|
This page applies to Appian Cloud only. It may not reflect the differences with Appian Government Cloud. |
Appian Cloud allows customers to configure web access to Appian environments using different TLS policies. This article outlines the differences between supported policies so that customers can determine the correct one for their needs.
The permissive TLS 1.2 policy requires clients to access the environment using TLS 1.2. This policy supports the use of forward secrecy cipher suites for clients that support it, but can fall back to cipher suites without forward secrecy to support legacy clients.
This is the default policy for Appian Cloud environments and portals, as it offers the security of TLS 1.2 with forward secrecy while maintaining compatibility with older systems that do not support forward secrecy.
This policy is similar to the permissive TLS 1.2 policy, but it only allows clients to access environments using cipher suites that support forward secrecy. Additionally, this policy disables cipher suites that include the CBC block cipher. This policy can be enabled upon customer request by creating an Appian Support case.
Tip: TLS 1.2 strict policy is not supported for portals and static content delivery.
This policy supports TLS 1.3 with fallback to TLS 1.2. It includes support for the same cipher suites as the TLS 1.2 permissive policy.
Tip: TLS 1.3/1.2 permissive policy is only supported for selected environments in US GovCloud regions.
This policy supports TLS 1.3 with fallback to TLS 1.2. It includes support for the the same cipher suites as the TLS 1.2 strict policy.
Tip: TLS 1.3/1.2 strict policy is only supported for selected environments in US GovCloud regions
The following table shows a side-by-side comparison of the cipher suites supported by each of Appian Cloud's TLS policies.
| OpenSSL cipher suite | TLS 1.2 permissive | TLS 1.2 strict | TLS 1.3/1.2 permissive | TLS 1.3/1.2 strict |
|---|---|---|---|---|
| TLS_AES_128_GCM_SHA256 | ✓ | ✓ | ||
| TLS_AES_256_GCM_SHA384 | ✓ | ✓ | ||
| ECDHE-ECDSA-AES128-GCM-SHA256 | ✓ | ✓ | ✓ | ✓ |
| ECDHE-RSA-AES128-GCM-SHA256 | ✓ | ✓ | ✓ | ✓ |
| ECDHE-ECDSA-AES128-SHA256 | ✓ | ✓ | ||
| ECDHE-RSA-AES128-SHA256 | ✓ | ✓ | ||
| ECDHE-ECDSA-AES128-SHA | ✓ | ✓ | ||
| ECDHE-RSA-AES128-SHA | ✓ | |||
| ECDHE-ECDSA-AES256-GCM-SHA384 | ✓ | ✓ | ✓ | ✓ |
| ECDHE-RSA-AES256-GCM-SHA384 | ✓ | ✓ | ✓ | ✓ |
| ECDHE-ECDSA-AES256-SHA384 | ✓ | ✓ | ||
| ECDHE-RSA-AES256-SHA384 | ✓ | ✓ | ||
| ECDHE-RSA-AES256-SHA | ✓ | |||
| ECDHE-ECDSA-AES256-SHA | ✓ | |||
| AES128-GCM-SHA256 | ✓ | ✓ | ||
| AES128-SHA256 | ✓ | ✓ | ||
| AES128-SHA | ✓ | |||
| AES256-GCM-SHA384 | ✓ | ✓ | ||
| AES256-SHA256 | ✓ | ✓ |
TLS Policies for Inbound Web Access
