This page applies to Appian Cloud only. It may not reflect the differences with Appian Government Cloud. |
Appian Cloud uses Transport Layer Security (TLS) to secure inbound web traffic.
This article outlines the different supported policies and options for enabling them.
Appian Cloud supports four different policies across all areas of the platform:
TLS 1.2 permissive | TLS 1.2 strict | TLS 1.3/1.2 permissive | TLS 1.3/1.2 strict | |
---|---|---|---|---|
Environment dynamic content (commercial regions) | ✓ (default) | ✓ | ||
Environment dynamic content (GovCloud regions) | ✓ (default) | ✓ | ||
Static content delivery (commercial regions) | < Appian 22.4 | Appian 22.4+ | ||
Static content delivery (GovCloud regions) | < Appian 23.4 | Appian 23.4+ | ||
Portals | ✓ |
The permissive TLS 1.2 policy requires clients to access the environment using TLS 1.2. This policy supports the use of forward secrecy cipher suites for clients that support it, but can fall back to cipher suites without forward secrecy to support legacy clients.
This policy is similar to the permissive TLS 1.2 policy, but it only allows clients to access environments using cipher suites that support forward secrecy. Additionally, this policy disables cipher suites that include the CBC block cipher.
If supported, this policy can be enabled upon customer request by creating an Appian Support case.
This policy supports TLS 1.3 with fallback to TLS 1.2. It includes support for the same cipher suites as the TLS 1.2 permissive policy.
This policy supports TLS 1.3 with fallback to TLS 1.2. It includes support for the the same cipher suites as the TLS 1.2 strict policy.
If supported, this policy can be enabled upon customer request by creating an Appian Support case.
The following table shows a side-by-side comparison of the cipher suites supported by each of Appian Cloud's TLS policies.
OpenSSL cipher suite | TLS 1.2 permissive | TLS 1.2 strict | TLS 1.3/1.2 permissive | TLS 1.3/1.2 strict |
---|---|---|---|---|
TLS_AES_128_GCM_SHA256 | ✓ | ✓ | ||
TLS_AES_256_GCM_SHA384 | ✓ | ✓ | ||
ECDHE-ECDSA-AES128-GCM-SHA256 | ✓ | ✓ | ✓ | ✓ |
ECDHE-RSA-AES128-GCM-SHA256 | ✓ | ✓ | ✓ | ✓ |
ECDHE-ECDSA-AES128-SHA256 | ✓ | ✓ | ||
ECDHE-RSA-AES128-SHA256 | ✓ | ✓ | ||
ECDHE-ECDSA-AES128-SHA | ✓ | ✓ | ||
ECDHE-RSA-AES128-SHA | ✓ | |||
ECDHE-ECDSA-AES256-GCM-SHA384 | ✓ | ✓ | ✓ | ✓ |
ECDHE-RSA-AES256-GCM-SHA384 | ✓ | ✓ | ✓ | ✓ |
ECDHE-ECDSA-AES256-SHA384 | ✓ | ✓ | ||
ECDHE-RSA-AES256-SHA384 | ✓ | ✓ | ||
ECDHE-RSA-AES256-SHA | ✓ | |||
ECDHE-ECDSA-AES256-SHA | ✓ | |||
AES128-GCM-SHA256 | ✓ | ✓ | ||
AES128-SHA256 | ✓ | ✓ | ||
AES128-SHA | ✓ | |||
AES256-GCM-SHA384 | ✓ | ✓ | ||
AES256-SHA256 | ✓ | ✓ |
TLS Policies for Inbound Web Access