About Web Security Appliance

The Cisco Web Security Appliance intercepts and monitors Internet traffic and applies policies to help keep your internal network secure from malware, sensitive data loss, productivity loss, and other Internet-based threats.

Supported Ciphers

This section contains the list of supported ciphers (SSL and SSH) for AsyncOS for Web Security Appliance.

Port 8443 (Management Interface)

TLS 1.0

  • ECDHE-RSA-AES256-SHA - YES
  • DHE-RSA-AES256-SHA - YES
  • DHE-RSA-CAMELLIA256-SHA - YES
  • AES256-SHA - YES
  • CAMELLIA256-SHA - YES
  • ECDHE-RSA-DES-CBC3-SHA - YES
  • EDH-RSA-DES-CBC3-SHA - YES
  • DES-CBC3-SHA - YES
  • ECDHE-RSA-AES128-SHA - YES
  • DHE-RSA-AES128-SHA - YES
  • DHE-RSA-SEED-SHA - YES
  • DHE-RSA-CAMELLIA128-SHA - YES
  • AES128-SHA - YES
  • SEED-SHA - YES
  • CAMELLIA128-SHA - YES

TLS 1.1

  • ECDHE-RSA-AES256-SHA - YES
  • DHE-RSA-AES256-SHA - YES
  • DHE-RSA-CAMELLIA256-SHA - YES
  • AES256-SHA - YES
  • CAMELLIA256-SHA - YES
  • ECDHE-RSA-DES-CBC3-SHA - YES
  • EDH-RSA-DES-CBC3-SHA - YES
  • DES-CBC3-SHA - YES
  • ECDHE-RSA-AES128-SHA - YES
  • DHE-RSA-AES128-SHA - YES
  • DHE-RSA-SEED-SHA - YES
  • DHE-RSA-CAMELLIA128-SHA - YES
  • AES128-SHA - YES
  • SEED-SHA - YES
  • CAMELLIA128-SHA - YES

TLS 1.2

  • ECDHE-RSA-AES256-GCM-SHA384 - YES
  • ECDHE-RSA-AES256-SHA384 - YES
  • ECDHE-RSA-AES256-SHA - YES
  • DHE-RSA-AES256-GCM-SHA384 - YES
  • DHE-RSA-AES256-SHA256 - YES
  • DHE-RSA-AES256-SHA - YES
  • DHE-RSA-CAMELLIA256-SHA - YES
  • AES256-GCM-SHA384 - YES
  • AES256-SHA256 - YES
  • AES256-SHA - YES
  • CAMELLIA256-SHA - YES
  • ECDHE-RSA-DES-CBC3-SHA - YES
  • EDH-RSA-DES-CBC3-SHA - YES
  • DES-CBC3-SHA - YES
  • ECDHE-RSA-AES128-GCM-SHA256 - YES
  • ECDHE-RSA-AES128-SHA256 - YES
  • ECDHE-RSA-AES128-SHA - YES
  • DHE-RSA-AES128-GCM-SHA256 - YES
  • DHE-RSA-AES128-SHA256 - YES
  • DHE-RSA-AES128-SHA - YES
  • DHE-RSA-SEED-SHA - YES
  • DHE-RSA-CAMELLIA128-SHA - YES
  • AES128-GCM-SHA256 - YES
  • AES128-SHA256 - YES
  • AES128-SHA - YES
  • SEED-SHA - YES
  • CAMELLIA128-SHA - YES

Port 443 (SSL Port)

TLS 1.0

  • ECDHE-RSA-AES128-SHA - YES
  • ECDHE-ECDSA-AES128-SHA - YES
  • DHE-RSA-AES256-SHA - YES
  • DHE-RSA-AES128-SHA - YES
  • AES256-SHA - YES
  • AES128-SHA - YES

  Default Mode:

  • DHE-RSA-AES128-SHA - YES
  • AES128-SHA - YES

TLS 1.1

  • ECDHE-RSA-AES128-SHA - YES
  • ECDHE-ECDSA-AES128-SHA - YES
  • DHE-RSA-AES256-SHA - YES
  • DHE-RSA-AES128-SHA - YES
  • AES256-SHA - YES
  • AES128-SHA - YES

  Default Mode:

  • DHE-RSA-AES128-SHA - YES
  • AES128-SHA - YES

TLS 1.2

  • DHE-RSA-AES256-GCM-SHA384 - YES
  • DHE-RSA-AES128-GCM-SHA256 - YES
  • DHE-RSA-AES256-SHA256 - YES
  • DHE-RSA-AES256-SHA - YES
  • DHE-RSA-AES128-SHA - YES
  • DHE-RSA-AES128-SHA256 - YES
  • AES256-GCM-SHA384 - YES
  • AES256-SHA256 - YES
  • AES256-SHA - YES
  • AES128-GCM-SHA256 - YES
  • AES128-SHA256 - YES
  • AES128-SHA - YES
  • ECDHE-ECDSA-AES256-GCM-SHA384 - YES
  • ECDHE-ECDSA-CHACHA20-POLY1305 - YES
  • ECDHE-ECDSA-AES128-GCM-SHA256 - YES
  • ECDHE-ECDSA-AES256-SHA384 - YES
  • ECDHE-ECDSA-AES128-SHA256 - YES
  • ECDHE-ECDSA-AES128-CCM - YES
  • ECDHE-ECDSA-AES256-CCM - YES
  • ECDHE-RSA-AES256-GCM-SHA384 - YES
  • ECDHE-RSA-CHACHA20-POLY1305 - YES
  • ECDHE-RSA-AES128-GCM-SHA256 - YES
  • ECDHE-RSA-AES256-SHA384 - YES
  • ECDHE-RSA-AES128-SHA256 - YES
  • ECDHE-RSA-AES128-SHA - YES

  Default Mode:

  • AES256-GCM-SHA384 - YES
  • AES256-SHA256 - YES
  • DHE-RSA-AES128-SHA - YES
  • AES128-GCM-SHA256 - YES
  • AES128-SHA256 - YES
  • AES128-SHA - YES

TLS 1.3

  • TLS_AES_128_GCM_SHA256 - YES
  • TLS_CHACHA20_POLY1305_SHA256 - YES
  • TLS_AES_256_GCM_SHA384 - YES

  Default Mode:

  • TLS_AES_256_GCM_SHA384 - YES

Note: AsyncOS 12.0.1 and later versions support ECDHE related ciphers for TLS 1.0, TLS 1.1, and TLS 1.2.

Note: AsyncOS 12.0.1 and later versions support TLS 1.3.

Port 22 (SSH Port)

ssh2-enum-algos:

1. kex_algorithms (7):

  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group1-sha1
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521

2. encryption_algorithms (8):

  • 3des-cbc
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • rijndael-cbc@lysator.liu.se
  • aes128-ctr
  • aes192-ctr
  • aes256-ctr

3. server_host_key_algorithms (4):

  • ssh-dss
  • ssh-rsa
  • rsa-sha2-512
  • rsa-sha2-256

4. mac_algorithms (4):

  • hmac-sha1
  • hmac-ripemd160
  • hmac-ripemd160@openssh.com
  • umac-64@openssh.com

5. compression_algorithms (2):

  • none
  • zlib@openssh.com

Unsupported Ciphers

This section contains the list of unsupported ciphers.

Port 8443 (Management Interface)

SSL V 3.0

  • RC4-MD5
  • RC4-SHA

TLS 1.0

  • RC4-MD5
  • RC4-SHA