0

I've got a certificate with the following cipher EDCHE-RSA-AES256-GCM-SHA384 on a Tomcat 6 (can only use TLS1, I know it's old). I've read somewhere that this cipher is for TLS1.2. Does that mean that you need TLS1.2, or that it also works with TLS1.2? Would it work with TLS1.0?

Thanks.

13dimitar
Em.
  • I assume you mean **ECDHE**. `ECDHE-RSA-AES256-GCM-SHA384` is the definition of a TLS cypher suite, not of a certificate. That cypher suite _is_ only supported by TLS 1.2, but if that string has really anything to do with the certificate that is installed it ought to be a normal RSA certificate that you should be able to use with TLS 1.0. – gbr May 29 '17 at 13:48
  • Yep, ECDHE. Typo. The certificate is issued with that suite. Would it work with only TLS 1? – Em. May 29 '17 at 13:51
  • No it's not "issued with that suite". – gbr May 29 '17 at 14:13

1 Answer

2

> I've got a certificate with following cipher EDCHE-RSA-AES256-GCM-SHA384 ...

A certificate does not come with a cipher. It comes with a public key, and the type of key restricts a bit which ciphers can be used (i.e. ECDSA vs. RSA authentication, RSA key exchange). The usable ciphers instead depend on the TLS implementation and configuration in client and server.

All *-SHA384 ciphers are defined only with TLS 1.2. This means that to use this cipher, the protocol version supported by both client and server must be TLS 1.2. Any client not offering TLS 1.2 or later in the TLS handshake will not offer this cipher, and a server which does not support TLS 1.2 will not have implemented this cipher anyway.

Steffen Ullrich
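To check this against a local OpenSSL build, the following added example (not part of the original answer) uses Python's `ssl` module to read the minimum protocol version OpenSSL records for the suite from the question, and to list the RSA-authenticated suites that the same RSA certificate could serve on a TLS 1.0-only server. The helper names `all_suites`, `suite_info` and `pre_tls12_rsa_suites` are assumptions of this example, and the output depends on the OpenSSL build Python is linked against.

```python
import ssl

TARGET = "ECDHE-RSA-AES256-GCM-SHA384"  # suite name from the question


def all_suites():
    """Return the cipher suites known to the linked OpenSSL, as dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # "ALL" selects every compiled-in suite except the no-encryption ones,
    # rather than only the default (hardened) selection.
    ctx.set_ciphers("ALL")
    return ctx.get_ciphers()


def suite_info(name):
    """Look up one suite by its OpenSSL name; None if this build lacks it."""
    return next((c for c in all_suites() if c["name"] == name), None)


def pre_tls12_rsa_suites():
    """Names of suites that authenticate with an RSA certificate and whose
    minimum protocol is below TLS 1.2 (usable on a TLS 1.0-only server)."""
    return [
        c["name"]
        for c in all_suites()
        if c.get("auth") == "auth-rsa"
        and c["protocol"] not in ("TLSv1.2", "TLSv1.3")
    ]


if __name__ == "__main__":
    info = suite_info(TARGET)
    # 'protocol' is the minimum TLS version the suite is defined for.
    print(TARGET, "->", info["protocol"], info["kea"], info["auth"])
    print("RSA-certificate suites available below TLS 1.2:")
    for name in pre_tls12_rsa_suites():
        print("  ", name)
```

The `auth` field shows that the suite only requires an RSA certificate, which is why the same certificate can be used with the older suites in the second list.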