Support for Cipher Suites
The C SDK supports the default cipher suites of Apache Tomcat up to and including Tomcat 8.0.33. Subsequent versions of Tomcat may exclude ciphers that are used by earlier versions of OpenSSL and therefore could prevent the C SDK from connecting to the server in question (a ThingWorx platform).
With OpenSSL, you can choose from 110 ciphers. For more information about the supported cipher suites, visit
As of release 2.2.1 of the C SDK, axTLS is no longer provided in the distribution bundle. For best security practices, use OpenSSL. In addition, as of release 2.2.1, the version of OpenSSL in the non-FIPS 32- and 64-bit distribution bundles of the C SDK is 1.0.2q. The version of OpenSSL in the FIPS distribution bundle is 1.0.2l.
Custom Cipher Suites
As of v.2.1.2 of the C SDK, you can customize what cipher suites are used at run time through a C SDK parameter. Called cipher_set, this parameter has been added to the twcfg data structure of the C SDK. This parameter allows you to specify a string that contains your cipher suite configuration. This parameter is supported only for builds that are based on OpenSSL. When specifying a string, use the OpenSSL cipher list configuration format, which you can find at
If you do not specify any cipher suites, secure defaults are used. The default string is set in twOpenSSL.h as follows:
If FIPS mode is enabled, any configuration that you may have entered is ignored. Instead, the following configuration string is used:
The file, twNoTls.h, sets the cipher suite to null because the functionality is not supported in the build.
You will see a warning if the C SDK detects a different OpenSSL version being used at run time than the version with which the application was built.
A Note About Cipher Suites
If your application communicates with an instance of the ThingWorx platform that uses Java 1.7, the cipher suite list should include !kEDH (as shown below) to disable Ephemeral Diffie-Hellman ciphers. Otherwise, Ephemeral Diffie-Hellman (EDH) key exchange will fail, and your device application will be unable to connect to the ThingWorx platform.
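One way to check a candidate cipher_set string before deploying it is to expand it with an OpenSSL cipher list parser and confirm that no EDH key-exchange suites remain. This is an added example, not code from the C SDK; it uses Python's standard ssl module, and the two cipher strings are constructed samples, not the SDK defaults from twOpenSSL.h. It assumes the OpenSSL linked into Python, which is typically newer than the 1.0.2 bundled with the SDK, so the exact suite names can differ on the device.

```python
import ssl

# Constructed sample strings in OpenSSL cipher list format.
# Assumption: these are illustrations, not the defaults set in twOpenSSL.h.
WITHOUT_EXCLUSION = "HIGH:!aNULL"
WITH_EXCLUSION = WITHOUT_EXCLUSION + ":!kEDH"


def expand(cipher_list):
    """Return the suites the local OpenSSL selects for cipher_list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def suites_by_kx(cipher_list, kx_label):
    """Names of selected suites whose key exchange has the given label."""
    # 'kea' is OpenSSL's key-exchange label for each suite. "kx-dhe" is the
    # class removed by !kEDH (an alias of !kDHE); ECDHE is "kx-ecdhe".
    return [c["name"] for c in expand(cipher_list) if c.get("kea") == kx_label]


def dhe_suites(cipher_list):
    """Suites that would still negotiate Ephemeral Diffie-Hellman."""
    return suites_by_kx(cipher_list, "kx-dhe")


def edh_disabled(cipher_list):
    """True when the string leaves no EDH suite for the client to offer."""
    return not dhe_suites(cipher_list)


if __name__ == "__main__":
    print("linked against:", ssl.OPENSSL_VERSION)
    for candidate in (WITHOUT_EXCLUSION, WITH_EXCLUSION):
        remaining = dhe_suites(candidate)
        status = "OK" if not remaining else "EDH still enabled"
        print(f"{candidate!r}: {status} ({len(remaining)} EDH suites)")
        for name in remaining:
            print("   ", name)
```
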