KB-2091 Understanding TLS policies in Appian Cloud

Purpose

Appian Cloud allows customers to configure HTTPS access to sites using one of two TLS policies: TLS 1.2 and TLS 1.2 with Forward Secrecy Only. The recommended TLS policy for most sites is TLS 1.2, as it offers forward secrecy to clients that support it while maintaining compatibility with older systems that do not support forward secrecy. This article outlines the differences between these two policies so that customers can determine the correct TLS policy for their needs.

TLS 1.2

The TLS 1.2 policy requires users to access the site using TLS 1.2. This policy uses forward secrecy cipher suites for clients that support them, but can fall back to TLS 1.2 cipher suites without forward secrecy in order to support older HTTPS clients. This is the default policy for sites in Appian Cloud.

TLS 1.2 with Forward Secrecy Only

This policy is similar to the TLS 1.2 policy, but it only allows clients to access sites using cipher suites that provide forward secrecy. This policy can be enabled upon customer request by creating an Appian Support case.

Comparison

The following table shows a side-by-side comparison of the cipher suites supported by each of Appian Cloud's TLS policies.

OpenSSL Cipher Suite Name        TLS 1.2    TLS 1.2 with Forward Secrecy Only
ECDHE-ECDSA-AES128-GCM-SHA256    Y          Y
ECDHE-RSA-AES128-GCM-SHA256      Y          Y
ECDHE-ECDSA-AES128-SHA256        Y          Y
ECDHE-RSA-AES128-SHA256          Y          Y
ECDHE-ECDSA-AES128-SHA           Y          N
ECDHE-RSA-AES128-SHA             Y          N
ECDHE-ECDSA-AES256-GCM-SHA384    Y          Y
ECDHE-RSA-AES256-GCM-SHA384      Y          Y
ECDHE-ECDSA-AES256-SHA384        Y          Y
ECDHE-RSA-AES256-SHA384          Y          Y
ECDHE-RSA-AES256-SHA             Y          N
ECDHE-ECDSA-AES256-SHA           Y          N
AES128-GCM-SHA256                Y          N
AES128-SHA256                    Y          N
AES128-SHA                       Y          N
AES256-GCM-SHA384                Y          N
AES256-SHA256                    Y          N
AES256-SHA                       Y          N
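
Before requesting the Forward Secrecy Only policy, it helps to check whether each integration's client cipher list still shares a suite with the site. The following is an added example, not Appian code: the suite names come from the table above, while the function names and the two sample client lists are constructed for illustration.

```python
# Suite names copied from the comparison table; all other names are hypothetical.
FS_ONLY = [  # rows marked Y under both policies
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
]
TLS12 = FS_ONLY + [  # rows marked Y under the TLS 1.2 policy only
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
]

def parse_cipher_list(text):
    """Split an OpenSSL-style list (colon or whitespace separated), keeping order."""
    return text.replace(":", " ").split()

def assess(client_ciphers):
    """Report which offered suites each policy accepts and what FS-only drops."""
    offered = parse_cipher_list(client_ciphers)
    tls12 = [s for s in offered if s in TLS12]
    fs_only = [s for s in offered if s in FS_ONLY]
    dropped = {
        # ECDHE suites are forward secret, yet the -SHA ones are absent from FS-only.
        s: "ECDHE, not in FS-only list" if s.startswith("ECDHE-") else "no forward secrecy"
        for s in tls12 if s not in FS_ONLY
    }
    if fs_only:
        verdict = "works under both policies"
    elif tls12:
        verdict = "works under TLS 1.2 only"
    else:
        verdict = "no suite in common with either policy"
    return {"tls12": tls12, "fs_only": fs_only, "dropped": dropped,
            "unlisted": [s for s in offered if s not in TLS12], "verdict": verdict}

# Constructed client lists, e.g. as an integration's TLS library might be configured.
MODERN = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA"
LEGACY = "ECDHE-RSA-AES128-SHA:AES256-SHA:DES-CBC3-SHA"

if __name__ == "__main__":
    for name, ciphers in (("modern", MODERN), ("legacy", LEGACY)):
        print(name, assess(ciphers))
```

The legacy list shows why checking for an ECDHE prefix is not enough: its only ECDHE suite is one of the four that the Forward Secrecy Only column omits, so that client would connect under TLS 1.2 and fail after the switch.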

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: October 2020
