For security reasons, support for RSA cipher suites, which do not support PFS, will be disabled
For security reasons, support for RSA cipher suites (Rivest Shamir Adleman algorithm), which do not support PFS (Perfect Forward Secrecy), will be disabled in a production environment from June 01, 2023. Only ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) and DHE (Diffie-Hellman Ephemeral) encryption sets will remain supported, which support PFS when accessing portals and web services OKTE, a.s. when communicating using the TLS1.2 protocol.
When exchanging data using the TLS1.3 protocol, the current cipher suites are preserved. This change will be applied to the test environment during the service window on February 28, 2023 from 10 p.m. From those dates, the following encryption sets will be supported when communicating with the TLS1.2 or TLS1.3 encryption protocol:
| Hexcode | Cipher Suite Name (OpenSSL) | KeyExch. | Encryption | Bits | Cipher Suite Name (IANA/RFC) |
| x1302 | TLS_AES_256_GCM_SHA384 | ECDH 253 | AESGCM | 256 | TLS_AES_256_GCM_SHA384 |
| x1303 | TLS_CHACHA20_POLY1305_SHA256 | ECDH 253 | ChaCha20 | 256 | TLS_CHACHA20_POLY1305_SHA256 |
| xc030 | ECDHE-RSA-AES256-GCM-SHA384 | ECDH 384 | AESGCM | 256 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| xc028 | ECDHE-RSA-AES256-SHA384 | ECDH 384 | AES | 256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| xc014 | ECDHE-RSA-AES256-SHA | ECDH 384 | AES | 256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| x9f | DHE-RSA-AES256-GCM-SHA384 | DH 2048 | AESGCM | 256 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| xcca8 | ECDHE-RSA-CHACHA20-POLY1305 | ECDH 384 | ChaCha20 | 256 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
| xc0a3 | DHE-RSA-AES256-CCM8 | DH 2048 | AESCCM8 | 256 | TLS_DHE_RSA_WITH_AES_256_CCM_8 |
| xc09f | DHE-RSA-AES256-CCM | DH 2048 | AESCCM | 256 | TLS_DHE_RSA_WITH_AES_256_CCM |
| x6b | DHE-RSA-AES256-SHA256 | DH 2048 | AES | 256 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| x39 | DHE-RSA-AES256-SHA | DH 2048 | AES | 256 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| x1301 | TLS_AES_128_GCM_SHA256 | ECDH 253 | AESGCM | 128 | TLS_AES_128_GCM_SHA256 |
| xc02f | ECDHE-RSA-AES128-GCM-SHA256 | ECDH 384 | AESGCM | 128 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| xc027 | ECDHE-RSA-AES128-SHA256 | ECDH 384 | AES | 128 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| xc013 | ECDHE-RSA-AES128-SHA | ECDH 384 | AES | 128 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| x9e | DHE-RSA-AES128-GCM-SHA256 | DH 2048 | AESGCM | 128 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| xc0a2 | DHE-RSA-AES128-CCM8 | DH 2048 | AESGCM | 128 | TLS_DHE_RSA_WITH_AES_128_CCM_8 |
| xc09e | DHE-RSA-AES128-CCM | DH 2048 | AESGCM | 128 | TLS_DHE_RSA_WITH_AES_128_CCMTLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| x67 | DHE-RSA-AES128-SHA256 | DH 2048 | AES | 128 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| x33 | DHE-RSA-AES128-SHA | DH 2048 | AES | 128 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA |