TLS 1.3 Protocol Configuration and Supported Algorithms


TLS 1.3 is fully supported across all IPWorks editions and can be enabled in both client and server components. Once enabled, the component handles protocol negotiation automatically using modern cryptographic defaults designed for secure communication.

Configuration and Defaults

TLS 1.3 can be enabled using the SSLEnabledProtocols setting:

component.Config("SSLEnabledProtocols=12288"); // TLS 1.3

When TLS 1.3 is enabled, the component automatically uses the internal security implementation by setting UseInternalSecurityAPI to True, avoiding reliance on external system libraries.

The following cipher suites are enabled by default:

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256

Signature Algorithms

TLS 1.3 supports a predefined set of signature algorithms used during authentication. These are enabled by default and generally do not require modification:

  • ed25519
  • ed448
  • ecdsa_secp256r1_sha256
  • ecdsa_secp384r1_sha384
  • ecdsa_secp521r1_sha512
  • rsa_pkcs1_sha256
  • rsa_pkcs1_sha384
  • rsa_pkcs1_sha512
  • rsa_pss_sha256
  • rsa_pss_sha384
  • rsa_pss_sha512

Supported Groups and Key Exchange

Key exchange groups define how secure session keys are established during TLS negotiation.

Supported Groups

The TLS13SupportedGroups setting defines available (EC)DHE groups used during key exchange:

  • ecdhe_x25519
  • ecdhe_x448
  • ecdhe_secp256r1
  • ecdhe_secp384r1
  • ecdhe_secp521r1
  • ffdhe_2048
  • ffdhe_3072
  • ffdhe_4096
  • ffdhe_6144
  • ffdhe_8192

Key Share Optimization

The TLS13KeyShareGroups setting controls which groups have key shares pre-generated to improve handshake performance:

  • ecdhe_x25519 (default)
  • ecdhe_secp256r1 (default)
  • ecdhe_secp384r1 (default)
  • ffdhe_2048 (default)
  • ffdhe_3072 (default)
  • Additional groups such as ecdhe_x448, ecdhe_secp521r1, and the larger FFDHE groups are available when required

In most scenarios, default values provide the best balance between security and performance without requiring changes.
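The following added example (not n software code) models how the TLS13SupportedGroups and TLS13KeyShareGroups lists interact during a TLS 1.3 handshake: a server that selects a supported group with no pre-generated key share answers with a HelloRetryRequest, which costs an extra round trip. The function names, the server profiles, and the strict server-preference policy are assumptions made for illustration.

```python
# Added illustration of TLS 1.3 group selection (RFC 8446, sections 4.1.4 and 4.2.8).
# Group names come from the lists on this page; everything else is an assumption.
SUPPORTED_GROUPS = [
    "ecdhe_x25519", "ecdhe_x448", "ecdhe_secp256r1", "ecdhe_secp384r1",
    "ecdhe_secp521r1", "ffdhe_2048", "ffdhe_3072", "ffdhe_4096",
    "ffdhe_6144", "ffdhe_8192",
]
DEFAULT_KEY_SHARE_GROUPS = [
    "ecdhe_x25519", "ecdhe_secp256r1", "ecdhe_secp384r1", "ffdhe_2048", "ffdhe_3072",
]

# Constructed server profiles (ordered by server preference), not real hosts.
SERVER_PROFILES = {
    "modern": ["ecdhe_x25519", "ecdhe_secp256r1"],
    "p521_only": ["ecdhe_secp521r1"],
    "ffdhe_large_first": ["ffdhe_4096", "ffdhe_3072"],
    "no_overlap": ["hypothetical_unlisted_group"],
}


def negotiate(supported, key_shares, server_preference):
    """Return (outcome, group) for one ClientHello.
    Assumed server policy: pick the first group in the server's own preference
    order that the client also lists, whether or not a key share was sent.
    """
    stray = [g for g in key_shares if g not in supported]
    if stray:
        # RFC 8446 4.2.8: key shares must be for groups in supported_groups.
        raise ValueError(f"key share groups not in supported groups: {stray}")
    for group in server_preference:
        if group in supported:
            if group in key_shares:
                return ("1-RTT", group)  # server can use the share already sent
            return ("HelloRetryRequest", group)  # costs an extra round trip
    return ("handshake_failure", None)  # no common group


def audit(key_shares, profiles=SERVER_PROFILES, supported=SUPPORTED_GROUPS):
    """Negotiate against every profile and return {profile: (outcome, group)}."""
    return {name: negotiate(supported, key_shares, prefs)
            for name, prefs in profiles.items()}


if __name__ == "__main__":
    with_p521 = DEFAULT_KEY_SHARE_GROUPS + ["ecdhe_secp521r1"]
    for label, shares in [("defaults", DEFAULT_KEY_SHARE_GROUPS),
                          ("defaults + secp521r1", with_p521)]:
        for name, result in audit(shares).items():
            print(f"{label:22} {name:18} {result}")
```

Under the assumed strict server preference, the ffdhe_large_first profile still triggers a HelloRetryRequest even though a key share for ffdhe_3072 was sent, because the server prefers ffdhe_4096.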
