TLS and SSH Cipher #54929

alexandreazedojscrambler · 2025-05-19T14:54:35Z

alexandreazedojscrambler
May 19, 2025

I needed to know which ciphers are used for TLS and for tsh ssh to servers via teleport cloud?
I found this issue, but it's been a while and I don't know if it's still up to date: #2108
Thanks

Answered by webvictim

May 23, 2025

The default ciphers used by Teleport are listed here:

teleport/lib/utils/tls.go

Lines 170 to 190 in 520cfe9

     // DefaultCipherSuites returns the default list of cipher suites that  
   // Teleport supports. By default Teleport only support modern ciphers  
   // (Chacha20 and AES GCM) and key exchanges which support perfect forward  
   // secrecy (ECDHE).  
   //  
   // Note that TLS_RSA_WITH_AES_128_GCM_SHA{256,384} have been dropped due to  
   // being banned by HTTP2 which breaks gRPC clients. For more information see:  
   // https://tools.ietf.org/html/rfc7540#appendix-A. These two can still be  
   // manually added if needed.  
   func DefaultCipherSuites() []uint16 {  
 

View full answer

webvictim · 2025-05-23T18:28:26Z

webvictim
May 23, 2025
Collaborator

The default ciphers used by Teleport are listed here:

teleport/lib/utils/tls.go

Lines 170 to 190 in 520cfe9

    
           // DefaultCipherSuites returns the default list of cipher suites that 
        
           // Teleport supports. By default Teleport only support modern ciphers 
        
           // (Chacha20 and AES GCM) and key exchanges which support perfect forward 
        
           // secrecy (ECDHE). 
        
           // 
        
           // Note that TLS_RSA_WITH_AES_128_GCM_SHA{256,384} have been dropped due to 
        
           // being banned by HTTP2 which breaks gRPC clients. For more information see: 
        
           // https://tools.ietf.org/html/rfc7540#appendix-A. These two can still be 
        
           // manually added if needed. 
        
           func DefaultCipherSuites() []uint16 { 
        
           	return []uint16{ 
        
           		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 
        
           		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 
        
           		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 
        
           		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 
        
           		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
        
           		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
        
           	} 
        
           }

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

TLS and SSH Cipher #54929

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

	// DefaultCipherSuites returns the default list of cipher suites that
	// Teleport supports. By default Teleport only support modern ciphers
	// (Chacha20 and AES GCM) and key exchanges which support perfect forward
	// secrecy (ECDHE).
	//
	// Note that TLS_RSA_WITH_AES_128_GCM_SHA{256,384} have been dropped due to
	// being banned by HTTP2 which breaks gRPC clients. For more information see:
	// https://tools.ietf.org/html/rfc7540#appendix-A. These two can still be
	// manually added if needed.
	func DefaultCipherSuites() []uint16 {

TLS and SSH Cipher #54929

Uh oh!

alexandreazedojscrambler May 19, 2025

Replies: 1 comment

Uh oh!

webvictim May 23, 2025 Collaborator

alexandreazedojscrambler
May 19, 2025

webvictim
May 23, 2025
Collaborator