The following cipher suites are supported by default by Imperva for secure communication over HTTPS. To enhance security, we recommend that you prioritize strong cipher suites and avoid weak ones whenever possible.

For details on customizing the TLS versions and cipher suites used by Imperva for connectivity between your website visitors and the Imperva service, see Customize Website TLS Configuration.

Note: Imperva has defined TLS 1.2 as the default minimum supported version. If you need to support earlier versions, you must enable the Support All TLS Versions option. For details, see the TLS version support section in Web Protection - SSL/TLS.

ECC/RSA certificate cipher suite support

The TLS 1.3 ciphers listed below are supported by both RSA and ECC certificates.

For earlier TLS versions, the ciphers listed below with ECDSA in the name are relevant only to ECC certificates. All other ciphers are relevant only to RSA certificates.

Supported ciphers between visitors and Imperva

The following ciphers are currently supported by Imperva. We recommend using strong ciphers and avoiding weak ciphers, which will likely be deprecated in the future.

TLS 1.3

All TLS 1.3 ciphers are strong and provide improved security and performance.

| Standard Name (RFC) | OpenSSL Name | Supported by these Imperva predefined profiles | Cipher Strength |
|---|---|---|---|
| TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 | Default, Enhanced Security | Strong |
| TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 | Default, Enhanced Security | Strong |
| TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 | Default, Enhanced Security | Strong |

TLS 1.2

Prefer GCM and CHACHA20-based ciphers with ECDHE. Avoid CBC mode, RSA key exchange, and 3DES due to known vulnerabilities.
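The following added example (not Imperva code) applies the TLS 1.2 guidance above, together with the ECDSA/RSA certificate rule from earlier on this page, to RFC-style suite names so that a configured cipher list can be audited. The function names and the sample list are assumptions made for illustration; the sample uses standard RFC suite names and is not Imperva's supported list.

```python
import re

# Constructed sample of standard RFC suite names; NOT Imperva's supported list.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]

def classify_tls12_suite(rfc_name):
    """Return (verdict, reasons, certificate_type) for a TLS 1.2-style name."""
    m = re.fullmatch(r"TLS_([A-Z0-9_]+)_WITH_([A-Z0-9_]+)", rfc_name)
    if m is None:
        # TLS 1.3 names carry no key exchange and no _WITH_ part: out of scope.
        raise ValueError(f"not a TLS 1.2-style suite name: {rfc_name!r}")
    key_exchange, cipher = m.groups()

    # The three things the page says to avoid.
    reasons = []
    if key_exchange == "RSA":
        reasons.append("RSA key exchange")
    if "3DES" in cipher:
        reasons.append("3DES")
    if "_CBC_" in cipher:
        reasons.append("CBC mode")

    # What the page says to prefer: GCM or CHACHA20 together with ECDHE.
    aead = "_GCM_" in cipher or cipher.startswith("CHACHA20_")
    if reasons:
        verdict = "avoid"
    elif key_exchange.startswith("ECDHE_") and aead:
        verdict = "preferred"
    else:
        verdict = "not preferred"  # e.g. DHE: not on the avoid list, not ECDHE

    # Page rule: ECDSA in the name means ECC certificates, all others RSA.
    cert = "ECC" if "ECDSA" in key_exchange else "RSA"
    return verdict, reasons, cert

def suites_to_avoid(names):
    """Map each suite that hits an 'avoid' criterion to the reasons it did."""
    results = {name: classify_tls12_suite(name) for name in names}
    return {n: r[1] for n, r in results.items() if r[0] == "avoid"}

if __name__ == "__main__":
    for name in SAMPLE_SUITES:
        verdict, reasons, cert = classify_tls12_suite(name)
        print(f"{name:46} {cert:3} {verdict:13} {', '.join(reasons)}")
```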

TLS 1.1 and 1.0

Supported ciphers between Imperva and the origin server

Imperva proxies connect to the origin server declaring support for TLS 1.3.

If the origin server chooses an earlier TLS version, the proxy will accept it.

When TLS version 1.2 or earlier is chosen by the origin server, it can use ciphers from the TLS 1.2 list below that are available in the TLS version chosen.

TLS 1.3

| Standard Name (RFC) | OpenSSL Name | Cipher Strength |
|---|---|---|
| TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 | Strong |
| TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 | Strong |
| TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 | Strong |

TLS 1.2
