TLS Cipher Suites

This page contains information about the TLS Cipher Suites used by the PCoIP Connection Manager and PCoIP Security Gateway, and instructions for restricting the full list to subsets if desired.

PCoIP Connection Manager TLS Cipher Suites

The PCoIP Connection Manager supports the following cipher suites for the TLS connections from the PCoIP client, to the connection broker, and to the PCoIP Agent (in decreasing order of preference):

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

PCoIP Security Gateway Supported TLS Cipher Suites

The PCoIP Security Gateway supports the following cipher suites for TLS connections, in decreasing order of preference:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Blacklisting Cipher Suites

Both the PCoIP Connection Manager and PCoIP Security Gateway can be configured to accept subsets of the full cipher suite list. This is done by blacklisting unwanted suites via configuration settings and restarting the respective service.

Blacklisting Cipher Suites for PCoIP Client Connections

You can limit the cipher suites accepted for incoming PCoIP client connections by using the ClientSSLCipherBlackList setting to blacklist unwanted suites. For more information, see PCoIP Connection Manager Configuration Settings.

Changing the ClientSSLCipherBlackList setting updates the cipher suite list

Changing the ClientSSLCipherBlackList setting and then restarting the PCoIP Connection Manager service causes the SSLCipherSuite variable in /opt/Teradici/thirdparty/tomcat/conf/server.xml to be updated with the revised cipher suite list. Tomcat uses the ciphers specified in server.xml for all its inbound connections.

Blacklisting Cipher Suites for Connection Broker and PCoIP Agent Connections

You can limit the cipher suites accepted for communications with a connection broker or PCoIP agent by using the ServerSSLCipherBlackList setting to blacklist unwanted suites. For more information, see PCoIP Connection Manager Configuration Settings.

Blacklisting Cipher Suites for PCoIP Security Gateway Connections

You can configure the PCoIP Security Gateway to support a subset of the cipher suites listed above for the PCoIP Security Gateway. The SSLCipherBlackList setting removes cipher suites from that list. For more information, see PCoIP Connection Manager Configuration Settings.
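One way to work out which suites to blacklist is to classify the names in the supported list by key exchange, cipher mode and hash, then split the list by policy. The following is an added example, not Teradici code; the policy tag names and function names are hypothetical, and the value syntax of the blacklist settings is not shown here (see PCoIP Connection Manager Configuration Settings).

```python
import re

# Supported suites as listed on this page, in decreasing order of preference.
SUPPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# TLS_<key exchange>_WITH_AES_<bits>_<mode>_<hash>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z_]+?)_WITH_AES_(?P<bits>128|256)_(?P<mode>GCM|CBC)_(?P<hash>SHA\d*)$"
)

def weaknesses(suite):
    """Return the policy tags (hypothetical names) that apply to one suite."""
    m = SUITE_RE.match(suite)
    if m is None:
        raise ValueError(f"unrecognised suite name: {suite!r}")
    tags = set()
    if not m["kx"].startswith("ECDHE"):
        tags.add("no_forward_secrecy")   # static RSA key exchange
    if m["mode"] == "CBC":
        tags.add("cbc")                  # MAC-then-encrypt, not AEAD
    if m["hash"] == "SHA":
        tags.add("sha1")                 # HMAC-SHA1 record MAC
    return tags

def plan_blacklist(supported, reject):
    """Split `supported` into (blacklist, remaining), keeping preference order."""
    blacklist = [s for s in supported if weaknesses(s) & set(reject)]
    remaining = [s for s in supported if s not in blacklist]
    if not remaining:
        # A blacklist covering every suite leaves nothing to negotiate.
        raise ValueError("policy would blacklist every supported suite")
    return blacklist, remaining

if __name__ == "__main__":
    blacklist, remaining = plan_blacklist(SUPPORTED, {"no_forward_secrecy", "cbc"})
    print("blacklist:", *blacklist, sep="\n  ")
    print("remaining:", *remaining, sep="\n  ")
```

Before restarting the service, confirm that every PCoIP client, connection broker and PCoIP agent in the deployment can negotiate at least one of the remaining suites.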