tlsv13_ciphersuites
Name
tlsv13_ciphersuites — specify allowable TLSv1.3 ciphersuites for TLS inbound and outbound sessions
Synopsis
TLSv13_Ciphersuites = "<ciphersuite>[:<another ciphersuite>]"
Description
**Configuration Change.** This option is available as of version 4.6, for SMTP reception, HTTP reception, and SMTP deliveries only.
This option specifies the allowable ciphersuites for a TLS session using the TLSv1.3 protocol. The allowable ciphersuites must be a subset of the TLSv1.3 ciphersuites available on the host system.
OpenSSL
When TLS_Engine is set to openssl, TLSv13_Ciphersuites specifies a "ciphersuite list", which is a colon (":") separated list of the supported TLSv1.3 ciphersuite names in order of preference.
There are 5 valid TLSv1.3 ciphersuites that are supported by OpenSSL 1.1.1:
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_GCM_SHA256
- TLS_AES_128_CCM_8_SHA256
- TLS_AES_128_CCM_SHA256
By default (if not explicitly specified through this configuration option), only the first three are enabled.
On the host machine, the following command shows the default TLSv1.3 ciphersuites:
openssl11 ciphers -s -tls1_3
The following command checks whether the last two ciphersuites are supported if enabled:
openssl11 ciphers -tls1_3 -v -s -ciphersuites TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256
For more information about the TLSv1.3 ciphersuites, see https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites.
- To set the option to all 5 TLSv1.3 ciphersuites supported by OpenSSL 1.1.1:
TLSv13_Ciphersuites = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256"
The default value (when this option is left unset) is "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256".
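A configured value can be checked against the rules above before it is deployed. The following linter is an added example, not part of the Momentum documentation or product; the function name, the one-option-per-line parsing, the case-insensitive option name, and the rejection of empty or duplicate entries are assumptions of this example.

```python
import re

# The five TLSv1.3 ciphersuites this page lists for OpenSSL 1.1.1.
SUPPORTED = (
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
    "TLS_AES_128_CCM_SHA256",
)
DEFAULT_ENABLED = SUPPORTED[:3]  # per the page: only the first three are on by default

# Assumption: one option per line, option name matched case-insensitively.
_LINE = re.compile(r'^\s*TLSv13_Ciphersuites\s*=\s*"([^"]*)"\s*$', re.IGNORECASE)


def lint_tlsv13_ciphersuites(line):
    """Return (suites, errors, notes); suites is the valid preference order."""
    m = _LINE.match(line)
    if not m:
        return [], ['expected TLSv13_Ciphersuites = "<list>"'], []
    suites, errors, notes = [], [], []
    for pos, name in enumerate(m.group(1).split(":"), start=1):
        if not name:
            errors.append(f"entry {pos}: empty name (stray ':')")
        elif name not in SUPPORTED:
            # Typical cause: a TLSv1.2 cipher string pasted into the TLSv1.3 option.
            errors.append(f"entry {pos}: {name!r} is not a TLSv1.3 ciphersuite name")
        elif name in suites:
            errors.append(f"entry {pos}: duplicate {name}")
        else:
            suites.append(name)
            if name not in DEFAULT_ENABLED:
                # The page's openssl11 command confirms support on the host.
                notes.append(f"{name} is off by default; confirm host support")
    return suites, errors, notes


if __name__ == "__main__":
    # Constructed sample lines, not taken from a real configuration.
    samples = [
        'TLSv13_Ciphersuites = "TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256"',
        'TLSv13_Ciphersuites = "ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_GCM_SHA256:"',
    ]
    for s in samples:
        print(lint_tlsv13_ciphersuites(s))
```

The second sample shows the usual mistake: a TLSv1.2-style cipher string is not a TLSv1.3 ciphersuite name and is reported as an error.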
GNUTLS
This option has no meaning for GNUTLS.
Note
This option is new in Momentum 4.6.
Scope
tlsv13_ciphersuites is valid in the binding, binding_group, domain, esmtp_listener, global, http_listener, listen, pathway, pathway_group and peer scopes.