This page applies to Appian Cloud only. It may not reflect the differences with Appian Government Cloud.
Appian Cloud allows customers to configure web access to Appian environments using different TLS policies. This article outlines the differences between supported policies so that customers can determine the correct one for their needs.
The default TLS 1.2 policy requires users to access the environment using TLS 1.2. This policy supports the use of forward secrecy cipher suites for clients that support them, but can fall back to cipher suites without forward secrecy to support older web clients.
This is the default policy for Appian Cloud environments, portals, and process mining environments, as it offers the security of TLS 1.2 with forward secrecy while maintaining compatibility with older systems that do not support forward secrecy.
The TLS 1.2 strict policy is similar to the default TLS 1.2 policy, but it only allows clients to access environments using cipher suites that support forward secrecy. Additionally, this policy disables cipher suites that use the CBC block cipher mode. This policy can be enabled upon customer request by creating an Appian Support case.
Tip: TLS 1.2 strict policy is not supported for Process Mining and Portals.
The following table shows a side-by-side comparison of the cipher suites supported by each of Appian Cloud's TLS policies.
OpenSSL cipher suite | TLS 1.2 default | TLS 1.2 strict |
---|---|---|
ECDHE-ECDSA-AES128-GCM-SHA256 | ✓ | ✓ |
ECDHE-RSA-AES128-GCM-SHA256 | ✓ | ✓ |
ECDHE-ECDSA-AES128-SHA256 | ✓ | |
ECDHE-RSA-AES128-SHA256 | ✓ | |
ECDHE-ECDSA-AES128-SHA | ✓ | |
ECDHE-RSA-AES128-SHA | ✓ | |
ECDHE-ECDSA-AES256-GCM-SHA384 | ✓ | ✓ |
ECDHE-RSA-AES256-GCM-SHA384 | ✓ | ✓ |
ECDHE-ECDSA-AES256-SHA384 | ✓ | |
ECDHE-RSA-AES256-SHA384 | ✓ | |
ECDHE-RSA-AES256-SHA | ✓ | |
ECDHE-ECDSA-AES256-SHA | ✓ | |
AES128-GCM-SHA256 | ✓ | |
AES128-SHA256 | ✓ | |
AES128-SHA | ✓ | |
AES256-GCM-SHA384 | ✓ | |
AES256-SHA256 | ✓ | |
AES256-SHA | ✓ | |
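
The following Python sketch is an added example, not Appian's code. It applies the strict policy's two rules (forward secrecy only, no CBC) to the default list from the table and reports which suites a given client could negotiate under each policy. The function names and the `LEGACY_CLIENT` sample are constructed for illustration, and the CBC check is a name heuristic that holds only for the AES suites in this table.

```python
import ssl

# OpenSSL names from the table above: every suite in the "TLS 1.2 default" column.
DEFAULT_POLICY = """
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA
AES128-GCM-SHA256 AES128-SHA256 AES128-SHA
AES256-GCM-SHA384 AES256-SHA256 AES256-SHA
""".split()

def has_forward_secrecy(suite):
    # Ephemeral ECDH key exchange; names with no key-exchange prefix use static RSA.
    return suite.startswith("ECDHE-")

def uses_cbc(suite):
    # Assumption: for the AES suites listed here, anything that is not GCM is AES-CBC with HMAC.
    return "-GCM-" not in suite

def strict_policy(suites=DEFAULT_POLICY):
    """Apply the strict policy's two rules: forward secrecy only, no CBC."""
    return [s for s in suites if has_forward_secrecy(s) and not uses_cbc(s)]

def shared_suites(client_offer, policy):
    """Suites from `policy` that a client offering `client_offer` could negotiate."""
    offered = set(client_offer)
    return [s for s in policy if s in offered]

def local_client_offer():
    """Suites this Python/OpenSSL build enables by default (varies by build)."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]

# Constructed sample: an older client that offers only static-RSA and CBC suites.
LEGACY_CLIENT = ["AES128-SHA", "AES256-SHA", "ECDHE-RSA-AES128-SHA"]

if __name__ == "__main__":
    print("strict policy:         ", strict_policy())
    print("legacy client, default:", shared_suites(LEGACY_CLIENT, DEFAULT_POLICY))
    print("legacy client, strict: ", shared_suites(LEGACY_CLIENT, strict_policy()))
    print("this runtime, strict:  ", shared_suites(local_client_offer(), strict_policy()))
```

An empty list for a client under the strict policy means that client has no suite in common with it and would fail the TLS handshake once the policy is enabled.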