What SSL/TLS cipher suites should I support?

All Clover devices and servers follow industry best practices for SSL/TLS configuration. For interoperability, make sure that your servers use a compatible SSL/TLS configuration.

SSL/TLS Versions

Clover devices and servers are only guaranteed to support TLS 1.2. Some devices and servers may support TLS 1.1 and TLS 1.0. For security reasons, SSL 3.0 is not supported.

Cipher Suites

Clover devices and servers are only guaranteed to support the following cipher suites:

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384

Additional cipher suites may be supported on some servers and device models.

For security reasons, ciphers using HMAC-MD5, RC4, or single-key DES are not supported.

Important

Clover only guarantees support for the above TLS versions and cipher suites. Alternative configurations may be supported by some devices and servers, but support may be removed at any time. For example, some cipher suites supported on Clover Station are not supported on Clover Mini, and Clover may remove support for these cipher suites at any time.
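
The following Python code is an added example, not Clover's own code. It audits a server's enabled TLS versions and cipher suites against the guarantees above and builds an `ssl` server context limited to them. The OpenSSL suite names, the function names and the sample configuration are assumptions made for this example.

```python
import ssl

# Cipher suites from the list above (IANA name -> OpenSSL name used by set_ciphers).
GUARANTEED = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": "ECDHE-ECDSA-AES128-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
}

def audit(versions, suites):
    """Return (interoperable, shared_suites, findings) for a server configuration."""
    findings = []
    if "TLSv1.2" not in versions:
        findings.append("TLS 1.2 is not enabled (the only guaranteed version)")
    if "SSLv3" in versions:
        findings.append("SSL 3.0 is enabled (not supported)")
    for s in suites:
        parts = s.split("_")  # "3DES" stays distinct from single-key "DES"
        if "RC4" in parts or "DES" in parts or parts[-1] == "MD5":
            findings.append(s + ": RC4, single-key DES or HMAC-MD5 (not supported)")
        elif s not in GUARANTEED:
            findings.append(s + ": not guaranteed, support may be removed")
    shared = [s for s in suites if s in GUARANTEED]
    return "TLSv1.2" in versions and bool(shared), shared, findings

def guaranteed_server_context():
    """Server-side context limited to TLS 1.2+ and the guaranteed suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(GUARANTEED.values()))  # governs TLS 1.2 suites only
    return ctx

# Constructed sample configuration, not taken from a real server.
SAMPLE_VERSIONS = ["TLSv1.0", "TLSv1.2"]
SAMPLE_SUITES = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_RSA_WITH_RC4_128_MD5",
                 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"]

if __name__ == "__main__":
    ok, shared, findings = audit(SAMPLE_VERSIONS, SAMPLE_SUITES)
    print("interoperable:", ok, "via", shared)
    for finding in findings:
        print(" -", finding)
```

A certificate and private key still have to be loaded into the context with `load_cert_chain` before it can serve connections.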

Certificate Signatures

Only use SHA-2 signed certificates with at least 2048-bit RSA keys.