Cryptography Provider Overview
An overview of the features that are provided by the two versions of the Cryptography Provider that are included with WebSEAL.
The cryptography provider is the library that provides cryptographic functions for the reverse proxy. It is sometimes referred to as GSKit within the documentation.
WebSEAL supports two major versions of its cryptography provider, version 8 and version 9. Each version supports different protocols, algorithms, and FIPS mode processing standards. Version 9 introduces support for Post-Quantum Cryptography (PQC) algorithms and removes support for deprecated protocols and algorithms. Version 8 remains available to support applications that require those deprecated protocols or algorithms.
WebSEAL automatically selects the appropriate cryptography provider based on the configuration. By default, WebSEAL uses version 9. However, it falls back to version 8 when configured with protocols or algorithms that are no longer supported in version 9. This selection is made independently for each cryptographic location. For example, the reverse proxy can use version 8 to connect to a single junctioned application that requires deprecated protocols, while using version 9 for listen sockets and other junctioned applications.
TLS Protocol Support
Version 9 of the cryptography provider no longer supports TLS protocol versions that have been deprecated by the Internet Engineering Task Force (IETF).
| TLS Protocol | Deprecated by IETF? | Supported by Cryptography Provider Version 8? | Supported by Cryptography Provider Version 9? |
|---|---|---|---|
| TLS 1.3 | No | Yes | Yes |
| TLS 1.2 | No | Yes | Yes |
| TLS 1.1 | Yes, RFC 8996 | Yes | No |
| TLS 1.0 | Yes, RFC 8996 | Yes | No |
| SSLv3 | Yes, RFC 7568 | Yes | No |
| SSLv2 | Yes, RFC 6176 | Yes | No |
| TLS Protocol | Configuration Entry | Default Value |
|---|---|---|
| TLS 1.3 | disable-tls-v13 |
no |
| TLS 1.2 | disable-tls-v12 |
no |
| TLS 1.1 | disable-tls-v11 |
yes |
| TLS 1.0 | disable-tls-v1 |
yes |
| SSLv3 | disable-ssl-v3 |
yes |
| SSLv2 | disable-ssl-v2 |
yes |
TLS 1.2 Encryption Algorithm Support
| Algorithm | Deprecated by IETF or NIST? | Supported by Cryptography Provider version 8? | Supported by Cryptography Provider version 9? |
|---|---|---|---|
| RC4 | Yes, RFC 7645 | Yes | No |
| 3DES | Yes, NIST SP800-67 R2 withdrawn | Yes | No |
TLS_ECDHE_ECDSA_WITH_RC4_128_SHATLS_ECDHE_RSA_WITH_RC4_128_SHATLS_RSA_WITH_RC4_128_SHATLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHATLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHATLS_RSA_WITH_3DES_EDE_CBC_SHA
These cipher specifications are not enabled by default.
ALL does not cause version 8 of
the cryptography provider to be used. ALL includes these cipher specifications if
version 8 of the cryptography provider is used due to other configuration, but not if version 9 of
the cryptography provider is used.TLS 1.3 Key Agreement Support
ECDHE_X25519MLKEM768ECDHE_SecP256r1MLKEM768ECHDE_SecP384r1MLKEM1024MLKEM768MLKEM1024
ssl-key-agreement and
ssl-extension-supported-groups configuration entries in the [ssl] stanza, [junction] stanza, or [junction:<jct-id>] stanza.FIPS Mode Processing
When the reverse proxy is configured to run with FIPS mode processing, the FIPS security requirements applied differ based on the version of the cryptography provider that is used.
Version 9 of the cryptography provider is compliant with the FIPS 140-3 requirements. For more information about FIPS 140-3, see https://csrc.nist.gov/pubs/fips/140-3/final.
Version 8 of the cryptography provider is compliant with the FIPS 140-2 requirements. For more information about FIPS 140-2, see https://csrc.nist.gov/pubs/fips/140-2/upd2/final.
FIPS mode processing can be configured through the fips-mode-processing
configuration entry in the [ssl] stanza and the
fips-mode-processings configuration entries in the [junction] stanza, or [junction:<jct-id>] stanza.