2 94 d2 02-b2 a3 cd 75 36 4b 29 92   ...........u6K).
    00b0 - ad bc 1b 4d e3 ba f8 83-41 7a 18 ff e1 5e 82 de   ...M....Az...^..

    Start Time: 1551721147
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
Close

Zscaler considers traffic from such websites undecryptable. You can configure the SSL Inspection policy to allow or block undecryptable traffic.

Related Articles
About Secure Sockets Layer (SSL)About SSL InspectionSupported Cipher Suites in SSL InspectionSafeguarding SSL Keys and Data Collected during SSL InspectionAdding Custom Certificate to an Application-Specific Trust StoreAbout SSL Inspection PolicyConfiguring SSL Inspection PolicyAbout Intermediate CA CertificatesChoosing the CA Certificate for SSL InspectionSigning a CSR Using the Active Directory Certificate ServicesDeploying SSL InspectionConfiguring Software Protection Intermediate CA CertificateConfiguring Cloud HSM Protection Intermediate CA CertificateDeployment Scenarios for SSL InspectionCertificate Pinning and SSL InspectionBest Practices for Testing and Rolling Out SSL Inspection