易陆发现互联网技术论坛


Security/Server Side TLS

Posted on 2016-9-30 17:11:47

url:https://wiki.mozilla.org/Security/Server_Side_TLS#userconsent#
The goal of this document is to help operational teams with the configuration of TLS on servers. All Mozilla sites and deployments should follow the recommendations below.
The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools. Changes are reviewed and merged by the OpSec team, and broadcast to the various Operational teams.
Updates to this page should be submitted to the source repository on GitHub.
If you are looking for the configuration generator, click the image below:
Recommended configurations
Three configurations are recommended. Pick the right configuration depending on your audience. If you do not need backward compatibility, and are building a service for modern clients only (post Firefox 27/Chrome 22), then use the Modern configuration. Otherwise, prefer the Intermediate configuration. Use the Old backward compatible configuration only if your service will be accessed by very old clients, such as Windows XP IE6, or ancient libraries & bots.
Configuration | Oldest compatible client
Modern | Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, Java 8
Intermediate | Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
Old | Windows XP IE6, Java 6
Older versions of OpenSSL may not return the full list of algorithms. AES-GCM and some ECDHE ciphers are fairly recent, and are not present in most versions of OpenSSL shipped with Ubuntu or RHEL. The listings below were obtained from a freshly built OpenSSL. If your version of OpenSSL is old, unavailable ciphers will be discarded automatically. Always use the full ciphersuite and let OpenSSL pick the ones it supports.
The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. Each level shows the list of algorithms returned by its ciphersuite. If you have to pick ciphers manually for your application, make sure you keep the ordering.
Modern compatibility
For services that don't need backward compatibility, the parameters below provide a higher level of security. This configuration is compatible with Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8.
  • Ciphersuites: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  • Versions: TLSv1.2
  • TLS curves: prime256v1, secp384r1, secp521r1
  • Certificate type: ECDSA
  • Certificate curve: prime256v1, secp384r1, secp521r1
  • Certificate signature: sha256WithRSAEncryption, ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512
  • RSA key size: 2048 (if not ecdsa)
  • DH Parameter size: None (disabled entirely)
  • ECDH Parameter size: 256
  • HSTS: max-age=15768000
  • Certificate switching: None

0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD
0xCC,0x14  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD
0xCC,0x13  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256

Rationale:
  • AES256-GCM is prioritized above its 128-bit variant and above ChaCha20, because we assume that most modern devices support AESNI instructions and thus benefit from fast and constant-time AES.
  • We recommend ECDSA certificates with P256 as other curves may not be supported everywhere. RSA signatures on ECDSA certificates are permitted because very few CAs sign with ECDSA at the moment.
  • DHE is removed entirely because it is slow in comparison with ECDHE, and all modern clients support elliptic curve key exchanges.
  • SHA1 signature algorithm is removed in favor of SHA384 for AES256 and SHA256 for AES128.
Intermediate compatibility (default)
For services that don't need compatibility with legacy clients (mostly WinXP), but still need to support a wide range of clients, this configuration is recommended. It is compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1.
  • Ciphersuites: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  • Versions: TLSv1.2, TLSv1.1, TLSv1
  • TLS curves: prime256v1, secp384r1, secp521r1
  • Certificate type: RSA
  • Certificate curve: None
  • Certificate signature: sha256WithRSAEncryption
  • RSA key size: 2048
  • DH Parameter size: 2048
  • ECDH Parameter size: 256
  • HSTS: max-age=15768000
  • Certificate switching: None

0xCC,0x14  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD
0xCC,0x13  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)    Mac=AEAD
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)    Mac=AEAD
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA1
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           SSLv3    Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA1
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA1
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           SSLv3    Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA1
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA256
0x00,0x33  -  DHE-RSA-AES128-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA1
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA256
0x00,0x39  -  DHE-RSA-AES256-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA1
0xC0,0x08  -  ECDHE-ECDSA-DES-CBC3-SHA       SSLv3    Kx=ECDH  Au=ECDSA  Enc=3DES(168)      Mac=SHA1
0xC0,0x12  -  ECDHE-RSA-DES-CBC3-SHA         SSLv3    Kx=ECDH  Au=RSA    Enc=3DES(168)      Mac=SHA1
0x00,0x16  -  EDH-RSA-DES-CBC3-SHA           SSLv3    Kx=DH    Au=RSA    Enc=3DES(168)      Mac=SHA1
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)    Mac=AEAD
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)    Mac=AEAD
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA256
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA256
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA1
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA1
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)      Mac=SHA1

Rationale:
  • ChaCha20 is preferred as the fastest and safest in-software cipher, followed by AES128. Unlike the modern configuration, we do not assume clients support AESNI and thus do not prioritize AES256 above 128 and ChaCha20. There have been discussions (1, 2) on whether AES256's extra security was worth its computing cost in software (without AESNI), and the results are far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.
  • DES-CBC3-SHA and EDH-RSA-DES-CBC3-SHA are maintained for backward compatibility with clients that do not support AES.
  • While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as SEED, CAMELLIA, ...).
Old backward compatibility
This is the old ciphersuite that works with all clients back to Windows XP/IE6. It should be used as a last resort only.
  • Ciphersuites: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
  • Versions: TLSv1.2, TLSv1.1, TLSv1, SSLv3
  • TLS curves: prime256v1, secp384r1, secp521r1
  • Certificate type: RSA
  • Certificate curve: None
  • Certificate signature: sha256WithRSAEncryption
  • RSA key size: 2048
  • DH Parameter size: 1024
  • ECDH Parameter size: 256
  • HSTS: max-age=15768000
  • Certificate switching: sha1WithRSAEncryption

0xCC,0x14  -  ECDHE-ECDSA-CHACHA20-POLY1305   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD
0xCC,0x13  -  ECDHE-RSA-CHACHA20-POLY1305     TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256     TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384     TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256       TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)    Mac=AEAD
0x00,0xA2  -  DHE-DSS-AES128-GCM-SHA256       TLSv1.2  Kx=DH    Au=DSS    Enc=AESGCM(128)    Mac=AEAD
0x00,0xA3  -  DHE-DSS-AES256-GCM-SHA384       TLSv1.2  Kx=DH    Au=DSS    Enc=AESGCM(256)    Mac=AEAD
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384       TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)    Mac=AEAD
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256         TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256       TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256
0xC0,0x13  -  ECDHE-RSA-AES128-SHA            SSLv3    Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA1
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA          SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA1
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384         TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384       TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384
0xC0,0x14  -  ECDHE-RSA-AES256-SHA            SSLv3    Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA1
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA          SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA1
0x00,0x67  -  DHE-RSA-AES128-SHA256           TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA256
0x00,0x33  -  DHE-RSA-AES128-SHA              SSLv3    Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA1
0x00,0x40  -  DHE-DSS-AES128-SHA256           TLSv1.2  Kx=DH    Au=DSS    Enc=AES(128)       Mac=SHA256
0x00,0x6B  -  DHE-RSA-AES256-SHA256           TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA256
0x00,0x38  -  DHE-DSS-AES256-SHA              SSLv3    Kx=DH    Au=DSS    Enc=AES(256)       Mac=SHA1
0x00,0x39  -  DHE-RSA-AES256-SHA              SSLv3    Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA1
0xC0,0x12  -  ECDHE-RSA-DES-CBC3-SHA          SSLv3    Kx=ECDH  Au=RSA    Enc=3DES(168)      Mac=SHA1
0xC0,0x08  -  ECDHE-ECDSA-DES-CBC3-SHA        SSLv3    Kx=ECDH  Au=ECDSA  Enc=3DES(168)      Mac=SHA1
0x00,0x16  -  EDH-RSA-DES-CBC3-SHA            SSLv3    Kx=DH    Au=RSA    Enc=3DES(168)      Mac=SHA1
0x00,0x9C  -  AES128-GCM-SHA256               TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)    Mac=AEAD
0x00,0x9D  -  AES256-GCM-SHA384               TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)    Mac=AEAD
0x00,0x3C  -  AES128-SHA256                   TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA256
0x00,0x3D  -  AES256-SHA256                   TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA256
0x00,0x2F  -  AES128-SHA                      SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA1
0x00,0x35  -  AES256-SHA                      SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA1
0x00,0x6A  -  DHE-DSS-AES256-SHA256           TLSv1.2  Kx=DH    Au=DSS    Enc=AES(256)       Mac=SHA256
0x00,0x32  -  DHE-DSS-AES128-SHA              SSLv3    Kx=DH    Au=DSS    Enc=AES(128)       Mac=SHA1
0x00,0x0A  -  DES-CBC3-SHA                    SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)      Mac=SHA1
0x00,0x9A  -  DHE-RSA-SEED-SHA                SSLv3    Kx=DH    Au=RSA    Enc=SEED(128)      Mac=SHA1
0x00,0x99  -  DHE-DSS-SEED-SHA                SSLv3    Kx=DH    Au=DSS    Enc=SEED(128)      Mac=SHA1
0xCC,0x15  -  DHE-RSA-CHACHA20-POLY1305       TLSv1.2  Kx=DH    Au=RSA    Enc=ChaCha20(256)  Mac=AEAD
0xC0,0x77  -  ECDHE-RSA-CAMELLIA256-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=Camellia(256)  Mac=SHA384
0xC0,0x73  -  ECDHE-ECDSA-CAMELLIA256-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=Camellia(256)  Mac=SHA384
0x00,0xC4  -  DHE-RSA-CAMELLIA256-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=Camellia(256)  Mac=SHA256
0x00,0xC3  -  DHE-DSS-CAMELLIA256-SHA256      TLSv1.2  Kx=DH    Au=DSS    Enc=Camellia(256)  Mac=SHA256
0x00,0x88  -  DHE-RSA-CAMELLIA256-SHA         SSLv3    Kx=DH    Au=RSA    Enc=Camellia(256)  Mac=SHA1
0x00,0x87  -  DHE-DSS-CAMELLIA256-SHA         SSLv3    Kx=DH    Au=DSS    Enc=Camellia(256)  Mac=SHA1
0x00,0xC0  -  CAMELLIA256-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=Camellia(256)  Mac=SHA256
0x00,0x84  -  CAMELLIA256-SHA                 SSLv3    Kx=RSA   Au=RSA    Enc=Camellia(256)  Mac=SHA1
0xC0,0x76  -  ECDHE-RSA-CAMELLIA128-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=Camellia(128)  Mac=SHA256
0xC0,0x72  -  ECDHE-ECDSA-CAMELLIA128-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=Camellia(128)  Mac=SHA256
0x00,0xBE  -  DHE-RSA-CAMELLIA128-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=Camellia(128)  Mac=SHA256
0x00,0xBD  -  DHE-DSS-CAMELLIA128-SHA256      TLSv1.2  Kx=DH    Au=DSS    Enc=Camellia(128)  Mac=SHA256
0x00,0x45  -  DHE-RSA-CAMELLIA128-SHA         SSLv3    Kx=DH    Au=RSA    Enc=Camellia(128)  Mac=SHA1
0x00,0x44  -  DHE-DSS-CAMELLIA128-SHA         SSLv3    Kx=DH    Au=DSS    Enc=Camellia(128)  Mac=SHA1
0x00,0xBA  -  CAMELLIA128-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=Camellia(128)  Mac=SHA256
0x00,0x41  -  CAMELLIA128-SHA                 SSLv3    Kx=RSA   Au=RSA    Enc=Camellia(128)  Mac=SHA1
0x00,0x96  -  SEED-SHA                        SSLv3    Kx=RSA   Au=RSA    Enc=SEED(128)      Mac=SHA1

Rationale:
  • You should take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only, and most servers should use the intermediate configuration instead.
  • SSLv3 is enabled to support WinXP SP2 clients on IE.
  • SHA1 certificates are authorized but only via certificate switching, meaning the server must implement custom logic to provide SHA1 certs to old clients, and SHA256 certs to all others. More information in the "Certificates Switching" section later in this document.
  • Most ciphers that are not clearly broken and dangerous to use are supported.
JSON version of the recommendations
You can find the recommendations above in JSON format at the address https://statics.tls.security.mozilla.org/server-side-tls-conf-4.0.json.
This location is permanent and can be referenced in scripts and tools. The file is versioned and will not change, to avoid breaking tools when we update the recommendations.
If you wish to point to the latest version of the recommendations, use this address: https://statics.tls.security.mozilla.org/server-side-tls-conf.json. Be advised the above will always point to the latest version and will not provide backward compatibility. If you use it to automatically configure your servers without review, it may break things. Prefer the version-specific files instead.
Previous versions
  • None
Mandatory discards
  • aNULL contains non-authenticated Diffie-Hellman key exchanges, that are subject to Man-In-The-Middle (MITM) attacks
  • eNULL contains null-encryption ciphers (cleartext)
  • EXPORT are legacy weak ciphers that were marked as exportable by US law
  • RC4 contains ciphers that use the deprecated ARCFOUR algorithm
  • DES contains ciphers that use the deprecated Data Encryption Standard
  • SSLv2 contains all ciphers that were defined in the old version of the SSL standard, now deprecated
  • MD5 contains all the ciphers that use the deprecated message digest 5 as the hashing algorithm
Forward Secrecy
The concept of forward secrecy is simple: client and server negotiate a key that never hits the wire, and is destroyed at the end of the session. The RSA private key from the server is used to sign a Diffie-Hellman key exchange between the client and the server. The pre-master key obtained from the Diffie-Hellman handshake is then used for encryption. Since the pre-master key is specific to a connection between a client and a server, and used only for a limited amount of time, it is called Ephemeral.
With Forward Secrecy, if an attacker gets a hold of the server's private key, it will not be able to decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a MITM.
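The sketch below is an added example, not part of the original document: it parses cipher rows in the layout of the listings above and reports, for each suite, which mandatory discards it hits and whether its key exchange is ephemeral and authenticated (forward secrecy). The sample rows are constructed, and reading `Kx=ECDH` / `Kx=DH` as ephemeral is an assumption based on how the listings above print ECDHE and DHE suites.

```python
import re

# One cipher row, in the column layout used by the listings above.
ROW = re.compile(
    r"^(?P<id>0x[0-9A-Fa-f]{2},0x[0-9A-Fa-f]{2})\s+-\s+(?P<name>\S+)\s+(?P<proto>\S+)"
    r"\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)

# The page's mandatory discards, expressed as tests on the parsed columns.
DISCARD_RULES = [
    ("aNULL", lambda s: s["au"] == "None"),
    ("eNULL", lambda s: s["enc"] == "None"),
    ("EXPORT", lambda s: s["export"] or s["name"].startswith("EXP-")),
    ("RC4", lambda s: s["enc"].startswith("RC4")),
    ("DES", lambda s: s["enc"].startswith("DES(")),  # single DES; 3DES prints as 3DES(168)
    ("SSLv2", lambda s: s["proto"] == "SSLv2"),
    ("MD5", lambda s: s["mac"] == "MD5"),
]

# Assumption: ephemeral suites print as Kx=ECDH or Kx=DH, as in the listings above;
# static RSA key exchange prints as Kx=RSA and gives no forward secrecy.
EPHEMERAL_KX = {"ECDH", "DH"}

# Constructed sample: four rows in the style of the listings above, followed by
# five constructed rows that each trip at least one mandatory discard.
SAMPLE = """\
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=RSA   Enc=AESGCM(128)  Mac=AEAD
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=DH    Au=RSA   Enc=AESGCM(128)  Mac=AEAD
0x00,0x9C  -  AES128-GCM-SHA256            TLSv1.2  Kx=RSA   Au=RSA   Enc=AESGCM(128)  Mac=AEAD
0x00,0x0A  -  DES-CBC3-SHA                 SSLv3    Kx=RSA   Au=RSA   Enc=3DES(168)    Mac=SHA1
0x00,0x05  -  RC4-SHA                      SSLv3    Kx=RSA   Au=RSA   Enc=RC4(128)     Mac=SHA1
0x00,0x04  -  RC4-MD5                      SSLv3    Kx=RSA   Au=RSA   Enc=RC4(128)     Mac=MD5
0x00,0x34  -  ADH-AES128-SHA               SSLv3    Kx=DH    Au=None  Enc=AES(128)     Mac=SHA1
0x00,0x02  -  NULL-SHA                     SSLv3    Kx=RSA   Au=RSA   Enc=None         Mac=SHA1
0x00,0x08  -  EXP-DES-CBC-SHA              SSLv3    Kx=RSA(512) Au=RSA Enc=DES(40)     Mac=SHA1 export
"""


def parse_listing(text):
    """Return one dict per cipher row; raise on a non-empty line that does not parse."""
    suites = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ROW.match(line)
        if match is None:
            raise ValueError(f"unrecognized cipher row: {line!r}")
        suite = match.groupdict()
        suite["export"] = suite["export"] is not None
        suites.append(suite)
    return suites


def forward_secret(suite):
    """Ephemeral key exchange that is also authenticated (signed with the server key)."""
    return suite["kx"] in EPHEMERAL_KX and suite["au"] != "None"


def discards(suite):
    """Labels of every mandatory discard the suite falls under, in the page's order."""
    return [label for label, rule in DISCARD_RULES if rule(suite)]


def audit(text):
    """Map suite name -> (forward_secret, [discard labels]), keeping listing order."""
    return {s["name"]: (forward_secret(s), discards(s)) for s in parse_listing(text)}


if __name__ == "__main__":
    for name, (fs, bad) in audit(SAMPLE).items():
        verdict = "DISCARD " + ",".join(bad) if bad else "ok"
        print(f"{name:30} forward_secrecy={fs!s:5} {verdict}")
```
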
DHE handshake and dhparam
When an ephemeral Diffie-Hellman cipher is used, the server and the client negotiate a pre-master key using the Diffie-Hellman algorithm. This algorithm requires that the server sends the client a prime number and a generator. Neither is confidential, and both are sent in clear text. However, they must be signed, such that a MITM cannot hijack the handshake.
As an example, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 works as follows:
[Figure: server key exchange message as displayed in Wireshark]
[Figure: client key exchange message as displayed in Wireshark]
  • Server sends Client a SERVER KEY EXCHANGE message during the SSL Handshake. The message contains:
    • Prime number p
    • Generator g
    • Server's Diffie-Hellman public value A = g^X mod p, where X is a private integer chosen by the server at random, and never shared with the client. (note: A is called pubkey in Wireshark)
    • signature S of the above (plus two random values) computed using the Server's private RSA key
  • Client verifies the signature S
  • Client sends server a CLIENT KEY EXCHANGE message. The message contains:
    • Client's Diffie-Hellman public value B = g^Y mod p, where Y is a private integer chosen at random and never shared. (note: B is called pubkey in Wireshark)
  • The Server and the Client can now calculate the pre-master secret using each other's public values:
    • server calculates PMS = B^X mod p
    • client calculates PMS = A^Y mod p
  • Client sends a CHANGE CIPHER SPEC message to the server, and both parties continue the handshake using ENCRYPTED HANDSHAKE MESSAGES
The size of the prime number p constrains the size of the pre-master key PMS, because of the modulo operation. A smaller prime almost means weaker values of A and B, which could leak the secret values X and Y. Thus, the prime p should not be smaller than the size of the RSA private key.

$ openssl dhparam 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
..+..+...............+
-----BEGIN DH PARAMETERS-----
MBYCEQCHU6UNZoHMF6bPtj21Hn/bAgEC.....
......
-----END DH PARAMETERS-----

Pre-defined DHE groups
In order to lower the burden of system administrators, several servers provide pre-computed DH groups. Unfortunately, the Logjam report showed that it is very likely that a state-level adversary may have broken the most widely used 1024-bit DH group, Oakley group 2, standardized in RFC 2409.
For this reason, the use of this group is considered unsafe and you should either:
  • use a larger group, with a minimum size of 2048-bit, as recommended in the intermediate and modern configurations;
  • keep using a 1024-bit DH group if you need to (see #DHE_and_Java), but move away from Oakley group 2 and use a custom DH group instead, generated via the openssl dhparam 1024 command;
  • disable DHE altogether, relying on ECDHE for PFS if you don't support legacy clients lacking ECDHE support (see #DHE_and_ECDHE_support).
It is currently assumed that standardized 2048-bit DH groups provide sufficient security to resist factorization attacks. However, the careful administrator should generate a random DH group instead of using a standardized one when setting up a new server, as advised by the [1] authors.
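An added example (not from the original document) that audits a DH PARAMETERS block as discussed in the two DHE sections above: it extracts p and g, checks the prime size against a chosen minimum, recognizes Oakley group 2, verifies that p is a safe prime, and runs the A = g^X mod p / B = g^Y mod p exchange to show both sides reach the same PMS. The prime is the Oakley group 2 constant from RFC 2409; the function names and the sample PEM built from it are constructed for illustration.

```python
import base64
import secrets

# Oakley group 2 prime (RFC 2409), used with generator 2: the pre-defined
# 1024-bit group the page tells administrators to move away from.
OAKLEY_GROUP_2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
BEGIN, END = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"

def der_tlv(tag, body):
    """Encode one DER tag-length-value element."""
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def make_dhparam_pem(p, g):
    """Build constructed sample input: SEQUENCE { prime INTEGER, base INTEGER }."""
    ints = b"".join(der_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big")) for n in (p, g))
    return f"{BEGIN}\n{base64.encodebytes(der_tlv(0x30, ints)).decode()}{END}\n"

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the length size
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_dhparam_pem(pem):
    """Return (p, g) from a DH PARAMETERS PEM block."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a DH PARAMETERS block")
    tag, seq, _ = read_tlv(base64.b64decode("".join(lines[1:-1])), 0)
    t_p, p_raw, nxt = read_tlv(seq, 0)
    t_g, g_raw, _ = read_tlv(seq, nxt)
    if (tag, t_p, t_g) != (0x30, 0x02, 0x02):
        raise ValueError("unexpected DER structure")
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def audit_dhparam(pem, min_bits=2048):
    """Return (prime size in bits, findings). Use min_bits=1024 for the Java 6 case."""
    p, _g = parse_dhparam_pem(pem)
    bits, findings = p.bit_length(), []
    if p == OAKLEY_GROUP_2_P:
        findings.append("Oakley group 2 (RFC 2409): pre-defined group, generate a custom one")
    if bits < min_bits:
        findings.append(f"{bits}-bit prime is below the {min_bits}-bit minimum")
    if not (is_probable_prime(p) and is_probable_prime((p - 1) // 2)):
        findings.append("p is not a safe prime")
    return bits, findings

def dhe_exchange(p, g):
    """Both sides of the exchange, in the page's notation; returns (server PMS, client PMS)."""
    x = secrets.randbelow(p - 3) + 2        # server secret X, never sent
    y = secrets.randbelow(p - 3) + 2        # client secret Y, never sent
    a, b = pow(g, x, p), pow(g, y, p)       # public values A and B, sent in clear
    return pow(b, x, p), pow(a, y, p)

if __name__ == "__main__":
    sample = make_dhparam_pem(OAKLEY_GROUP_2_P, 2)   # constructed sample input
    print(audit_dhparam(sample))
    server_pms, client_pms = dhe_exchange(*parse_dhparam_pem(sample))
    print("PMS match:", server_pms == client_pms, "PMS bits:", server_pms.bit_length())
```
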
DHE and ECDHE support
Most modern clients that support both ECDHE and DHE typically prefer the former, because ECDHE provides faster handshakes than DHE ([2], [3]).
Unfortunately, some widely used clients lack support for ECDHE and must then rely on DHE to provide perfect forward secrecy:
  • Android < 3.0.0
  • Java < 7
  • OpenSSL < 1.0.0
Note that schannel on Windows XP technically supports DHE, but only with DSA keys, making it unusable on the internet in practice.
DHE and Java
Java 6 and 7 do not support Diffie-Hellman parameters larger than 1024 bits. If your server expects to receive connections from Java 6 clients and wants to enable PFS, it must provide a DHE parameter of 1024 bits.
If keeping the compatibility with Java < 7 is a necessity, thus preventing the use of large DH keys, three solutions are available:
  • using custom 1024-bit DH parameters, different from Oakley group 2;
  • if the software used does not support custom DH parameters, like Apache HTTPd < 2.2.30, it is possible to keep using the 1024-bit DH Oakley group 2, knowing these clients will be at risk from a state-level adversary;
  • it is also possible to completely disable DHE. This means that clients not supporting ECDHE will be reverting to static RSA, giving up Forward Secrecy.
The case of Java 7 is a bit different. Java 7 supports ECDHE ciphers, so if the server provides ECDHE and prioritizes it before DHE ciphers using server side ordering, then Java 7 will use ECDHE and not care about the size of the DHE parameter. In this situation, the server can use 2048-bit DHE parameters for all other clients.
However, if the server does not support ECDHE, then Java 7 will use DHE and fail if the parameter is larger than 1024 bits. When failing, the handshake will not attempt to fall back to the next cipher in line, but simply fail with the error "java.lang.RuntimeException: Could not generate DH keypair".
| Java supported | ECDHE prioritized | smallest DH parameter size |
|---|---|---|
| 6 | irrelevant | 1024 |
| 7 | NO | 1024 |
| 7 | YES | 2048 |
| 8 | irrelevant | 2048 |

OCSP Stapling
When connecting to a server, clients should verify the validity of the server certificate using either a Certificate Revocation List (CRL), or an Online Certificate Status Protocol (OCSP) record. The problem with CRL is that the lists have grown huge and take forever to download.
OCSP is much more lightweight, as only one record is retrieved at a time. But the side effect is that OCSP requests must be made to a 3rd party OCSP responder when connecting to a server, which adds latency and potential failures. In fact, the OCSP responders operated by CAs are often so unreliable that browsers will fail silently if no response is received in a timely manner. This reduces security, by allowing an attacker to DoS an OCSP responder to disable the validation.
The solution is to allow the server to send its cached OCSP record during the TLS handshake, therefore bypassing the OCSP responder. This mechanism saves a roundtrip between the client and the OCSP responder, and is called OCSP Stapling.
The server will send a cached OCSP response only if the client requests it, by announcing support for the status_request TLS extension in its CLIENT HELLO.
Most servers will cache OCSP responses for up to 48 hours. At regular intervals, the server will connect to the OCSP responder of the CA to retrieve a fresh OCSP record. The location of the OCSP responder is taken from the Authority Information Access field of the signed certificate. For example, with StartSSL:
Authority Information Access:      OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
Support for OCSP Stapling can be tested using the -status option of the OpenSSL client.
$ openssl s_client -connect monitor.mozillalabs.com:443 -status
...
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
...
Session Resumption
Session Resumption is the ability to reuse the session secrets previously negotiated between a client and a server for a new TLS connection. This feature greatly speeds up the establishment of TLS connections after the first handshake, and is very useful for connections that use Perfect Forward Secrecy with a slow handshake like DHE.
Session Resumption can be performed using one of two methods:
  • session identifier: When establishing a first session, the server generates an arbitrary session ID sent to the client. On subsequent connections, the client sends the session ID in the CLIENT HELLO message, indicating to the server it wants to reuse an existing state. If the server can find a corresponding state in its local cache, it reuses the session secrets and skips directly to exchanging encrypted data with the client. If the cache stored on the server is compromised, session keys from the cache can be used to decrypt past and future sessions.
  • session tickets: Storing a cache on the server might be problematic for systems that handle very large numbers of clients. Session tickets provide an alternative where the server sends the encrypted state (ticket) to the client instead of storing it in its local cache. The client can send back the encrypted state to the server in subsequent connections, thus allowing session resumption. This method requires symmetric keys on the server to encrypt and decrypt session tickets. If the keys are compromised, an attacker obtains access to session keys and can decrypt past and future sessions.
Session resumption is a very useful performance feature of TLS, but also carries a significant amount of risk. Most servers do not purge sessions or ticket keys, thus increasing the risk that a server compromise would leak data from previous (and future) connections.
The current recommendation for web servers is to enable session resumption and benefit from the performance improvement, but to restart servers daily when possible. This ensures that sessions get purged and ticket keys get renewed on a regular basis.
HSTS: HTTP Strict Transport Security
HSTS is an HTTP header sent by a server to a client, indicating that the current site must only be accessed over HTTPS until expiration of the HSTS value is reached.
The header format is very simple, composed only of a max-age parameter that indicates when the directive should expire. max-age is expressed in seconds. A typical value is 15768000 seconds, or 6 months.
Strict-Transport-Security: max-age=15768000
HSTS is becoming more and more of a standard, but should only be used when the site's operators are confident that HTTPS will be available continuously for the duration of max-age. Once the HSTS header is sent to a client, HTTPS cannot be disabled on the site until the last client has expired its HSTS record.
HPKP: Public Key Pinning Extension for HTTP
See RFC7469.
HPKP is an experimental HTTP header sent by a server to a client, to indicate that some certificates related to the site should be pinned in the client. The client would thus refuse to establish a connection to the server if the pinning does not comply.
Due to its experimental nature, HPKP is currently not recommended on production sites. More information can be found on the MDN description page.
Certificates Switching
Certificates Switching is a technique by which a server provides a different X.509 certificate to a client based on specific selection criteria. This technique is used primarily to maintain backward compatibility with very old clients, such as Internet Explorer 6 on Windows XP SP2.
On XPSP2, IE6 is only able to establish connections to servers that provide a certificate signed with sha1WithRSAEncryption. Those certificates are not issued by modern CAs anymore, and all sites have been encouraged to upgrade to SHA-256 certificates. As modern browsers gradually block connections backed by SHA-1 certificates, sites that need to maintain compatibility with XPSP2 must implement certificate switching to provide a SHA-1 cert to old clients and a SHA-256 cert to modern ones.
Certificate switching can be implemented in various ways. A simplistic approach is to select the certificate based on the protocol version (SHA-256 to TLS clients, SHA-1 to SSLv3 ones). A more sophisticated approach consists of looking inside the CLIENT HELLO for SHA-256 support in the "signature_algorithms" extension.
Few servers currently support cert switching. It is possible to implement it using HAProxy, and vendors like Cloudflare offer it.
Recommended Server Configurations
All configuration samples have been moved to the configuration generator and the Security/TLS_Configurations archive. Access the generator by clicking the image below:
Tools
CipherScan
Cipherscan is a small Bash script that connects to a target and lists the preferred ciphers. It's an easy way to test a web server for available ciphers, PFS key size, elliptic curves, support for OCSP Stapling, TLS ticket lifetime and certificate trust.
$ ./cipherscan jve.linuxwall.info
..........................
prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits
3     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,4096bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,4096bits
5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits
6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
7     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits
8     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
9     DHE-RSA-AES128-SHA256        TLSv1.2                DH,4096bits
10    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,4096bits
11    DHE-RSA-AES256-SHA256        TLSv1.2                DH,4096bits
12    AES128-GCM-SHA256            TLSv1.2
13    AES256-GCM-SHA384            TLSv1.2
14    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
15    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,4096bits
16    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2
17    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,4096bits
18    DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,4096bits
19    AES256-SHA256                TLSv1.2
20    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2
21    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2
22    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,4096bits
23    AES128-SHA256                TLSv1.2
24    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2
25    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: supported
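A report in this layout can be checked mechanically against the guidance elsewhere on this page (DH parameters of at least 2048 bits, no RC4, SSLv3 only for the Old configuration, SHA-256 certificates, OCSP stapling). The parser below is an added example, not part of cipherscan or of the original page; its function names and the WEAK_SAMPLE report are constructed for illustration, while PAGE_EXCERPT copies three rows and the trailer from the output above.

```python
import re

# Constructed report in the layout shown above (not captured from a real host).
WEAK_SAMPLE = """\
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
2     DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2        DH,1024bits
3     AES128-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
4     RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
"""

# Three rows and the trailer taken from the page's own sample output.
PAGE_EXCERPT = """\
prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits
3     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,4096bits
16    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: supported
"""

# pfs_keysize is "DH,<n>bits" or "ECDH,<curve>,<n>bits".
PFS_RE = re.compile(r"(ECDH|DH),(?:[^,]+,)?(\d+)bits")


def parse_cipherscan(text):
    """Split a report into cipher suite rows and 'key: value' summary lines."""
    suites, summary = [], {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].isdigit():
            # The fourth column is absent for suites without forward secrecy.
            pfs = PFS_RE.fullmatch(fields[3]) if len(fields) > 3 else None
            suites.append({
                "prio": int(fields[0]),
                "cipher": fields[1],
                "protocols": fields[2].split(","),
                "kex": pfs.group(1) if pfs else None,
                "bits": int(pfs.group(2)) if pfs else None,
            })
        elif ":" in line:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
    return suites, summary


def audit(text, min_dh_bits=2048):
    """Return (location, finding) tuples for settings the page advises against."""
    suites, summary = parse_cipherscan(text)
    findings = []
    for s in suites:
        where = "prio %d %s" % (s["prio"], s["cipher"])
        if s["kex"] == "DH" and s["bits"] < min_dh_bits:
            findings.append((where, "DH parameter below %d bits" % min_dh_bits))
        if "RC4" in s["cipher"].split("-"):
            findings.append((where, "RC4 offered"))
        if "SSLv3" in s["protocols"]:
            findings.append((where, "SSLv3 enabled"))
    if "sha1With" in summary.get("Certificate", ""):
        findings.append(("certificate", "SHA-1 signature"))
    if summary.get("OCSP stapling") != "supported":
        findings.append(("server", "OCSP stapling not reported as supported"))
    return findings


if __name__ == "__main__":
    for location, finding in audit(WEAK_SAMPLE):
        print("%-28s %s" % (location, finding))
```

A site that deliberately runs the Old configuration will see the SSLv3 finding by design; lower min_dh_bits to 1024 only when the Java 6 constraint described earlier applies.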
SSL Labs (Qualys)
Qualys SSL Labs provides a comprehensive SSL testing suite.
GlobalSign has a modified interface of SSL Labs that is interesting as well: https://sslcheck.globalsign.com/
Attacks on SSL and TLS
BEAST (CVE-2011-3389)
BEAST is a vulnerability in the Initialization Vector (IV) of the CBC mode of AES, Camellia and a few other ciphers that use CBC mode. The attack allows a MITM attacker to recover plaintext values by encrypting the same message multiple times.
BEAST is mitigated in TLS1.1 and above.
LUCKY13
Lucky13 is another attack on CBC mode that listens for padding checks to decrypt ciphertext.
RC4 weaknesses
As of February 2015, the IETF explicitly prohibits the use of RC4: RFC 7465.
It has been proven that RC4 biases in the first 256 bytes of a cipherstream can be used to recover encrypted text. If the same data is encrypted a very large number of times, then an attacker can apply statistical analysis to the results and recover the encrypted text. While hard to perform, this attack shows that it is time to remove RC4 from the list of trusted ciphers.
In a public discussion (bug 927045), it has been recommended to replace RC4 with 3DES. This would impact Internet Explorer 7 and 8 users that, depending on the OS, do not support AES, and will negotiate only RC4 or 3DES ciphers. Internet Explorer uses the cryptographic library “schannel”, which is OS dependent. schannel supports AES in Windows Vista, but not in Windows XP.
While 3DES provides more resistant cryptography, it is also 30 times slower and more cpu intensive than RC4. For large web infrastructure, the CPU cost of replacing RC4 with 3DES is non-zero. For this reason, we recommend that administrators evaluate their traffic patterns, and make the decision of replacing RC4 with 3DES on a per-case basis. At Mozilla, we evaluated that the impact on CPU usage is minor, and thus decided to replace RC4 with 3DES where backward compatibility is required.
CRIME
The root cause of the problem is information leakage that occurs when data is compressed prior to encryption. If someone can repeatedly inject and mix arbitrary content with some sensitive and relatively predictable data, and observe the resulting encrypted stream, then he will be able to extract the unknown data from it.
BREACH
This is a more complex attack than CRIME, and it does not require TLS-level compression (it still needs HTTP-level compression).
In order to be successful, it requires the target application to:
  • Be served from a server that uses HTTP-level compression
  • Reflect user-input in HTTP response bodies
  • Reflect a secret (such as a CSRF token) in HTTP response bodies
POODLE (CVE-2014-3566)
POODLE is an attack on the padding used by SSLv3. It is a significant improvement of the BEAST attack which led the cryptography community to recommend disabling SSLv3 globally.
If you can arrange the message to be the correct length then the last block is 15 arbitrary bytes and the padding length (15). Then you arrange an interesting byte to be in the last position of a different block and duplicate that block to the end. If the record is accepted, then you know what the last byte contained because it decrypted to 15. Thus the attacker needs to be able to control some of the plaintext in order to align things in the messages and needs to be able to burn lots of connections (256 per byte, roughly). Thus a secret needs to be repeated in connection after connection (i.e. a cookie).
Daniel Stenberg (Mozilla, cURL) has a good description of the exploitability of POODLE in http://daniel.haxx.se/blog/2014/10/17/curl-is-no-poodle/
Our guidelines maintain support for SSLv3 in the Old configuration only. This is required for clients on Windows XP service pack 1 & 2 that do not have support for TLSv1.0. Internet Explorer and Chrome on those platforms are impacted. Mozilla wants to be reachable from very old clients, to allow them to download a better browser. Therefore, we maintain SSLv3 compatibility on a limited number of sites. But all sites that do not need that level of compatibility are encouraged to implement the Intermediate configuration.
Logjam attack on weak Diffie-Hellman
The Logjam attack describes methods of attacking TLS servers supporting DHE export ciphers, and with weak (<= 1024 bit) Diffie-Hellman groups. Modern TLS must use DH parameters of 2048 bits and above, or only use ECDHE. The modern configuration in this guide provides configurations that are not impacted by this issue. The intermediate and old configurations are impacted, and administrators are encouraged to use DH parameters of 2048 bits wherever possible.
SPDY
SPDY is a protocol that incorporates TLS and attempts to reduce latency when loading pages. It is currently not an HTTP standard (albeit it is being drafted for HTTP 2.0), but is widely supported.
SPDY version 3 is vulnerable to the CRIME attack (see also http://zoompf.com/2012/09/explaining-the-crime-weakness-in-spdy-and-ssl) - this is due to the use of compression. Clients currently implement a non-standard hack with gzip in order to circumvent the vulnerability. SPDY version 4 is planned to include a proper fix.
TLS tickets (RFC 5077)
Once a TLS handshake has been negotiated between the server and the client, both may exchange a session ticket, which contains an AES-CBC 128-bit key which can decrypt the session. This key is generally static and only regenerated when the web server is restarted (with recent versions of Apache, it's stored in a file and also kept upon restarts).
The current work-around is to disable RFC 5077 support.
Cipher names correspondence table
IANA, OpenSSL and GnuTLS use different naming for the same ciphers. The table below matches these ciphers as well as their corresponding compatibility level.
Hex
Priority
IANA
GnuTLS
NSS
OpenSSL
( ?. A! g* r. }& K) B9 c/ h
0xC0,0x2F
1
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_RSA_AES_128_GCM_SHA256TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256ECDHE-RSA-AES128-GCM-SHA256+ i. R- m2 B  `4 n- `8 k
0xC0,0x2B
2
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_ECDSA_AES_128_GCM_SHA256TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256ECDHE-ECDSA-AES128-GCM-SHA256: d: R& W: A+ N; w, V* j7 b
0xC0,0x30
3
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384TLS_ECDHE_RSA_AES_256_GCM_SHA384ECDHE-RSA-AES256-GCM-SHA384
1 j/ C7 A3 a* e. l: Z
0xC0,0x2C
4
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384TLS_ECDHE_ECDSA_AES_256_GCM_SHA384ECDHE-ECDSA-AES256-GCM-SHA384( X6 L$ g( g4 i# \3 B- s
0x00,0x9E
5
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256TLS_DHE_RSA_AES_128_GCM_SHA256TLS_DHE_RSA_WITH_AES_128_GCM_SHA256DHE-RSA-AES128-GCM-SHA256
- o7 p5 R3 ~5 d; D
0x00,0xA2
6
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256TLS_DHE_DSS_AES_128_GCM_SHA256TLS_DHE_DSS_WITH_AES_128_GCM_SHA256DHE-DSS-AES128-GCM-SHA256  j  G7 n+ B* k8 `( a. K7 _
0x00,0xA3
7
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384TLS_DHE_DSS_AES_256_GCM_SHA384DHE-DSS-AES256-GCM-SHA384$ K* M2 D- w: k5 `7 m1 S; Q! b# h2 \
0x00,0x9F
8
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384TLS_DHE_RSA_AES_256_GCM_SHA384DHE-RSA-AES256-GCM-SHA384
* U: O8 V1 ?0 x( Y5 w
0xC0,0x27
9
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256TLS_ECDHE_RSA_AES_128_CBC_SHA256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256ECDHE-RSA-AES128-SHA256
+ q# O5 {: H+ z5 t9 C
0xC0,0x23
10
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256TLS_ECDHE_ECDSA_AES_128_CBC_SHA256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256ECDHE-ECDSA-AES128-SHA256
4 Q: C4 k/ z/ e+ Y% T- q1 X5 D
0xC0,0x13
11
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHATLS_ECDHE_RSA_AES_128_CBC_SHA1TLS_ECDHE_RSA_WITH_AES_128_CBC_SHAECDHE-RSA-AES128-SHA
$ ^& s% _- q9 o
0xC0,0x09
12
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHATLS_ECDHE_ECDSA_AES_128_CBC_SHA1TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHAECDHE-ECDSA-AES128-SHA9 L, I* G) J/ C* V( x. R! O9 b
0xC0,0x28
13
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384TLS_ECDHE_RSA_AES_256_CBC_SHA384ECDHE-RSA-AES256-SHA3848 p& C8 f- Y0 u5 w
0xC0,0x24
14
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384TLS_ECDHE_ECDSA_AES_256_CBC_SHA384ECDHE-ECDSA-AES256-SHA3842 b+ I! D" U- ?) H
0xC0,0x14
15
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHATLS_ECDHE_RSA_AES_256_CBC_SHA1TLS_ECDHE_RSA_WITH_AES_256_CBC_SHAECDHE-RSA-AES256-SHA
8 \" u4 F5 \, @% G4 k
0xC0,0x0A
16
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHATLS_ECDHE_ECDSA_AES_256_CBC_SHA1TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHAECDHE-ECDSA-AES256-SHA% g4 q) b4 _! J8 _. x
0x00,0x67
17
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256TLS_DHE_RSA_AES_128_CBC_SHA256TLS_DHE_RSA_WITH_AES_128_CBC_SHA256DHE-RSA-AES128-SHA256
, @2 q7 n' u7 |; v1 f
0x00,0x33
18
TLS_DHE_RSA_WITH_AES_128_CBC_SHATLS_DHE_RSA_AES_128_CBC_SHA1TLS_DHE_RSA_WITH_AES_128_CBC_SHADHE-RSA-AES128-SHA
1 A8 Z# Q" {. U+ i8 c% |2 \) D% Q, N. {
0x00,0x40
19
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256TLS_DHE_DSS_AES_128_CBC_SHA256TLS_DHE_DSS_WITH_AES_128_CBC_SHA256DHE-DSS-AES128-SHA256
8 P! t  s) o9 N% u5 W5 K; c9 r
0x00,0x6B
20
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256TLS_DHE_RSA_AES_256_CBC_SHA256TLS_DHE_RSA_WITH_AES_256_CBC_SHA256DHE-RSA-AES256-SHA256+ n# B1 t( l  b1 `0 H! j
0x00,0x38
21
TLS_DHE_DSS_WITH_AES_256_CBC_SHATLS_DHE_DSS_AES_256_CBC_SHA1TLS_DHE_DSS_WITH_AES_256_CBC_SHADHE-DSS-AES256-SHA
: W, Y% t9 P0 s! f' p% r
0x00,0x39
22
TLS_DHE_RSA_WITH_AES_256_CBC_SHATLS_DHE_RSA_AES_256_CBC_SHA1TLS_DHE_RSA_WITH_AES_256_CBC_SHADHE-RSA-AES256-SHA- i/ O; d; W* {# ]( F& O
0xC0,0x12
23
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHATLS_ECDHE_RSA_3DES_EDE_CBC_SHA1TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHAECDHE-RSA-DES-CBC3-SHA0 r' Z+ X. _  |
0xC0,0x08
24
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHATLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHAECDHE-ECDSA-DES-CBC3-SHA: s' g% u9 n1 X) j
0x00,0x16
25
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHATLS_DHE_RSA_3DES_EDE_CBC_SHA1TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
% }. R( e8 l5 P% Q0 c3 @  e# M
0x00,0x9C
26
TLS_RSA_WITH_AES_128_GCM_SHA256TLS_RSA_AES_128_GCM_SHA256TLS_RSA_WITH_AES_128_GCM_SHA256AES128-GCM-SHA256
! v& Z, g6 W) q9 y# ]0 `. z
0x00,0x9D
27
TLS_RSA_WITH_AES_256_GCM_SHA384TLS_RSA_AES_256_GCM_SHA384AES256-GCM-SHA384; v3 X$ \; Z4 c% m2 R( T3 M
0x00,0x3C
28
TLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_CBC_SHA256AES128-SHA256* V& d1 f) a* S7 z, ^
0x00,0x3D
29
TLS_RSA_WITH_AES_256_CBC_SHA256TLS_RSA_AES_256_CBC_SHA256TLS_RSA_WITH_AES_256_CBC_SHA256AES256-SHA256
: a# l) J4 X% A, {4 |( A
0x00,0x2F
30
TLS_RSA_WITH_AES_128_CBC_SHATLS_RSA_AES_128_CBC_SHA1TLS_RSA_WITH_AES_128_CBC_SHAAES128-SHA
/ |) n7 v& w+ k* O+ T4 X( p% F  N
0x00,0x35
31
TLS_RSA_WITH_AES_256_CBC_SHATLS_RSA_AES_256_CBC_SHA1TLS_RSA_WITH_AES_256_CBC_SHAAES256-SHA
: I( h, ~/ S. X$ ~( l+ O1 s  W: C
0x00,0x6A
32
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256TLS_DHE_DSS_AES_256_CBC_SHA256TLS_DHE_DSS_WITH_AES_256_CBC_SHA256DHE-DSS-AES256-SHA256
) V4 K6 e. A, H' Q4 _" Y
0x00,0x32
33
TLS_DHE_DSS_WITH_AES_128_CBC_SHATLS_DHE_DSS_AES_128_CBC_SHA1TLS_DHE_DSS_WITH_AES_128_CBC_SHADHE-DSS-AES128-SHA
/ a3 c2 K7 ?( i- Y5 s# {  b
0x00,0x0A
34
TLS_RSA_WITH_3DES_EDE_CBC_SHATLS_RSA_3DES_EDE_CBC_SHA1TLS_RSA_WITH_3DES_EDE_CBC_SHA
7 g0 f# j- z4 e& q
0x00,0x88
35
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHATLS_DHE_RSA_CAMELLIA_256_CBC_SHA1TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHADHE-RSA-CAMELLIA256-SHA
" o& e0 z6 J: I, l) Q% y) @
0x00,0x87
36
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHATLS_DHE_DSS_CAMELLIA_256_CBC_SHA1TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHADHE-DSS-CAMELLIA256-SHA* W$ b4 G0 ^4 ?! J; C9 G4 a
0x00,0x84
37
TLS_RSA_WITH_CAMELLIA_256_CBC_SHATLS_RSA_CAMELLIA_256_CBC_SHA1TLS_RSA_WITH_CAMELLIA_256_CBC_SHACAMELLIA256-SHA
, |! f! t5 z* a% Q% x6 p
0x00,0x45
38
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHATLS_DHE_RSA_CAMELLIA_128_CBC_SHA1TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHADHE-RSA-CAMELLIA128-SHA" V& k* O) C8 ?6 V' m& n
0x00,0x44
39
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHATLS_DHE_DSS_CAMELLIA_128_CBC_SHA1TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHADHE-DSS-CAMELLIA128-SHA
" o, _& \- ]  q' m2 C! T5 L
0x00,0x41
40
TLS_RSA_WITH_CAMELLIA_128_CBC_SHATLS_RSA_CAMELLIA_128_CBC_SHA1TLS_RSA_WITH_CAMELLIA_128_CBC_SHACAMELLIA128-SHA
; R+ e* C4 m! n7 d0 ]& Z% O
0x00,0x9A
41
TLS_DHE_RSA_WITH_SEED_CBC_SHADHE-RSA-SEED-SHA- b& U" w8 z0 F
0x00,0x99
42
TLS_DHE_DSS_WITH_SEED_CBC_SHADHE-DSS-SEED-SHA$ B# O$ d' P. I0 t1 k6 W! A: ?* E
0x00,0x96
43
TLS_RSA_WITH_SEED_CBC_SHATLS_RSA_WITH_SEED_CBC_SHASEED-SHA5 t% j2 Z7 Q/ N$ t3 e1 l0 T
0x00,0x00
TLS_NULL_WITH_NULL_NULLTLS_NULL_WITH_NULL_NULL
3 z+ Y4 `3 _2 n6 l$ ]. T, F+ V
0x00,0x01
TLS_RSA_WITH_NULL_MD5TLS_RSA_NULL_MD5TLS_RSA_WITH_NULL_MD5. H( }& N6 g6 D5 x; e" A! j
0x00,0x02
TLS_RSA_WITH_NULL_SHATLS_RSA_NULL_SHA1TLS_RSA_WITH_NULL_SHA
( s6 u1 D9 p  W5 A# {
0x00,0x03
TLS_RSA_EXPORT_WITH_RC4_40_MD5TLS_RSA_EXPORT_WITH_RC4_40_MD5
2 }# J1 A" s3 c7 P6 @6 n9 S
0x00,0x04
TLS_RSA_WITH_RC4_128_MD5TLS_RSA_ARCFOUR_128_MD5TLS_RSA_WITH_RC4_128_MD52 b) e* h/ {2 W9 |* j
0x00,0x05
TLS_RSA_WITH_RC4_128_SHATLS_RSA_ARCFOUR_128_SHA1TLS_RSA_WITH_RC4_128_SHA* N9 D3 F0 q) L+ G! ]# s
0x00,0x06
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
6 R4 Z' o' K6 B' r
0x00,0x07
TLS_RSA_WITH_IDEA_CBC_SHATLS_RSA_WITH_IDEA_CBC_SHA
6 U5 E; c$ |& m2 T$ o
0x00,0x08
TLS_RSA_EXPORT_WITH_DES40_CBC_SHATLS_RSA_EXPORT_WITH_DES40_CBC_SHA: P; c( A. [0 D
0x00,0x09
TLS_RSA_WITH_DES_CBC_SHATLS_RSA_WITH_DES_CBC_SHA
6 P% S8 e3 B( d1 j) Q7 Q+ S0 v% C
0x00,0x0B
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHATLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA/ a  ~2 S0 G0 |9 o# V' a3 |, [
0x00,0x0C
TLS_DH_DSS_WITH_DES_CBC_SHATLS_DH_DSS_WITH_DES_CBC_SHA# G$ m. {! p) ]. ~3 S' |
0x00,0x0D
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHATLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
( k7 j, n0 U) r1 s" P) F
0x00,0x0E
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHATLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
) y4 u. D/ _# P% b
0x00,0x0F
TLS_DH_RSA_WITH_DES_CBC_SHATLS_DH_RSA_WITH_DES_CBC_SHA8 t/ `! I3 i( e+ c" X
0x00,0x10
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHATLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
, n) A- S0 t% X, x
0x00,0x11
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHATLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
' ~8 U. D% v! z. g0 a
0x00,0x12
TLS_DHE_DSS_WITH_DES_CBC_SHATLS_DHE_DSS_WITH_DES_CBC_SHA3 B' \& A3 g. o9 }/ e. D
0x00,0x13
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHATLS_DHE_DSS_3DES_EDE_CBC_SHA1TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
7 w/ Q! C3 i& M  }( B
0x00,0x14
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHATLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
& l" {$ [" U3 d) T1 |+ M
0x00,0x15
TLS_DHE_RSA_WITH_DES_CBC_SHATLS_DHE_RSA_WITH_DES_CBC_SHA" C, Y: S$ X  A- N6 _
0x00,0x17
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
: v* R9 u: N0 Y) o, I' q
0x00,0x18
TLS_DH_anon_WITH_RC4_128_MD5TLS_DH_ANON_ARCFOUR_128_MD5TLS_DH_anon_WITH_RC4_128_MD54 m: Z+ q- v0 W1 ?$ w
0x00,0x19
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHATLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA# `: d. D; g" G
0x00,0x1A
TLS_DH_anon_WITH_DES_CBC_SHATLS_DH_anon_WITH_DES_CBC_SHA
( V# y& i# ]  z! C
0x00,0x1B
TLS_DH_anon_WITH_3DES_EDE_CBC_SHATLS_DH_ANON_3DES_EDE_CBC_SHA1TLS_DH_anon_WITH_3DES_EDE_CBC_SHA/ ?, E* O1 ]# Z* y0 ~
0x00,0x1E
TLS_KRB5_WITH_DES_CBC_SHA
( B! L; W# x/ F
0x00,0x1F
TLS_KRB5_WITH_3DES_EDE_CBC_SHA& K7 F8 w9 l& s8 e, Z
0x00,0x20
TLS_KRB5_WITH_RC4_128_SHA
, H2 r' P0 p4 K% B# V8 c
0x00,0x21
TLS_KRB5_WITH_IDEA_CBC_SHA
# N) t( b9 O) I! G6 s& g1 i& B8 d
0x00,0x22
TLS_KRB5_WITH_DES_CBC_MD5# G: Q+ u: ?$ O5 \" K9 {1 A. m
0x00,0x23
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
& f1 |& |( E* U8 ^
0x00,0x24
TLS_KRB5_WITH_RC4_128_MD5- c. F1 p5 u# e* u6 `) [
0x00,0x25
TLS_KRB5_WITH_IDEA_CBC_MD5
8 y( ?* d  o3 H, i7 s7 k3 Z2 j
0x00,0x26
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
& K' K9 }% q+ f  c; J
0x00,0x27
TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA
2 r7 n) x! S2 M2 p% L) G: j3 {  q) k
0x00,0x28
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
5 N/ i9 x' b& ]% z
0x00,0x29
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD51 [$ x7 L$ M1 Y3 p% k
0x00,0x2A
TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD52 J6 f. j) M2 w. S' R6 ^
0x00,0x2B
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
( e  r& j" a0 x
0x00,0x2C
TLS_PSK_WITH_NULL_SHATLS_PSK_NULL_SHA1PSK-NULL-SHA
! ?# \8 Y. K) e% S7 t
0x00,0x2D
TLS_DHE_PSK_WITH_NULL_SHATLS_DHE_PSK_NULL_SHA1DHE-PSK-NULL-SHA& e; Y- o5 S9 C: x' n, U
0x00,0x2E
TLS_RSA_PSK_WITH_NULL_SHATLS_RSA_PSK_NULL_SHA1RSA-PSK-NULL-SHA
0 T- b( Q, [8 Q, N7 v" z
0x00,0x30
TLS_DH_DSS_WITH_AES_128_CBC_SHATLS_DH_DSS_WITH_AES_128_CBC_SHADH-DSS-AES128-SHA
# v: u. M% ^  y2 c  a
0x00,0x31
TLS_DH_RSA_WITH_AES_128_CBC_SHATLS_DH_RSA_WITH_AES_128_CBC_SHADH-RSA-AES128-SHA0 r4 u. ~, Q' [; d" k
0x00,0x34
TLS_DH_anon_WITH_AES_128_CBC_SHATLS_DH_ANON_AES_128_CBC_SHA1TLS_DH_anon_WITH_AES_128_CBC_SHAADH-AES128-SHA
. w, k/ q4 n: v) L
0x00,0x36
TLS_DH_DSS_WITH_AES_256_CBC_SHATLS_DH_DSS_WITH_AES_256_CBC_SHADH-DSS-AES256-SHA
* z( f/ }0 A1 N( U
0x00,0x37
TLS_DH_RSA_WITH_AES_256_CBC_SHATLS_DH_RSA_WITH_AES_256_CBC_SHADH-RSA-AES256-SHA( D, |9 C+ o' ]% h
0x00,0x3A
TLS_DH_anon_WITH_AES_256_CBC_SHATLS_DH_ANON_AES_256_CBC_SHA1TLS_DH_anon_WITH_AES_256_CBC_SHAADH-AES256-SHA- I! _2 ^% G  E7 C9 x2 g( }
0x00,0x3B
TLS_RSA_WITH_NULL_SHA256TLS_RSA_NULL_SHA256TLS_RSA_WITH_NULL_SHA256NULL-SHA256
4 {- E$ I5 y1 e1 j- I( i! M% N5 g
0x00,0x3E
TLS_DH_DSS_WITH_AES_128_CBC_SHA256DH-DSS-AES128-SHA256* I& t( a8 f9 e
| Hex | IANA | GnuTLS | NSS | OpenSSL |
|---|---|---|---|---|
| 0x00,0x3F | TLS_DH_RSA_WITH_AES_128_CBC_SHA256 | | | DH-RSA-AES128-SHA256 |
| 0x00,0x42 | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA | | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA | DH-DSS-CAMELLIA128-SHA |
| 0x00,0x43 | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA | | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA | DH-RSA-CAMELLIA128-SHA |
| 0x00,0x46 | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA | TLS_DH_ANON_CAMELLIA_128_CBC_SHA1 | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA | ADH-CAMELLIA128-SHA |
| 0x00,0x68 | TLS_DH_DSS_WITH_AES_256_CBC_SHA256 | | | DH-DSS-AES256-SHA256 |
| 0x00,0x69 | TLS_DH_RSA_WITH_AES_256_CBC_SHA256 | | | DH-RSA-AES256-SHA256 |
| 0x00,0x6C | TLS_DH_anon_WITH_AES_128_CBC_SHA256 | TLS_DH_ANON_AES_128_CBC_SHA256 | | ADH-AES128-SHA256 |
| 0x00,0x6D | TLS_DH_anon_WITH_AES_256_CBC_SHA256 | TLS_DH_ANON_AES_256_CBC_SHA256 | | ADH-AES256-SHA256 |
| 0x00,0x85 | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA | | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA | DH-DSS-CAMELLIA256-SHA |
| 0x00,0x86 | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA | | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA | DH-RSA-CAMELLIA256-SHA |
| 0x00,0x89 | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA | TLS_DH_ANON_CAMELLIA_256_CBC_SHA1 | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA | ADH-CAMELLIA256-SHA |
| 0x00,0x8A | TLS_PSK_WITH_RC4_128_SHA | TLS_PSK_ARCFOUR_128_SHA1 | | PSK-RC4-SHA |
| 0x00,0x8B | TLS_PSK_WITH_3DES_EDE_CBC_SHA | TLS_PSK_3DES_EDE_CBC_SHA1 | | PSK-3DES-EDE-CBC-SHA |
| 0x00,0x8C | TLS_PSK_WITH_AES_128_CBC_SHA | TLS_PSK_AES_128_CBC_SHA1 | | PSK-AES128-CBC-SHA |
| 0x00,0x8D | TLS_PSK_WITH_AES_256_CBC_SHA | TLS_PSK_AES_256_CBC_SHA1 | | PSK-AES256-CBC-SHA |
| 0x00,0x8E | TLS_DHE_PSK_WITH_RC4_128_SHA | TLS_DHE_PSK_ARCFOUR_128_SHA1 | | DHE-PSK-RC4-SHA |
| 0x00,0x8F | TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA | TLS_DHE_PSK_3DES_EDE_CBC_SHA1 | | DHE-PSK-3DES-EDE-CBC-SHA |
| 0x00,0x90 | TLS_DHE_PSK_WITH_AES_128_CBC_SHA | TLS_DHE_PSK_AES_128_CBC_SHA1 | | DHE-PSK-AES128-CBC-SHA |
| 0x00,0x91 | TLS_DHE_PSK_WITH_AES_256_CBC_SHA | TLS_DHE_PSK_AES_256_CBC_SHA1 | | DHE-PSK-AES256-CBC-SHA |
| 0x00,0x92 | TLS_RSA_PSK_WITH_RC4_128_SHA | TLS_RSA_PSK_ARCFOUR_128_SHA1 | | RSA-PSK-RC4-SHA |
| 0x00,0x93 | TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA | TLS_RSA_PSK_3DES_EDE_CBC_SHA1 | | RSA-PSK-3DES-EDE-CBC-SHA |
| 0x00,0x94 | TLS_RSA_PSK_WITH_AES_128_CBC_SHA | TLS_RSA_PSK_AES_128_CBC_SHA1 | | RSA-PSK-AES128-CBC-SHA |
| 0x00,0x95 | TLS_RSA_PSK_WITH_AES_256_CBC_SHA | TLS_RSA_PSK_AES_256_CBC_SHA1 | | RSA-PSK-AES256-CBC-SHA |
| 0x00,0x97 | TLS_DH_DSS_WITH_SEED_CBC_SHA | | | DH-DSS-SEED-SHA |
| 0x00,0x98 | TLS_DH_RSA_WITH_SEED_CBC_SHA | | | DH-RSA-SEED-SHA |
| 0x00,0x9B | TLS_DH_anon_WITH_SEED_CBC_SHA | | | ADH-SEED-SHA |
| 0x00,0xA0 | TLS_DH_RSA_WITH_AES_128_GCM_SHA256 | | | DH-RSA-AES128-GCM-SHA256 |
| 0x00,0xA1 | TLS_DH_RSA_WITH_AES_256_GCM_SHA384 | | | DH-RSA-AES256-GCM-SHA384 |
| 0x00,0xA4 | TLS_DH_DSS_WITH_AES_128_GCM_SHA256 | | | DH-DSS-AES128-GCM-SHA256 |
| 0x00,0xA5 | TLS_DH_DSS_WITH_AES_256_GCM_SHA384 | | | DH-DSS-AES256-GCM-SHA384 |
| 0x00,0xA6 | TLS_DH_anon_WITH_AES_128_GCM_SHA256 | TLS_DH_ANON_AES_128_GCM_SHA256 | | ADH-AES128-GCM-SHA256 |
| 0x00,0xA7 | TLS_DH_anon_WITH_AES_256_GCM_SHA384 | TLS_DH_ANON_AES_256_GCM_SHA384 | | ADH-AES256-GCM-SHA384 |
| 0x00,0xA8 | TLS_PSK_WITH_AES_128_GCM_SHA256 | TLS_PSK_AES_128_GCM_SHA256 | | PSK-AES128-GCM-SHA256 |
| 0x00,0xA9 | TLS_PSK_WITH_AES_256_GCM_SHA384 | TLS_PSK_AES_256_GCM_SHA384 | | PSK-AES256-GCM-SHA384 |
| 0x00,0xAA | TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 | TLS_DHE_PSK_AES_128_GCM_SHA256 | | DHE-PSK-AES128-GCM-SHA256 |
| 0x00,0xAB | TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 | TLS_DHE_PSK_AES_256_GCM_SHA384 | | DHE-PSK-AES256-GCM-SHA384 |
| 0x00,0xAC | TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 | TLS_RSA_PSK_AES_128_GCM_SHA256 | | RSA-PSK-AES128-GCM-SHA256 |
| 0x00,0xAD | TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 | TLS_RSA_PSK_AES_256_GCM_SHA384 | | RSA-PSK-AES256-GCM-SHA384 |
| 0x00,0xAE | TLS_PSK_WITH_AES_128_CBC_SHA256 | TLS_PSK_AES_128_CBC_SHA256 | | PSK-AES128-CBC-SHA256 |
| 0x00,0xAF | TLS_PSK_WITH_AES_256_CBC_SHA384 | TLS_PSK_AES_256_CBC_SHA384 | | PSK-AES256-CBC-SHA384 |
| 0x00,0xB0 | TLS_PSK_WITH_NULL_SHA256 | TLS_PSK_NULL_SHA256 | | PSK-NULL-SHA256 |
| 0x00,0xB1 | TLS_PSK_WITH_NULL_SHA384 | TLS_PSK_NULL_SHA384 | | PSK-NULL-SHA384 |
| 0x00,0xB2 | TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 | TLS_DHE_PSK_AES_128_CBC_SHA256 | | DHE-PSK-AES128-CBC-SHA256 |
| 0x00,0xB3 | TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 | TLS_DHE_PSK_AES_256_CBC_SHA384 | | DHE-PSK-AES256-CBC-SHA384 |
| 0x00,0xB4 | TLS_DHE_PSK_WITH_NULL_SHA256 | TLS_DHE_PSK_NULL_SHA256 | | DHE-PSK-NULL-SHA256 |
| 0x00,0xB5 | TLS_DHE_PSK_WITH_NULL_SHA384 | TLS_DHE_PSK_NULL_SHA384 | | DHE-PSK-NULL-SHA384 |
| 0x00,0xB6 | TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 | TLS_RSA_PSK_AES_128_CBC_SHA256 | | RSA-PSK-AES128-CBC-SHA256 |
| 0x00,0xB7 | TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 | TLS_RSA_PSK_AES_256_CBC_SHA384 | | RSA-PSK-AES256-CBC-SHA384 |
| 0x00,0xB8 | TLS_RSA_PSK_WITH_NULL_SHA256 | TLS_RSA_PSK_NULL_SHA256 | | RSA-PSK-NULL-SHA256 |
| 0x00,0xB9 | TLS_RSA_PSK_WITH_NULL_SHA384 | TLS_RSA_PSK_NULL_SHA384 | | RSA-PSK-NULL-SHA384 |
| 0x00,0xBA | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 | TLS_RSA_CAMELLIA_128_CBC_SHA256 | | CAMELLIA128-SHA256 |
| 0x00,0xBB | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 | | | DH-DSS-CAMELLIA128-SHA256 |
| 0x00,0xBC | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 | | | DH-RSA-CAMELLIA128-SHA256 |
| 0x00,0xBD | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 | TLS_DHE_DSS_CAMELLIA_128_CBC_SHA256 | | DHE-DSS-CAMELLIA128-SHA256 |
| 0x00,0xBE | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 | TLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 | | DHE-RSA-CAMELLIA128-SHA256 |
| 0x00,0xBF | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 | TLS_DH_ANON_CAMELLIA_128_CBC_SHA256 | | ADH-CAMELLIA128-SHA256 |
| 0x00,0xC0 | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 | TLS_RSA_CAMELLIA_256_CBC_SHA256 | | CAMELLIA256-SHA256 |
| 0x00,0xC1 | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 | | | DH-DSS-CAMELLIA256-SHA256 |
| 0x00,0xC2 | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 | | | DH-RSA-CAMELLIA256-SHA256 |
| 0x00,0xC3 | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 | TLS_DHE_DSS_CAMELLIA_256_CBC_SHA256 | | DHE-DSS-CAMELLIA256-SHA256 |
| 0x00,0xC4 | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 | TLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 | | DHE-RSA-CAMELLIA256-SHA256 |
| 0x00,0xC5 | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 | TLS_DH_ANON_CAMELLIA_256_CBC_SHA256 | | ADH-CAMELLIA256-SHA256 |
| 0x00,0xFF | TLS_EMPTY_RENEGOTIATION_INFO_SCSV | | TLS_EMPTY_RENEGOTIATION_INFO_SCSV | |
| 0x56,0x00 | TLS_FALLBACK_SCSV | | TLS_FALLBACK_SCSV | |
| 0xC0,0x01 | TLS_ECDH_ECDSA_WITH_NULL_SHA | | TLS_ECDH_ECDSA_WITH_NULL_SHA | ECDH-ECDSA-NULL-SHA |
| 0xC0,0x02 | TLS_ECDH_ECDSA_WITH_RC4_128_SHA | | TLS_ECDH_ECDSA_WITH_RC4_128_SHA | ECDH-ECDSA-RC4-SHA |
| 0xC0,0x03 | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | ECDH-ECDSA-DES-CBC3-SHA |
| 0xC0,0x04 | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | ECDH-ECDSA-AES128-SHA |
| 0xC0,0x05 | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | ECDH-ECDSA-AES256-SHA |
| 0xC0,0x06 | TLS_ECDHE_ECDSA_WITH_NULL_SHA | TLS_ECDHE_ECDSA_NULL_SHA1 | TLS_ECDHE_ECDSA_WITH_NULL_SHA | ECDHE-ECDSA-NULL-SHA |
| 0xC0,0x07 | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | TLS_ECDHE_ECDSA_ARCFOUR_128_SHA1 | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | ECDHE-ECDSA-RC4-SHA |
| 0xC0,0x0B | TLS_ECDH_RSA_WITH_NULL_SHA | | TLS_ECDH_RSA_WITH_NULL_SHA | ECDH-RSA-NULL-SHA |
| 0xC0,0x0C | TLS_ECDH_RSA_WITH_RC4_128_SHA | | TLS_ECDH_RSA_WITH_RC4_128_SHA | ECDH-RSA-RC4-SHA |
| 0xC0,0x0D | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | ECDH-RSA-DES-CBC3-SHA |
| 0xC0,0x0E | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | ECDH-RSA-AES128-SHA |
| 0xC0,0x0F | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | ECDH-RSA-AES256-SHA |
| 0xC0,0x10 | TLS_ECDHE_RSA_WITH_NULL_SHA | TLS_ECDHE_RSA_NULL_SHA1 | TLS_ECDHE_RSA_WITH_NULL_SHA | ECDHE-RSA-NULL-SHA |
| 0xC0,0x11 | TLS_ECDHE_RSA_WITH_RC4_128_SHA | TLS_ECDHE_RSA_ARCFOUR_128_SHA1 | TLS_ECDHE_RSA_WITH_RC4_128_SHA | ECDHE-RSA-RC4-SHA |
| 0xC0,0x15 | TLS_ECDH_anon_WITH_NULL_SHA | TLS_ECDH_ANON_NULL_SHA1 | TLS_ECDH_anon_WITH_NULL_SHA | AECDH-NULL-SHA |
| 0xC0,0x16 | TLS_ECDH_anon_WITH_RC4_128_SHA | TLS_ECDH_ANON_ARCFOUR_128_SHA1 | TLS_ECDH_anon_WITH_RC4_128_SHA | AECDH-RC4-SHA |
| 0xC0,0x17 | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | TLS_ECDH_ANON_3DES_EDE_CBC_SHA1 | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | AECDH-DES-CBC3-SHA |
| 0xC0,0x18 | TLS_ECDH_anon_WITH_AES_128_CBC_SHA | TLS_ECDH_ANON_AES_128_CBC_SHA1 | TLS_ECDH_anon_WITH_AES_128_CBC_SHA | AECDH-AES128-SHA |
| 0xC0,0x19 | TLS_ECDH_anon_WITH_AES_256_CBC_SHA | TLS_ECDH_ANON_AES_256_CBC_SHA1 | TLS_ECDH_anon_WITH_AES_256_CBC_SHA | AECDH-AES256-SHA |
| 0xC0,0x1A | TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA | TLS_SRP_SHA_3DES_EDE_CBC_SHA1 | | SRP-3DES-EDE-CBC-SHA |
| 0xC0,0x1B | TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA | TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 | | SRP-RSA-3DES-EDE-CBC-SHA |
| 0xC0,0x1C | TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA | TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 | | SRP-DSS-3DES-EDE-CBC-SHA |
| 0xC0,0x1D | TLS_SRP_SHA_WITH_AES_128_CBC_SHA | TLS_SRP_SHA_AES_128_CBC_SHA1 | | SRP-AES-128-CBC-SHA |
| 0xC0,0x1E | TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA | TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 | | SRP-RSA-AES-128-CBC-SHA |
| 0xC0,0x1F | TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA | TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 | | SRP-DSS-AES-128-CBC-SHA |
| 0xC0,0x20 | TLS_SRP_SHA_WITH_AES_256_CBC_SHA | TLS_SRP_SHA_AES_256_CBC_SHA1 | | SRP-AES-256-CBC-SHA |
| 0xC0,0x21 | TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA | TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 | | SRP-RSA-AES-256-CBC-SHA |
| 0xC0,0x22 | TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA | TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 | | SRP-DSS-AES-256-CBC-SHA |
| 0xC0,0x25 | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | | | ECDH-ECDSA-AES128-SHA256 |
| 0xC0,0x26 | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | | | ECDH-ECDSA-AES256-SHA384 |
| 0xC0,0x29 | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | | | ECDH-RSA-AES128-SHA256 |
| 0xC0,0x2A | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | | | ECDH-RSA-AES256-SHA384 |
| 0xC0,0x2D | TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | | TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | ECDH-ECDSA-AES128-GCM-SHA256 |
| 0xC0,0x2E | TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | | | ECDH-ECDSA-AES256-GCM-SHA384 |
| 0xC0,0x31 | TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | | TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | ECDH-RSA-AES128-GCM-SHA256 |
| 0xC0,0x32 | TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | | | ECDH-RSA-AES256-GCM-SHA384 |
| 0xC0,0x33 | TLS_ECDHE_PSK_WITH_RC4_128_SHA | TLS_ECDHE_PSK_ARCFOUR_128_SHA1 | | ECDHE-PSK-RC4-SHA |
| 0xC0,0x34 | TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA | TLS_ECDHE_PSK_3DES_EDE_CBC_SHA1 | | ECDHE-PSK-3DES-EDE-CBC-SHA |
| 0xC0,0x35 | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA | TLS_ECDHE_PSK_AES_128_CBC_SHA1 | | ECDHE-PSK-AES128-CBC-SHA |
| 0xC0,0x36 | TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA | TLS_ECDHE_PSK_AES_256_CBC_SHA1 | | ECDHE-PSK-AES256-CBC-SHA |
| 0xC0,0x37 | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_PSK_AES_128_CBC_SHA256 | | ECDHE-PSK-AES128-CBC-SHA256 |
| 0xC0,0x38 | TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 | TLS_ECDHE_PSK_AES_256_CBC_SHA384 | | ECDHE-PSK-AES256-CBC-SHA384 |
| 0xC0,0x39 | TLS_ECDHE_PSK_WITH_NULL_SHA | TLS_ECDHE_PSK_NULL_SHA1 | | ECDHE-PSK-NULL-SHA |
| 0xC0,0x3A | TLS_ECDHE_PSK_WITH_NULL_SHA256 | TLS_ECDHE_PSK_NULL_SHA256 | | ECDHE-PSK-NULL-SHA256 |
| 0xC0,0x3B | TLS_ECDHE_PSK_WITH_NULL_SHA384 | TLS_ECDHE_PSK_NULL_SHA384 | | ECDHE-PSK-NULL-SHA384 |
| 0xC0,0x3C | TLS_RSA_WITH_ARIA_128_CBC_SHA256 | | | |
| 0xC0,0x3D | TLS_RSA_WITH_ARIA_256_CBC_SHA384 | | | |
| 0xC0,0x3E | TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 | | | |
| 0xC0,0x3F | TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 | | | |
| 0xC0,0x40 | TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 | | | |
| 0xC0,0x41 | TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 | | | |
| 0xC0,0x42 | TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 | | | |
| 0xC0,0x43 | TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 | | | |
| 0xC0,0x44 | TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 | | | |
| 0xC0,0x45 | TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 | | | |
| 0xC0,0x46 | TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 | | | |
| 0xC0,0x47 | TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 | | | |
| 0xC0,0x48 | TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 | | | |
| 0xC0,0x49 | TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 | | | |
| 0xC0,0x4A | TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 | | | |
| 0xC0,0x4B | TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 | | | |
| 0xC0,0x4C | TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 | | | |
| 0xC0,0x4D | TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 | | | |
| 0xC0,0x4E | TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 | | | |
| 0xC0,0x4F | TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 | | | |
| 0xC0,0x50 | TLS_RSA_WITH_ARIA_128_GCM_SHA256 | | | |
| 0xC0,0x51 | TLS_RSA_WITH_ARIA_256_GCM_SHA384 | | | |
| 0xC0,0x52 | TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 | | | |
| 0xC0,0x53 | TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 | | | |
| 0xC0,0x54 | TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 | | | |
| 0xC0,0x55 | TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 | | | |
| 0xC0,0x56 | TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 | | | |
| 0xC0,0x57 | TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 | | | |
| 0xC0,0x58 | TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 | | | |
| 0xC0,0x59 | TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 | | | |
| 0xC0,0x5A | TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 | | | |
| 0xC0,0x5B | TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 | | | |
| 0xC0,0x5C | TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 | | | |
| 0xC0,0x5D | TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 | | | |
| 0xC0,0x5E | TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 | | | |
| 0xC0,0x5F | TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 | | | |
| 0xC0,0x60 | TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 | | | |
| 0xC0,0x61 | TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 | | | |
| 0xC0,0x62 | TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 | | | |
| 0xC0,0x63 | TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 | | | |
| 0xC0,0x64 | TLS_PSK_WITH_ARIA_128_CBC_SHA256 | | | |
| 0xC0,0x65 | TLS_PSK_WITH_ARIA_256_CBC_SHA384 | | | |
| 0xC0,0x66 | TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 | | | |
| 0xC0,0x67 | TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 | | | |
| 0xC0,0x68 | TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 | | | |
| 0xC0,0x69 | TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 | | | |
| 0xC0,0x6A | TLS_PSK_WITH_ARIA_128_GCM_SHA256 | | | |
| 0xC0,0x6B | TLS_PSK_WITH_ARIA_256_GCM_SHA384 | | | |
| 0xC0,0x6C | TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 | | | |
| 0xC0,0x6D | TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 | | | |
| 0xC0,0x6E | TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 | | | |
| 0xC0,0x6F | TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 | | | |
| 0xC0,0x70 | TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 | | | |
| 0xC0,0x71 | TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 | | | |
| 0xC0,0x72 | TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 | TLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 | | ECDHE-ECDSA-CAMELLIA128-SHA256 |
| 0xC0,0x73 | TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 | TLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 | | ECDHE-ECDSA-CAMELLIA256-SHA384 |
| 0xC0,0x74 | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 | | | ECDH-ECDSA-CAMELLIA128-SHA256 |
| 0xC0,0x75 | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 | | | ECDH-ECDSA-CAMELLIA256-SHA384 |
| 0xC0,0x76 | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 | TLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 | | ECDHE-RSA-CAMELLIA128-SHA256 |
| 0xC0,0x77 | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 | TLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 | | ECDHE-RSA-CAMELLIA256-SHA384 |
| 0xC0,0x78 | TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 | | | ECDH-RSA-CAMELLIA128-SHA256 |
| 0xC0,0x79 | TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 | | | ECDH-RSA-CAMELLIA256-SHA384 |
| 0xC0,0x7A | TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 | TLS_RSA_CAMELLIA_128_GCM_SHA256 | | |
| 0xC0,0x7B | TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 | TLS_RSA_CAMELLIA_256_GCM_SHA384 | | |
| 0xC0,0x7C | TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 | TLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 | | |
| 0xC0,0x7D | TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 | TLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 | | |
| 0xC0,0x7E | TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 | | | |
| 0xC0,0x7F | TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 | | | |
| 0xC0,0x80 | TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 | TLS_DHE_DSS_CAMELLIA_128_GCM_SHA256 | | |
| 0xC0,0x81 | TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 | TLS_DHE_DSS_CAMELLIA_256_GCM_SHA384 | | |
| 0xC0,0x82 | TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 | | | |
| 0xC0,0x83 | TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 | | | |
| 0xC0,0x84 | TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 | TLS_DH_ANON_CAMELLIA_128_GCM_SHA256 | | |
| 0xC0,0x85 | TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 | TLS_DH_ANON_CAMELLIA_256_GCM_SHA384 | | |
| 0xC0,0x86 | TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 | TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 | | |
| 0xC0,0x87 | TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 | TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 | | |
| 0xC0,0x88 | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 | | | |
| 0xC0,0x89 | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 | | | |
| 0xC0,0x8A | TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 | TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 | | |
| 0xC0,0x8B | TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 | TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 | | |
| 0xC0,0x8C | TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 | | | |
| 0xC0,0x8D | TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 | | | |
| 0xC0,0x8E | TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 | TLS_PSK_CAMELLIA_128_GCM_SHA256 | | |
| 0xC0,0x8F | TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 | TLS_PSK_CAMELLIA_256_GCM_SHA384 | | |
| 0xC0,0x90 | TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 | TLS_DHE_PSK_CAMELLIA_128_GCM_SHA256 | | |
| 0xC0,0x91 | TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 | TLS_DHE_PSK_CAMELLIA_256_GCM_SHA384 | | |
| 0xC0,0x92 | TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 | TLS_RSA_PSK_CAMELLIA_128_GCM_SHA256 | | |
| 0xC0,0x93 | TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 | TLS_RSA_PSK_CAMELLIA_256_GCM_SHA384 | | |
| 0xC0,0x94 | TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 | TLS_PSK_CAMELLIA_128_CBC_SHA256 | | PSK-CAMELLIA128-SHA256 |
| 0xC0,0x95 | TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 | TLS_PSK_CAMELLIA_256_CBC_SHA384 | | PSK-CAMELLIA256-SHA384 |
| 0xC0,0x96 | TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 | TLS_DHE_PSK_CAMELLIA_128_CBC_SHA256 | | DHE-PSK-CAMELLIA128-SHA256 |
| 0xC0,0x97 | TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 | TLS_DHE_PSK_CAMELLIA_256_CBC_SHA384 | | DHE-PSK-CAMELLIA256-SHA384 |
| 0xC0,0x98 | TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 | TLS_RSA_PSK_CAMELLIA_128_CBC_SHA256 | | RSA-PSK-CAMELLIA128-SHA256 |
| 0xC0,0x99 | TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 | TLS_RSA_PSK_CAMELLIA_256_CBC_SHA384 | | RSA-PSK-CAMELLIA256-SHA384 |
| 0xC0,0x9A | TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 | TLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256 | | ECDHE-PSK-CAMELLIA128-SHA256 |
| 0xC0,0x9B | TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 | TLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384 | | ECDHE-PSK-CAMELLIA256-SHA384 |
| 0xC0,0x9C | TLS_RSA_WITH_AES_128_CCM | TLS_RSA_AES_128_CCM | | AES128-CCM |
| 0xC0,0x9D | TLS_RSA_WITH_AES_256_CCM | TLS_RSA_AES_256_CCM | | AES256-CCM |
| 0xC0,0x9E | TLS_DHE_RSA_WITH_AES_128_CCM | TLS_DHE_RSA_AES_128_CCM | | DHE-RSA-AES128-CCM |
| 0xC0,0x9F | TLS_DHE_RSA_WITH_AES_256_CCM | TLS_DHE_RSA_AES_256_CCM | | DHE-RSA-AES256-CCM |
| 0xC0,0xA0 | TLS_RSA_WITH_AES_128_CCM_8 | TLS_RSA_AES_128_CCM_8 | | AES128-CCM8 |
| 0xC0,0xA1 | TLS_RSA_WITH_AES_256_CCM_8 | TLS_RSA_AES_256_CCM_8 | | AES256-CCM8 |
| 0xC0,0xA2 | TLS_DHE_RSA_WITH_AES_128_CCM_8 | TLS_DHE_RSA_AES_128_CCM_8 | | DHE-RSA-AES128-CCM8 |
| 0xC0,0xA3 | TLS_DHE_RSA_WITH_AES_256_CCM_8 | TLS_DHE_RSA_AES_256_CCM_8 | | DHE-RSA-AES256-CCM8 |
| 0xC0,0xA4 | TLS_PSK_WITH_AES_128_CCM | TLS_PSK_AES_128_CCM | | PSK-AES128-CCM |
| 0xC0,0xA5 | TLS_PSK_WITH_AES_256_CCM | TLS_PSK_AES_256_CCM | | PSK-AES256-CCM |
| 0xC0,0xA6 | TLS_DHE_PSK_WITH_AES_128_CCM | TLS_DHE_PSK_AES_128_CCM | | DHE-PSK-AES128-CCM |
| 0xC0,0xA7 | TLS_DHE_PSK_WITH_AES_256_CCM | TLS_DHE_PSK_AES_256_CCM | | DHE-PSK-AES256-CCM |
| 0xC0,0xA8 | TLS_PSK_WITH_AES_128_CCM_8 | TLS_PSK_AES_128_CCM_8 | | PSK-AES128-CCM8 |
| 0xC0,0xA9 | TLS_PSK_WITH_AES_256_CCM_8 | TLS_PSK_AES_256_CCM_8 | | PSK-AES256-CCM8 |
| 0xC0,0xAA | TLS_PSK_DHE_WITH_AES_128_CCM_8 | TLS_DHE_PSK_AES_128_CCM_8 | | DHE-PSK-AES128-CCM8 |
| 0xC0,0xAB | TLS_PSK_DHE_WITH_AES_256_CCM_8 | TLS_DHE_PSK_AES_256_CCM_8 | | DHE-PSK-AES256-CCM8 |
| 0xC0,0xAC | TLS_ECDHE_ECDSA_WITH_AES_128_CCM | TLS_ECDHE_ECDSA_AES_128_CCM | | ECDHE-ECDSA-AES128-CCM |
| 0xC0,0xAD | TLS_ECDHE_ECDSA_WITH_AES_256_CCM | TLS_ECDHE_ECDSA_AES_256_CCM | | ECDHE-ECDSA-AES256-CCM |
| 0xC0,0xAE | TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 | TLS_ECDHE_ECDSA_AES_128_CCM_8 | | ECDHE-ECDSA-AES128-CCM8 |
| 0xC0,0xAF | TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 | TLS_ECDHE_ECDSA_AES_256_CCM_8 | | ECDHE-ECDSA-AES256-CCM8 |
The table above was automatically generated via: https://github.com/marumari/tls-table/blob/master/tls-table.py.
Colors correspond to the Modern, Intermediate, and Old compatibility levels. Each compatibility level is a superset of the more modern levels above it.
GnuTLS ciphersuite
Unlike OpenSSL, GnuTLS will panic if you give it ciphers that aren't supported by the library. That makes it very difficult to share a default ciphersuite to use in GnuTLS. The next best thing is using the following ciphersuite, and removing the components that break on your own version:
NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL
A ciphersuite can be tested in GnuTLS using gnutls-cli.
```
$ gnutls-cli --version
gnutls-cli 3.1.26

$ gnutls-cli -l --priority NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL
Cipher suites for NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL
TLS_ECDHE_RSA_AES_128_GCM_SHA256                    0xc0, 0x2f  TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA256                    0xc0, 0x27  TLS1.0
TLS_ECDHE_RSA_AES_128_CBC_SHA1                      0xc0, 0x13  SSL3.0
TLS_ECDHE_RSA_AES_256_CBC_SHA1                      0xc0, 0x14  SSL3.0
TLS_DHE_RSA_AES_128_GCM_SHA256                      0x00, 0x9e  TLS1.2
TLS_DHE_RSA_AES_128_CBC_SHA256                      0x00, 0x67  TLS1.0
TLS_DHE_RSA_AES_128_CBC_SHA1                        0x00, 0x33  SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA256                      0x00, 0x6b  TLS1.0
TLS_DHE_RSA_AES_256_CBC_SHA1                        0x00, 0x39  SSL3.0
TLS_RSA_AES_128_GCM_SHA256                          0x00, 0x9c  TLS1.2
TLS_RSA_AES_128_CBC_SHA256                          0x00, 0x3c  TLS1.0
TLS_RSA_AES_128_CBC_SHA1                            0x00, 0x2f  SSL3.0
TLS_RSA_AES_256_CBC_SHA256                          0x00, 0x3d  TLS1.0
TLS_RSA_AES_256_CBC_SHA1                            0x00, 0x35  SSL3.0

Certificate types: none
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
Compression: COMP-NULL
Elliptic curves: CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-SHA224, SIGN-RSA-SHA1, SIGN-DSA-SHA256, SIGN-DSA-SHA224, SIGN-DSA-SHA1
```
A good way to debug the ciphersuite is by performing a test connection. If the ciphersuite isn't supported, gnutls-cli will stop reading it at the component that is causing the issue.
```
$ gnutls-cli --debug 9999 google.com --priority 'NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL'
|<2>| ASSERT: gnutls_priority.c:812
Syntax error at: +SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+SHA256:+SHA384:+SHA1:+COMP-NULL
```
In the example above, the component SIGN-RSA-SHA224 is not supported by this version of gnutls and should be removed from the ciphersuite.
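The "remove the components that break" step can be automated. The script below is an added example, not part of the original page or of GnuTLS: it repeatedly lists the priority string, reads the first component named after "Syntax error at:", drops it, and retries until the string is accepted. The function names, `PAGE_PRIORITY` and the `fake_old_gnutls` stand-in are hypothetical; it assumes `gnutls-cli -l --priority` reports a rejected string with the same "Syntax error at:" message and a non-zero exit status.

```bash
#!/usr/bin/env bash
# Prune a GnuTLS priority string down to what the local library accepts.

# Priority string recommended on this page.
PAGE_PRIORITY='NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL'

# stdin: gnutls-cli output. stdout: the first component after
# "Syntax error at:", i.e. the one the parser stopped on.
offending_component() {
    sed -n 's/^Syntax error at: *//p' | head -n 1 | cut -d: -f1
}

# $1 = priority string, $2 = component to drop (exact match, e.g. +SIGN-RSA-SHA224).
remove_component() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -Fxv -e "$2" | paste -sd: -
}

# Real checker. Assumption: listing mode fails with "Syntax error at: ..."
# and a non-zero status when the string contains an unsupported component.
gnutls_check() {
    gnutls-cli -l --priority "$1"
}

# Constructed stand-in for an older GnuTLS build that lacks the two SHA224
# signature components, so the loop can be exercised offline.
fake_old_gnutls() {
    local rest="$1" tok
    while [ -n "$rest" ]; do
        tok=${rest%%:*}
        case $tok in
            +SIGN-RSA-SHA224|+SIGN-DSA-SHA224)
                printf 'Syntax error at: %s\n' "$rest" >&2
                return 1 ;;
        esac
        case $rest in
            *:*) rest=${rest#*:} ;;
            *)   rest="" ;;
        esac
    done
    printf 'Cipher suites for %s\n' "$1"
}

# $1 = priority string, $2 = checker function (defaults to gnutls_check).
# Prints the accepted string on stdout; logs each dropped component on stderr.
# Returns 1 if the failure is not a syntax error or no progress can be made.
prune_priority() {
    local prio="$1" check="${2:-gnutls_check}" out bad next
    while :; do
        if out=$("$check" "$prio" 2>&1); then
            printf '%s\n' "$prio"
            return 0
        fi
        bad=$(printf '%s\n' "$out" | offending_component)
        next=$(remove_component "$prio" "$bad")
        if [ -z "$bad" ] || [ "$next" = "$prio" ]; then
            printf 'cannot repair priority string: %s\n' "$out" >&2
            return 1
        fi
        printf 'dropping unsupported component: %s\n' "$bad" >&2
        prio=$next
    done
}

# Offline demonstration against the constructed stand-in.
prune_priority "$PAGE_PRIORITY" fake_old_gnutls
```

Call `prune_priority "$PAGE_PRIORITY"` with no second argument to check against the installed `gnutls-cli`, and review the dropped components before deploying the result: each removal narrows what the server will negotiate.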
Version History
| Version | Editor | Changes |
|---|---|---|
| 4 | Julien Vehent | Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON |
| 3.8 | Julien Vehent | redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr) |
| 3.7 | Julien Vehent | cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne) |
| 3.6 | Julien Vehent | bump intermediate DHE to 2048, add note about java compatibility |
| 3.5 | alm | comment on weakdh vulnerability |
| 3.4 | Julien Vehent | added note about session resumption, HSTS, and HPKP |
| 3.3 | Julien Vehent | fix SHA256 prio, add POODLE details, update various templates |
| 3.2 | Julien Vehent | Added intermediate compatibility mode, renamed other modes |
| 3.1 | Julien Vehent | Added non-backward compatible ciphersuite |
| 3 | Julien Vehent | Remove RC4 for 3DES, fix ordering in openssl 0.9.8 (1024430), various minor updates |
| 2.5.1 | Julien Vehent | Revisit ELB capabilities |
| 2.5 | Julien Vehent | Update ZLB information for OCSP Stapling and ciphersuite |
| 2.4 | Julien Vehent | Moved a couple of aes128 above aes256 in the ciphersuite |
| 2.3 | Julien Vehent | Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser) |
| 2.2 | Julien Vehent | Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool |
| 2.1 | Julien Vehent | RC4 vs 3DES discussion. r=joes r=tinfoil |
| 2.0 | Julien Vehent, kang | Public release. |
| 1.5 | Julien Vehent, kang | added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf |
| 1.4 | Julien Vehent | revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE. |
| 1.3 | Julien Vehent | added netscaler example conf |
| 1.2 | Julien Vehent | ciphersuite update, bump DHE-AESGCM above ECDH-RC4 |
| 1.1 | Julien Vehent, kang | integrated review comments from Infra; SPDY information |
| 1.0 | Julien Vehent | creation |
Document Status: READY