Secure Internet and SaaS Access (ZIA)
Supported Cipher Suites in SSL Inspection
Zscaler supports hardware-based inspection with TLS versions 1.3, 1.2, 1.1 and 1.0 as well as PFS (Perfect Forward Secrecy) Cipher Suites across all TLS versions. The ZIA Public Service Edge prefers and proposes the highest TLS version and strongest Cipher Suites on the client side (client to Service Edge) and server side (Service Edge to server) connections, respectively.
Supported TLS 1.3 Cipher Suites
Zscaler supports hardware-based TLS 1.3 inspection with the following latest cipher suites:
TLS Protocol | Cipher Suite |
---|---|
TLS 1.3 | TLS_AES_256_GCM_SHA384 (0x1302) TLS_CHACHA20_POLY1305_SHA256 (0x1303) TLS_AES_128_GCM_SHA256 (0x1301) |
Supported ECDHE Cipher Suites
Zscaler supports the following ECDHE cipher suites for PFS) depending on the TLS protocol:
TLS Protocol | ECDHE Cipher Suite |
---|---|
TLS 1.0 TLS 1.1 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) |
TLS 1.2 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) |
Supported DHE Cipher Suites
Zscaler supports the following DHE cipher suites for PFS depending on the TLS protocol:
TLS Protocol | DHE Cipher Suite |
---|---|
TLS 1.0 TLS 1.1 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) |
TLS 1.2 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f) TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b) TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067) TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) |
Supported RSA Cipher Suites
Zscaler supports the following RSA cipher suites:
TLS Protocol | Cipher Suite |
---|---|
TLS 1.0 TLS 1.1 | TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) |
TLS 1.2 | TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) |
The ECDSA (Elliptic Curve Digital Signature Algorithm) authentication algorithm is supported only on the server-side (Service Edge to Server) SSL connections.
Unsupported Cipher Suites
Zscaler does not support the following cipher suites due to security or compatibility issues:
- EXP
- DSS
- RC4-MD5
- RC4-SHA
- DES-CBC-SHA
- DES-CBC3-SHA
- 3DES-CBC-SHA
Zscaler doesn't perform SSL inspection for websites that only use unsupported protocols. See an example of traffic destined to such a website.
The following sample is traffic destined to a website that only supports RC4-MD5-based ciphers.
Zscaler treats traffic destined to this website as undecryptable and does not perform SSL inspection. It allows or blocks the traffic depending on the SSL inspection policy you set for undecryptable traffic.
miku@safemarch:~$ openssl s_client -connect rc4-md5.badssl.com:443 -servername rc4-md5.badssl.com
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = California, L = Walnut Creek, O = Lucas Garron, CN = *.badssl.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Walnut Creek/O=Lucas Garron/CN=*.badssl.com
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHGDCCBgCgAwIBAgIQAfICAx39qY79/w9yvlEGDTANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTcwMzE4MDAwMDAwWhcN
MjAwMzI1MTIwMDAwWjBnMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTEVMBMGA1UEBxMMV2FsbnV0IENyZWVrMRUwEwYDVQQKEwxMdWNhcyBHYXJyb24x
FTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2PmzAS2BMTOqy
tMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMWhyefdOsKnRFS
JiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3AxPxTuW1CrbV8
/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqveww9HdFxBIuGa
+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SYQCeFxxC7c3Dv
aRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaOCA9gwggPUMB8GA1UdIwQYMBaA
FA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBSd7sF7gQs6R2lxGH0RN5O8
pRs/+zAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDgYDVR0P
AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8E
ZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc1
LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1n
NS5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0
cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgMwfAYIKwYBBQUHAQEE
cDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYB
BQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJT
ZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAfUGCisGAQQB1nkCBAIE
ggHlBIIB4QHfAHYApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFa
36pBXQAABAMARzBFAiEAzR4KqC0zoD8FzR8Jk0wH3CMLf/j0s/sMFySg5gsIP3oC
IHaSYDQXuInRJq1WHUHIwcdt7AscZAFWgEaCzh+8+QvCAHYAVhQGmi/XwuzT9eG9
RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFa36pCiAAABAMARzBFAiBPti1ehDk+YdyW
s4qjScmz9kuzTWor6jQYk8/GZDwRHwIhAPvbr23VquHaId4nvBHit7YGdJXpu7En
UZRQrU1P0lLVAHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFa
36pEWQAABAMARjBEAiBUQkeTNpBWju4/OXnxjOOlowEXos1XsItqfLkajzv6cQIg
QLzLDhSKvxVRNq/4Z1rfbh8iEYM6Hj52NpO9+L0565oAdgC72d+8H4pxtZOUI5eq
kntHOFeVCqtS6BqQlmQ2jh7RhQAAAVrfqkIWAAAEAwBHMEUCIHhqWRiCNNf8h3i2
ADwso5l22FFp8H6jBBp+6B2PaBSUAiEAmk8vYlhgaLLc0Gkc+MkUIZ9sEoLR+tOF
BLatSTQk1EowDQYJKoZIhvcNAQELBQADggEBAGl6hl3sDaxY762cJc5fxNG9Kc/Q
Wvf5YzTLNxIuxEfTsj/Zgm+Q2hFl9enYRj4M1Weo/sw/8Jw9DGSuypOiYXCz9Ikx
0Fc2j/Oq939JU5+ok1AikAeXna4DFTtw8ByIchrU6tbZa/JocSM0WZl7WIrgOtvw
T+qCyI9JgYCnWRbPRfhZrlKxqQpwoP++aFV0HOBR9nj/Rzisq8ZGn7f6HKVxlqHS
lBdhbmcHA/nHgbpwU2bmonivndvnpQHI8Fxd4BzbcRYM+ZIkATWA5/aOvH/EEIb6
kwipaXsqHLfaJq1SY5G097HgWHWCkCUD/pxX6psTTavqftLenSd7piK3+fw=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Walnut Creek/O=Lucas Garron/CN=*.badssl.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3335 bytes and written 537 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : RC4-MD5
Session-ID: 725CB3755C8F55CF2FBFFB4CF4ECD0B7A6FD79EF79E3E692E028B6606421EAFC
Session-ID-ctx:
Master-Key: 1B993A8A3CF48711B4630CD526BE84219D740157E226AD2883536FF073AAA7AEBD691733A7701FCA72249F6AA867C645
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 8a a2 1a 77 48 87 f2 35-55 9c a0 3f 71 4d 37 a7 ...wH..5U..?qM7.
0010 - 2a a3 a8 d9 0a 8a 38 36-6c 4b f7 f1 ae 45 37 10 *.....86lK...E7.
0020 - 88 ca 3e 3b 32 3d 67 62-1d 9e af b6 88 61 81 a1 ..>;2=gb.....a..
0030 - b4 bb 02 08 f1 18 1c 22-ee ec ac 03 3e 3a 5a ca ......."....>:Z.
0040 - 2d 6d d2 c5 f0 3e 30 54-e3 f0 84 e9 34 d1 a9 5d -m...>0T....4..]
0050 - 1e 9f 56 0a be b7 b5 6a-3b 6f 83 64 d7 bf 51 59 ..V....j;o.d..QY
0060 - 71 02 be 6e f2 83 e9 04-9e 57 28 05 f4 1f 85 34 q..n.....W(....4
0070 - 49 da 33 98 ab 40 8d be-c5 94 e3 9b 7b 18 9f 07 I.3..@......{...
0080 - f5 f6 d7 01 2d 8f 01 57-a3 8e da 07 19 97 dc 81 ....-..W........
0090 - bb f3 b5 39 27 5e 8d 4e-e3 d7 51 2e d6 7f 69 c1 ...9'^.N..Q...i.
00a0 - f0 b4 b5 e3 d2 94 d2 02-b2 a3 cd 75 36 4b 29 92 ...........u6K).
00b0 - ad bc 1b 4d e3 ba f8 83-41 7a 18 ff e1 5e 82 de ...M....Az...^..
Start Time: 1551721147
Timeout : 7200 (sec)
Verify return code: 0 (ok)
CloseZscaler considers traffic from such websites undecryptable. You can configure the SSL Inspection policy to allow or block undecryptable traffic.