Details of the API security model and supported protocols.
Transport Layer Security (TLS) Protocol
After consultation with the Infrastructure Security, Operational Security and Spine DDC teams TLSv1.2 SSL protocol SHALL be supported.
Supported Ciphers
After consultation with the Infrastructure Security, Operational Security and Spine DDC teams the following SSL ciphers SHALL be supported.
Important: The list of supported ciphers is ordered in order of preference (i.e. the first item being the most preferred).
AESGCM+EECDHAESGCM+EDHAES256+EECDHAES256+EDH
Note: GCM (Galois Counter Mode) suites are preferred as these are resistant to timing attacks1.
Important: A Java 8 (or above) Runtime Environment and/or an upto date version of OpenSSL is required to support the GCM cipher suites.
1Digitcert - SSL Support Enabling Perfect Forward Secrecy
Tomcat OpenSSL Support Using The APR/Native Provider
- SSLCipherSuite =
AESGCM+EECDH,AESGCM+EDH,AES256+EECDH,AES256+EDH - SSLHonorCipherOrder =
true - SSLProtocol =
TLSv1.2 - SSLVerifyClient =
require
Please see the Tomcat Config HTTP SSL Support webpage for more details.
External Documents / Policy Documents
| Name | Author | Version | Updated |
| Approved Cryptographic Algorithms Good Practice Guidelines | NHS Digital | v4.0 | 13/07/2016 |
| Warranted Environment Specification (WES) | NHS Digital | v1.0 | June 2015 |