Compatible ciphers
Puppet Enterprise (PE) is compatible with a variety of ciphers for different services.
TLSv1.2 cipher suites have two names: an IANA name (for example TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and an OpenSSL name (ECDHE-RSA-AES128-GCM-SHA256). Which format you must use depends on the service being configured. TLSv1.3 cipher suite names are identical in the IANA and OpenSSL formats, so they can be used interchangeably.
Use IANA format for these services on TLSv1.2:
Use OpenSSL format for these services on TLSv1.2:
To use TLSv1.3, you must enable both TLSv1.2 and TLSv1.3; TLSv1.3 cannot be enabled on its own.
To use the ECDSA cipher suites (ECDHE-ECDSA-*), you must use your own CA and certificates with ECC keys, because the certificates Puppet Server generates do not use ECC keys and cannot negotiate these suites.
The following table lists the TLSv1.2 and TLSv1.3 ciphers PE accepts by default for FIPS and non-FIPS installations. A FIPS installation accepts only the ciphers marked Yes in the FIPS support column. If a cipher that is not in this list is configured or offered, the handshake is rejected when the service tries to establish the connection.
| Ciphers in IANA format | Ciphers in OpenSSL format | TLS protocol | FIPS support |
|---|---|---|---|
| TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 | TLSv1.3 | Yes |
| TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 | TLSv1.3 | Yes |
| TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 | TLSv1.3 | No |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-ECDSA-CHACHA20-POLY1305 | TLSv1.2 | No |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-RSA-CHACHA20-POLY1305 | TLSv1.2 | No |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 | TLSv1.2 | Yes |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | Yes |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | Yes |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | No |
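Because some services take IANA names and others take OpenSSL names, a cipher list copied from one service's configuration to another is easy to get wrong. The following script, added here as an example and not part of Puppet Enterprise or its documentation, derives the OpenSSL spelling from the IANA name (including the ChaCha20-Poly1305 case, where OpenSSL drops the trailing hash), accepts a configured list in either format, and reports how PE would treat each entry in a non-FIPS or FIPS installation, using the table above as the reference set. The function names, the `ACCEPTED` table and the sample cipher list are the example's own.

```python
"""Normalise Puppet Enterprise cipher names between the IANA and OpenSSL
formats and check a configured cipher list against the table above.

Added example for this page; it is not Puppet's own code. The accepted
ciphers are copied from the table on this page; the function and
variable names are the example's own.
"""

# (IANA name) -> (TLS protocol, accepted in FIPS mode), from the table.
ACCEPTED = {
    "TLS_AES_256_GCM_SHA384": ("TLSv1.3", True),
    "TLS_AES_128_GCM_SHA256": ("TLSv1.3", True),
    "TLS_CHACHA20_POLY1305_SHA256": ("TLSv1.3", False),
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": ("TLSv1.2", False),
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": ("TLSv1.2", False),
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": ("TLSv1.2", True),
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": ("TLSv1.2", True),
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": ("TLSv1.2", True),
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": ("TLSv1.2", False),
}


def iana_to_openssl(name):
    """Derive the OpenSSL spelling of an IANA cipher-suite name.

    TLSv1.3 suites have no "_WITH_" and keep the same name in both
    formats. For TLSv1.2 suites OpenSSL drops the "TLS_" prefix and the
    word "WITH", joins the key-exchange/authentication tokens with "-",
    fuses the cipher with its key size (AES_128 -> AES128), and omits the
    trailing hash for ChaCha20-Poly1305 (the AEAD fixes the MAC).
    """
    if "_WITH_" not in name:
        return name
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA cipher-suite name: {name}")
    kex, enc = name[len("TLS_"):].split("_WITH_", 1)
    parts = enc.split("_")
    if parts[0] == "AES" and parts[1].isdigit():
        parts = [parts[0] + parts[1]] + parts[2:]
    if parts[0] == "CHACHA20" and parts[-1].startswith("SHA"):
        parts = parts[:-1]
    return "-".join(kex.split("_") + parts)


# Reverse map so a list written in OpenSSL format can be checked too.
OPENSSL_TO_IANA = {iana_to_openssl(n): n for n in ACCEPTED}


def normalise(name):
    """Return the IANA name for a cipher given in either format, or None
    if it is not one of the ciphers PE accepts."""
    if name in ACCEPTED:
        return name
    return OPENSSL_TO_IANA.get(name)


def check_protocols(enabled):
    """Return an error message if TLSv1.3 is enabled without TLSv1.2
    (the page requires both), otherwise None."""
    if "TLSv1.3" in enabled and "TLSv1.2" not in enabled:
        return "TLSv1.3 requires TLSv1.2 to be enabled as well"
    return None


def check_cipher_list(cipher_string, fips=False):
    """Check a ":"- or ","-separated cipher list in either naming format.

    Returns (configured_name, verdict) pairs. A cipher outside the table
    is rejected at connection time; a FIPS install also rejects the
    suites the table marks as not FIPS-supported; ECDSA suites are
    accepted only with ECC CA certificates, so they are flagged.
    """
    results = []
    for raw in cipher_string.replace(",", ":").split(":"):
        name = raw.strip()
        if not name:
            continue
        iana = normalise(name)
        if iana is None:
            results.append((name, "rejected: not a PE-accepted cipher"))
            continue
        proto, fips_ok = ACCEPTED[iana]
        if fips and not fips_ok:
            results.append((name, f"rejected: {proto} suite not FIPS-approved"))
        elif "_ECDSA_" in iana:
            results.append((name, f"accepted ({proto}); requires ECC CA certificates"))
        else:
            results.append((name, f"accepted ({proto})"))
    return results


if __name__ == "__main__":
    # Constructed sample: a mixed-format list with one legacy CBC suite.
    sample = ("TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
              "DHE-RSA-AES256-GCM-SHA384:AES128-SHA")
    print(check_protocols(["TLSv1.3"]))
    for configured, verdict in check_cipher_list(sample, fips=True):
        print(f"{configured:45} {verdict}")
```

Run it against the cipher string you intend to put in a service's configuration before deploying it: any entry reported as rejected is one that would fail at handshake time rather than at configuration time, and the ECDSA entries remind you that the certificate chain, not just the cipher list, has to change.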