Communications
TLSv1.3 is the default for all communications. When the peer does not support TLSv1.3 then TLSv1.2 will be used as a fallback. The tunnel protocol used for the VPN connection can be configured in Sites>General.
Appliance to Appliance communication
nginx_peer_ciphers = TLS13-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
Mutual certificate-based authentication with DN checking is used for communication between appliances (port 443).
Client and Admin to Appliance communication (defaults)
nginx_client_ciphers = TLS13-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
Applies to the nginx listeners on ports 443 and 8443.
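The cipher strings above are OpenSSL-style lists, and OpenSSL silently drops tokens it does not recognise rather than rejecting them, so a misspelt suite name can leave a listener with fewer (or different) suites than intended. The following script is an added example, not Appgate code: it feeds a cipher string from this page into Python's standard-library ssl module, reports which suites OpenSSL actually enables for TLSv1.2 and TLSv1.3, and flags any enabled suite that is not AEAD or lacks an ephemeral key exchange. Note that the TLSv1.3 entry is governed by OpenSSL's separate ciphersuite list and shows up under its IANA-style name (TLS_AES_256_GCM_SHA384), not the TLS13- spelling used in this configuration.

```python
"""Audit an OpenSSL-style cipher string with the standard-library ssl module.

Added example for this page; not part of Appgate SDP. Assumes Python 3.7+
linked against OpenSSL 1.1.1 or later.
"""
import ssl

# Copied from this page's nginx_peer_ciphers setting.
NGINX_PEER_CIPHERS = "TLS13-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def enabled_suites(cipher_string):
    """Return {protocol: [cipher dicts]} for the suites OpenSSL enables.

    Unknown tokens (such as the TLS13-... spelling) are ignored by OpenSSL;
    set_ciphers() only raises if nothing at all matches.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Mirrors the page: TLSv1.3 by default, TLSv1.2 as the fallback.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    by_proto = {}
    for cipher in ctx.get_ciphers():
        by_proto.setdefault(cipher["protocol"], []).append(cipher)
    return by_proto


def audit(cipher_string):
    """Return a list of findings; an empty list means every enabled suite is
    AEAD and (for TLSv1.2) uses an ephemeral (E)DHE key exchange."""
    findings = []
    for proto, suites in enabled_suites(cipher_string).items():
        for cipher in suites:
            name = cipher["name"]
            if not cipher["aead"]:
                findings.append(f"{proto} {name}: not an AEAD suite")
            # TLSv1.3 suites always use ephemeral key exchange; check 1.2 only.
            if proto == "TLSv1.2" and "DHE" not in name:
                findings.append(f"{proto} {name}: no forward secrecy")
    return findings


def report(cipher_string):
    """Human-readable summary of what a listener configured with
    cipher_string would actually offer."""
    lines = []
    for proto, suites in sorted(enabled_suites(cipher_string).items()):
        names = ", ".join(c["name"] for c in suites)
        lines.append(f"{proto}: {names}")
    findings = audit(cipher_string)
    lines.append("findings: " + (", ".join(findings) if findings else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(NGINX_PEER_CIPHERS))
```

Run it against each cipher string on this page; a string with a typo in the TLSv1.2 suite name (for example a stray hyphen in the AES token) produces no TLSv1.2 entry at all, which is the kind of silent fallback loss this check is meant to catch.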
SSH to appliance
Ciphers = AES-256-CTR, AES-192-CTR, AES-128-CTR
Client to Gateway tunnel
Cipher = TLS13-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
Mutual certificate-based authentication with DN checking is used for this communication.
Single Packet Authorization
Cipher = AES-256-GCM
Appliance certificate generated by Controller
SHA512 with RSA, key size 4096.
It is a Certificate Authority with a maximum of 0 intermediate CAs: basicConstraints = critical, CA:true, pathlen:0; keyUsage = critical, digitalSignature, cRLSign, keyCertSign.
The CA certificate is also used for controller-to-client authentication when communicating with appliances: extendedKeyUsage = clientAuth, serverAuth.
Claims and Entitlement Token encryption
Cipher = AES-256-CTR
Database Encryption
Cipher = AES-256-CTR
Backup file
Cipher = GPG symmetric (AES-256-CFB)
FIPS
Desktop Clients 6.4.1 and later comply with FIPS 140-3.
Appliances 6.4.1 and later comply with FIPS 140-3 for Appliance to Appliance and Client to Appliance communication.
See https://csrc.nist.gov/publications/detail/fips/140/3/final.
Appgate SDP uses the wolfCrypt module. See https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Certificate/4718.
Desktop Clients and Appliances 6.4.0 comply with FIPS 140-2.