Supported Cipher Suites
- Last Updated: Apr 28, 2025
The following cipher suites are supported by default by Imperva for secure communication over HTTPS. To enhance security, we recommend that you prioritize strong cipher suites and avoid weak ones whenever possible.
For details on customizing the TLS versions and cipher suites used by Imperva for connectivity between your website visitors and the Imperva service, see Customize Website TLS Configuration.
Note: Imperva has defined TLS 1.2 as the default minimum supported version. If you need to support earlier versions, you must enable the Support All TLS Versions option. For details, see the TLS version support section in Web Protection - SSL/TLS.
ECC/RSA certificate cipher suite support
The TLS 1.3 ciphers listed below are supported by both RSA and ECC certificates.
For earlier TLS versions, the ciphers listed below with ECDSA in the name are relevant only to ECC certificates. All other ciphers are relevant only to RSA certificates.
Supported ciphers between visitors and Imperva
Following are the ciphers currently supported by Imperva. We recommend using strong ciphers to ensure security and avoiding weak ciphers, as they will likely be deprecated in the future.
TLS 1.3
All TLS 1.3 ciphers are strong and provide improved security and performance.
Standard Name (RFC) | OpenSSL Name | Supported by these Imperva predefined profiles | Cipher Strength |
---|---|---|---|
TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 | Default, Enhanced Security | Strong |
TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 | Default, Enhanced Security | Strong |
TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 | Default, Enhanced Security | Strong |
TLS 1.2
Prefer GCM and CHACHA20-based ciphers with ECDHE. Avoid CBC mode, RSA key exchange, and 3DES due to known vulnerabilities.
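The guidance above, together with the ECC/RSA certificate rule earlier on this page, can be applied mechanically to a candidate cipher list before it is used in a custom TLS configuration. The following Python is an added example, not Imperva code: the function names and the sample list are constructed for illustration, and the "unrated" verdict is this example's own label for suites the guidance does not address (for instance, DHE key exchange).

```python
import re

# TLS 1.3 suites listed on this page; usable with both RSA and ECC certificates.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_AES_256_GCM_SHA384"}

# Constructed sample: a candidate cipher list using standard RFC names.
SAMPLE = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

def classify(name):
    """Return (verdict, cert_types, reasons) for an RFC cipher suite name."""
    if name in TLS13_SUITES:
        return "strong", {"RSA", "ECC"}, []
    m = re.fullmatch(r"TLS_([A-Z0-9_]+?)_WITH_([A-Z0-9_]+)", name)
    if not m:
        raise ValueError(f"not an RFC-style cipher suite name: {name}")
    key_exchange, cipher = m.groups()
    # Page rule for pre-1.3 suites: ECDSA in the name means ECC certificate only, otherwise RSA only.
    cert_types = {"ECC"} if "ECDSA" in name else {"RSA"}
    reasons = []
    if key_exchange == "RSA":
        reasons.append("RSA key exchange")
    if "_CBC" in cipher:
        reasons.append("CBC mode")
    if "3DES" in cipher:
        reasons.append("3DES")
    if reasons:
        return "avoid", cert_types, reasons
    if key_exchange.startswith("ECDHE") and ("GCM" in cipher or "CHACHA20" in cipher):
        return "preferred", cert_types, []
    return "unrated", cert_types, ["not covered by the guidance above"]

def audit(suites, cert_type):
    """Map each suite that needs attention to its list of findings."""
    findings = {}
    for name in suites:
        _verdict, cert_types, reasons = classify(name)
        issues = list(reasons)
        if cert_type not in cert_types:
            issues.append(f"unusable with {cert_type} certificate")
        if issues:
            findings[name] = issues
    return findings
```

Calling `audit(SAMPLE, "RSA")` returns only the suites that need a decision: the ECDSA suite that an RSA certificate cannot serve, and the CBC, RSA key exchange and 3DES suites the guidance says to avoid.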
TLS 1.1 and 1.0
Supported ciphers between Imperva and the origin server
Imperva proxies connect to the origin server declaring support for TLS 1.3.
If the origin server chooses an earlier TLS version, the proxy will accept it.
When TLS version 1.2 or earlier is chosen by the origin server, it can use ciphers from the TLS 1.2 list below that are available in the TLS version chosen.
TLS 1.3
Standard Name (RFC) | OpenSSL Name | Cipher Strength |
---|---|---|
TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 | Strong |
TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 | Strong |
TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 | Strong |