The Network Connector initiates an IP over TLS connection to specific service IP addresses on port 443 with the following spec:

- Authentication: RSA 2048/SHA256 certificates
- Cipher suites supported:
  - Initial enrollment and registration – always TLS 1.2 cipher suites
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    - TLS_RSA_WITH_AES_256_GCM_SHA384
    - TLS_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_CBC_SHA256
    - TLS_RSA_WITH_AES_128_CBC_SHA256
    - TLS_RSA_WITH_AES_256_CBC_SHA
    - TLS_RSA_WITH_AES_128_CBC_SHA
  - Data connectivity (tunnel)
    - TLS 1.2
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
      - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    - TLS 1.3
      - TLS_AES_256_GCM_SHA384
      - TLS_CHACHA20_POLY1305_SHA256
      - TLS_AES_128_GCM_SHA256
Notes:

- The service chooses the cipher suite based on what the Network Connector offers, which depends on the OS version. If there are multiple options, the one with the highest priority in the Network Connector's cipher suite order is used.
- For example, if a server running Windows Server 2016 has TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as its preferred cipher suite, that is the suite that will be used from the lists above. In other scenarios the suite could differ depending on OS capabilities. See the Network Connector requirements for minimum OS versions.
- The procedure to enable or disable specific cipher suites depends on the OS. For Windows, you can find more details here.
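The following is an added example, not code from the Network Connector or its documentation. It encodes the three cipher-suite lists above and the selection rule from the notes (the service accepts the suite the connector ranks highest among those it supports), then reports what the selected suite gives you. The two client orders are constructed samples, not captured from a real host, and TLS version negotiation is left out: the tunnel phase is modelled as the union of its TLS 1.2 and TLS 1.3 suites. It also shows one consequence of the lists that is easy to miss when reading them: a host whose order contains only TLS_RSA_* suites can still enroll, but has no suite in common with the tunnel phase.

```python
"""Model the cipher-suite selection described in the Network Connector spec.

Added example, not the product's own code. Lists are copied from the spec;
client orders are constructed; version negotiation is out of scope.
"""

from typing import Dict, List, Optional

# Service-side lists, copied from the spec above.
ENROLLMENT_TLS12: List[str] = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
TUNNEL_TLS12: List[str] = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
]
TUNNEL_TLS13: List[str] = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]
# Tunnel phase modelled as the union of both versions' suites (no version negotiation here).
TUNNEL: List[str] = TUNNEL_TLS12 + TUNNEL_TLS13

# Constructed client orders (hypothetical; not real Get-TlsCipherSuite output).
WIN2016_OFFER: List[str] = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]
LEGACY_OFFER: List[str] = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def negotiate(client_offer: List[str], service_supported: List[str]) -> Optional[str]:
    """Return the first suite in the client's order that the service supports.

    This is the rule from the notes: client priority decides among the
    suites the service accepts. None means no suite in common.
    """
    supported = set(service_supported)
    for suite in client_offer:
        if suite in supported:
            return suite
    return None


def assess(suite: str) -> List[str]:
    """Describe the security properties a selected suite lacks (empty list = none flagged)."""
    findings: List[str] = []
    if suite.startswith("TLS_RSA_WITH_"):
        findings.append("static RSA key exchange: no forward secrecy")
    if "_CBC_" in suite:
        findings.append("CBC mode: not an AEAD cipher")
    if suite.endswith("_CBC_SHA"):
        findings.append("HMAC-SHA1 record MAC")
    return findings


def check_host(client_offer: List[str]) -> Dict[str, Optional[str]]:
    """Work out the suite each phase would use for a given client order."""
    return {
        "enrollment": negotiate(client_offer, ENROLLMENT_TLS12),
        "tunnel": negotiate(client_offer, TUNNEL),
    }


if __name__ == "__main__":
    for name, offer in (("win2016", WIN2016_OFFER), ("legacy", LEGACY_OFFER)):
        result = check_host(offer)
        for phase, suite in result.items():
            status = suite or "NO COMMON SUITE"
            notes = "; ".join(assess(suite)) if suite else ""
            print(f"{name:8} {phase:11} {status}  {notes}")
```

Running the script prints the Windows Server 2016 sample selecting TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for both phases, matching the worked example in the notes, while the legacy sample enrolls on TLS_RSA_WITH_AES_256_CBC_SHA and has nothing in common with the tunnel lists. When reviewing a host's actual cipher suite order, the useful check is therefore whether at least one ECDHE suite (for TLS 1.2) or a TLS 1.3 suite is enabled, since the tunnel phase offers no static RSA suites at all.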