Syntax for All Other Cipher Suite Specifications

For any cipher suite list that is not specified in a connection factory of a Java client, use the OpenSSL syntax. In particular, C clients and the ssl_server_ciphers configuration parameter require OpenSSL syntax.

While the full syntax of OpenSSL cipher suite selection is supported for TLSv1.2 cipher suites, we recommend using a simplified form based on the SECLEVEL directive. (See the OpenSSL documentation on SECLEVEL for details at https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html.) For instance, a cipher specification consisting of only @SECLEVEL=2 will yield a set of ciphers that is secure, but maintains a moderate level of backward compatibility.

In OpenSSL syntax, specifying a cipher suite name adds that cipher suite to the list. Each cipher suite name can be preceded by a qualifier. Cipher suite names are case-sensitive. The following table describes the qualifiers available using OpenSSL syntax.

Note: The syntax described in the table below only applies to TLSv1.2 cipher suites. TLSv1.3 connections are subject only to the SECLEVEL restrictions. TLSv1.3 cipher suites always take priority over TLSv1.2 ones.

Qualifier    Description

/            When entered as the first item in the list, this option causes EMS to begin with an empty list, and add the ciphers that follow the slash.

             If the / does not prefix the cipher list, then EMS prefixes the cipher list with the OpenSSL cipher string DEFAULT.

             This modifier can only be used at the beginning of the list. If the / appears elsewhere, the syntax of the cipher suite list will be incorrect and cause an error.

+            Moves the cipher to the end of the list.

             This qualifier is used to move an existing cipher. It cannot be used to add a new cipher to the list.

-            Removes the cipher from the list of ciphers. When this option is used, the cipher can be added later on in the list of ciphers.

!            Permanently disables the cipher within the list of ciphers. Use this option if you wish to remove a cipher and you do not want later items in the list to add the cipher to the list. This qualifier takes precedence over all other qualifiers.

ALL          All ciphers from the list (except null ciphers). You can use this keyword to add or remove all ciphers.

             At least one cipher suite must be present or the TLS connection fails to initialize. So, after using -ALL, you should add at least one cipher to the list.

This example specifies cipher suites in the ssl_server_ciphers configuration parameter.

    ssl_server_ciphers = -ALL:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384

This example illustrates disabling ECDHE-RSA-AES128-GCM-SHA256, then adding all other ciphers:

    ssl_server_ciphers = !ECDHE-RSA-AES128-GCM-SHA256:ALL
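
To check which TLSv1.2 suites a given list actually leaves enabled before deploying it, the following added example (not part of the EMS documentation or product code) resolves a list with the OpenSSL library that the local Python is linked against. The helper names to_openssl and resolve_tls12 are hypothetical, and the mapping of the / and DEFAULT rules onto a plain OpenSSL string is an assumption based on the table above; the OpenSSL version bundled with EMS may resolve keywords differently.

```python
import ssl


def to_openssl(spec: str) -> str:
    """Build the string assumed to reach OpenSSL for an EMS cipher list.

    Assumption from the qualifier table: a leading "/" means "start from
    an empty list"; otherwise the list is prefixed with DEFAULT.
    """
    spec = spec.strip()
    if spec.startswith("/"):
        rest = spec[1:]
    else:
        rest = "DEFAULT:" + spec if spec else "DEFAULT"
    if "/" in rest:
        # The table states "/" is only valid at the beginning of the list.
        raise ValueError("'/' may only appear as the first character")
    return rest


def resolve_tls12(spec: str) -> list:
    """Return the TLSv1.2-and-earlier suites the list enables, in order.

    An empty result means the list would leave no usable suite, the case
    the documentation warns about after -ALL.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(to_openssl(spec))
    except ssl.SSLError:
        # OpenSSL rejects a list that selects no cipher at all.
        return []
    # TLSv1.3 suites are not governed by this syntax, so filter them out.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    # The two lists below are the examples from this page; the third is
    # a constructed list that removes everything and adds nothing back.
    for value in (
        "-ALL:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384",
        "!ECDHE-RSA-AES128-GCM-SHA256:ALL",
        "-ALL",
    ):
        suites = resolve_tls12(value)
        status = "OK" if suites else "NO USABLE SUITE"
        print(f"{value}\n  -> {len(suites)} suite(s) [{status}]")
        for name in suites[:5]:
            print("     ", name)
```

An empty result for a list flags the condition in which the TLS connection fails to initialize.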