Transport layer encryption

Bosch IoT Hub encrypts all connectivity. It uses the industry-standard TLS protocol for all TCP-based endpoints and DTLS for UDP-based endpoints.

Following security best practices, IoT Hub does not allow potentially insecure protocols such as SSL or TLS versions lower than 1.2.

Supported encryption protocols

| Protocol | Supported |
|---|---|
| SSL any version | No |
| TLS1.0 | No |
| TLS1.1 | No |
| TLS1.2 | Yes |
| TLS1.3 | Supported by Protocol Adapters for AMQP, HTTP, LoRa and MQTT |
| DTLS1.2 | Supported by CoAP Protocol Adapter only |

Supported TLS cipher suites

Supported cipher suites ordered by encryption strength

TCP-based Protocol adapters (AMQP, HTTP, LoRa and MQTT)

| TLS Version | Cipher Suite Name (IANA/RFC) | KeyExch. | Encryption | Bits | Cipher Suite Name (OpenSSL) | Remark |
|---|---|---|---|---|---|---|
| TLSv1.3 | TLS_AES_128_GCM_SHA256 | | AES | 128 | TLS_AES_128_GCM_SHA256 | Recommended |
| TLSv1.3 | TLS_AES_256_GCM_SHA384 | | AES | 256 | TLS_AES_256_GCM_SHA384 | Recommended |
| TLSv1.3 | TLS_CHACHA20_POLY1305_SHA256 | | AES | 256 | TLS_CHACHA20_POLY1305_SHA256 | Recommended |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDH 256 | AESGCM | 256 | ECDHE-RSA-AES256-GCM-SHA384 | Recommended |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ECDH 256 | ChaCha20 | 256 | ECDHE-RSA-CHACHA20-POLY1305 | Recommended |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDH 256 | AESGCM | 128 | ECDHE-RSA-AES128-GCM-SHA256 | Recommended |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH 256 | AES | 256 | ECDHE-RSA-AES256-SHA | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_256_GCM_SHA384 | RSA | AESGCM | 256 | AES256-GCM-SHA384 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_256_CBC_SHA | RSA | AES | 256 | AES256-SHA | Not recommended |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDH 256 | AES | 128 | ECDHE-RSA-AES128-SHA | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA | AESGCM | 128 | AES128-GCM-SHA256 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_128_CBC_SHA | RSA | AES | 128 | AES128-SHA | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_3DES_EDE_CBC_SHA | RSA | 3DES | 168 | DES-CBC3-SHA | Not recommended |
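
A device client can pin itself to the suites the table above marks "Recommended" instead of accepting whatever the endpoint also allows. The following is an added example, not Bosch code: it builds a Python `ssl` client context limited to those suites and checks the suite actually negotiated. The function names are hypothetical, and the host and port are supplied by the caller because the page lists no endpoint addresses.

```python
import socket
import ssl

# OpenSSL names of the suites marked "Recommended" above (copied from the page).
RECOMMENDED_TLS12 = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
]
RECOMMENDED_TLS13 = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}


def build_device_context():
    """Client context: certificate and hostname verification on, TLS >= 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() only governs TLS 1.2 and below; Python's ssl module leaves
    # the TLS 1.3 suites to OpenSSL, hence the post-handshake check below.
    ctx.set_ciphers(":".join(RECOMMENDED_TLS12))
    return ctx


def offered_tls12_suites(ctx):
    """TLS 1.2 suites this context will offer in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def negotiated_is_recommended(cipher):
    """cipher is the (name, protocol, secret_bits) tuple from SSLSocket.cipher()."""
    name, protocol, _bits = cipher
    if protocol == "TLSv1.3":
        return name in RECOMMENDED_TLS13
    if protocol == "TLSv1.2":
        return name in RECOMMENDED_TLS12
    return False  # anything older than TLS 1.2 is never acceptable


def connect_and_check(host, port):
    """Handshake with a caller-supplied endpoint; fail closed on a weak suite."""
    ctx = build_device_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            negotiated = tls.cipher()
            if not negotiated_is_recommended(negotiated):
                raise ssl.SSLError(f"non-recommended suite negotiated: {negotiated}")
            return negotiated
```
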

UDP-based protocol adapter (CoAP)

| DTLS Version | Cipher Suite Name (IANA/RFC) | KeyExch. | Encryption | Bits | Remark |
|---|---|---|---|---|---|
| DTLS 1.2 | TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 | ECDHE PSK | AES GCM | 128 | Recommended |
| DTLS 1.2 | TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 | ECDHE PSK | AES GCM | 256 | Recommended |
| DTLS 1.2 | TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 | ECDHE PSK | AES CCM 8 | 128 | Recommended |
| DTLS 1.2 | TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 | ECDHE PSK | AES CCM | 128 | Recommended |
| DTLS 1.2 | TLS_PSK_WITH_AES_128_GCM_SHA256 | PSK | AES GCM | 128 | Not recommended |
| DTLS 1.2 | TLS_PSK_WITH_AES_256_GCM_SHA384 | PSK | AES GCM | 256 | Not recommended |
| DTLS 1.2 | TLS_PSK_WITH_AES_128_CCM_8 | PSK | AES CCM 8 | 128 | Not recommended |
| DTLS 1.2 | TLS_PSK_WITH_AES_256_CCM_8 | PSK | AES CCM 8 | 256 | Not recommended |
| DTLS 1.2 | TLS_PSK_WITH_AES_128_CCM | PSK | AES CCM | 128 | Not recommended |
| DTLS 1.2 | TLS_PSK_WITH_AES_256_CCM | PSK | AES CCM | 256 | Not recommended |
| DTLS 1.2 | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 | ECDHE PSK | AES CBC | 128 | Not recommended |
| DTLS 1.2 | TLS_PSK_WITH_AES_128_CBC_SHA256 | PSK | AES CBC | 128 | Not recommended |

Manage endpoint

| TLS Version | Cipher Suite Name (IANA/RFC) | KeyExch. | Encryption | Bits | Cipher Suite Name (OpenSSL) | Remark |
|---|---|---|---|---|---|---|
| TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDH 256 | AESGCM | 256 | ECDHE-RSA-AES256-GCM-SHA384 | Recommended |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDH 256 | AESGCM | 128 | ECDHE-RSA-AES128-GCM-SHA256 | Recommended |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDH 256 | AES | 256 | ECDHE-RSA-AES256-SHA384 | Not recommended |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDH 256 | AES | 128 | ECDHE-RSA-AES128-SHA256 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_256_GCM_SHA384 | RSA | AESGCM | 256 | AES256-GCM-SHA384 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_256_CBC_SHA256 | RSA | AES | 256 | AES256-SHA256 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA | AESGCM | 128 | AES128-GCM-SHA256 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_128_CBC_SHA256 | RSA | AES | 128 | AES128-SHA256 | Not recommended |

Messaging endpoint

| TLS Version | Cipher Suite Name (IANA/RFC) | KeyExch. | Encryption | Bits | Cipher Suite Name (OpenSSL) | Remark |
|---|---|---|---|---|---|---|
| TLSv1.2 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DH 2048 | AESGCM | 256 | DHE-RSA-AES256-GCM-SHA384 | Recommended |
| TLSv1.2 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DH 2048 | AESGCM | 128 | DHE-RSA-AES128-GCM-SHA256 | Recommended |
| TLSv1.2 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | DH 2048 | AES | 256 | DHE-RSA-AES256-SHA256 | Not recommended |
| TLSv1.2 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DH 2048 | AES | 256 | DHE-RSA-AES256-SHA | Not recommended |
| TLSv1.2 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | DH 2048 | AES | 128 | DHE-RSA-AES128-SHA256 | Not recommended |
| TLSv1.2 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | DH 2048 | AES | 128 | DHE-RSA-AES128-SHA | Not recommended |
| TLSv1.2 | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA | DH 2048 | Camellia | 256 | DHE-RSA-CAMELLIA256-SHA | Not recommended |
| TLSv1.2 | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA | DH 2048 | Camellia | 128 | DHE-RSA-CAMELLIA128-SHA | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | RSA | Camellia | 256 | CAMELLIA256-SHA | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | RSA | Camellia | 128 | CAMELLIA128-SHA | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_256_GCM_SHA384 | RSA | AESGCM | 256 | AES256-GCM-SHA384 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA | AESGCM | 128 | AES128-GCM-SHA256 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_256_CBC_SHA256 | RSA | AES | 256 | AES256-SHA256 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_256_CBC_SHA | RSA | AES | 256 | AES256-SHA | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_128_CBC_SHA256 | RSA | AES | 128 | AES128-SHA256 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_128_CBC_SHA | RSA | AES | 128 | AES128-SHA | Not recommended |
| TLSv1.2 | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | DH 2048 | 3DES | 112 | DHE-RSA-DES-CBC3-SHA | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_3DES_EDE_CBC_SHA | RSA | 3DES | 168 | DES-CBC3-SHA | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_3DES_EDE_CBC_SHA | RSA | 3DES | 128 | RC4-SHA | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_3DES_EDE_CBC_SHA | RSA | 3DES | 168 | RC4-MD5 | Not recommended |
| TLSv1.2 | TLS_DHE_RSA_WITH_SEED_CBC_SHA | DH 2048 | SEED | 128 | DHE-RSA-SEED-SHA | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_SEED_CBC_SHA | RSA | SEED | 128 | SEED-SHA | Not recommended |