Question

In CDS Transaction Security, the following cipher suites are listed:

• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Our implementation is unable to support the following two ciphers as they are deemed insecure:

• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Is this acceptable?

Answer

Supporting only two of the listed cipher suites is perfectly acceptable. The CDS Transaction Security section states that only those four ciphers shall be permitted. The Data Holder has discretion to choose which of those ciphers to support.