Security/Server Side TLS

From MozillaWiki

The goal of this document is to help operational teams with the configuration of TLS on servers. All Mozilla sites and deployments should follow the recommendations below.

The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools. Changes are reviewed and merged by the OpSec team, and broadcast to the various Operational teams.

Document Status: READY

Major Versions:
  • Version 2.5.1: ulfr: Revisit ELB capabilities
  • Version 2.5: ulfr: Update ZLB information for OCSP Stapling and ciphersuite
  • Version 2.4: ulfr: Moved a couple of aes128 above aes256 in the ciphersuite
  • Version 2.3: ulfr: Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)
  • Version 2.2: ulfr: Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool
  • Version 2.1: ulfr: RC4 vs 3DES discussion. r=joes r=tinfoil
  • Version 2: Public release. r=ulfr r=kang
  • Version 1.5: Julien Vehent (ulfr) added details for PFS DHE handshake, added nginx configuration details; Guillaume Destuynder (kang): added Apache recommended conf
  • Version 1.4: ulfr: revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.
  • Version 1.3: ulfr: added netscaler example conf
  • Version 1.2: ulfr: ciphersuite update: bump DHE-AESGCM above ECDH-RC4
  • Version 1.1: ulfr: integrated review comments from Infra; kang: SPDY information
  • Version 1: ulfr: creation

Recommended Ciphersuite

The general purpose ciphersuite at the time of this writing is:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

If your version of OpenSSL is old, unavailable ciphers will be discarded automatically. Always use the full ciphersuite above and let OpenSSL pick the ones it supports.

The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. The recommendation above prioritizes algorithms that provide perfect forward secrecy.

The listing below shows the list of algorithms returned by this ciphersuite. If you have to pick them manually for your application, make sure you keep this ordering.

Older versions of OpenSSL may not return the full list of algorithms. AES-GCM and some ECDHE are fairly recent, and not present on most versions of OpenSSL shipped with Ubuntu or RHEL. The listing below was obtained from a freshly built OpenSSL.

$ openssl ciphers -v 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:
DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:
ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:
DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:
AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK' |column -t

ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH        Au=RSA    Enc=AESGCM(128)    Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH        Au=RSA    Enc=AESGCM(256)    Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD
DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH          Au=RSA    Enc=AESGCM(128)    Mac=AEAD
DHE-DSS-AES128-GCM-SHA256      TLSv1.2  Kx=DH          Au=DSS    Enc=AESGCM(128)    Mac=AEAD
DHE-DSS-AES256-GCM-SHA384      TLSv1.2  Kx=DH          Au=DSS    Enc=AESGCM(256)    Mac=AEAD
DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH          Au=RSA    Enc=AESGCM(256)    Mac=AEAD
ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH        Au=RSA    Enc=AES(128)       Mac=SHA256
ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AES(128)       Mac=SHA256
ECDHE-RSA-AES128-SHA           SSLv3    Kx=ECDH        Au=RSA    Enc=AES(128)       Mac=SHA1
ECDHE-ECDSA-AES128-SHA         SSLv3    Kx=ECDH        Au=ECDSA  Enc=AES(128)       Mac=SHA1
ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH        Au=RSA    Enc=AES(256)       Mac=SHA384
ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH        Au=ECDSA  Enc=AES(256)       Mac=SHA384
ECDHE-RSA-AES256-SHA           SSLv3    Kx=ECDH        Au=RSA    Enc=AES(256)       Mac=SHA1
ECDHE-ECDSA-AES256-SHA         SSLv3    Kx=ECDH        Au=ECDSA  Enc=AES(256)       Mac=SHA1
DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH          Au=RSA    Enc=AES(128)       Mac=SHA256
DHE-RSA-AES128-SHA             SSLv3    Kx=DH          Au=RSA    Enc=AES(128)       Mac=SHA1
DHE-DSS-AES128-SHA256          TLSv1.2  Kx=DH          Au=DSS    Enc=AES(128)       Mac=SHA256
DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH          Au=RSA    Enc=AES(256)       Mac=SHA256
DHE-DSS-AES256-SHA             SSLv3    Kx=DH          Au=DSS    Enc=AES(256)       Mac=SHA1
DHE-RSA-AES256-SHA             SSLv3    Kx=DH          Au=RSA    Enc=AES(256)       Mac=SHA1
AES128-GCM-SHA256              TLSv1.2  Kx=RSA         Au=RSA    Enc=AESGCM(128)    Mac=AEAD
AES256-GCM-SHA384              TLSv1.2  Kx=RSA         Au=RSA    Enc=AESGCM(256)    Mac=AEAD
ECDHE-RSA-RC4-SHA              SSLv3    Kx=ECDH        Au=RSA    Enc=RC4(128)       Mac=SHA1
ECDHE-ECDSA-RC4-SHA            SSLv3    Kx=ECDH        Au=ECDSA  Enc=RC4(128)       Mac=SHA1
SRP-DSS-AES-128-CBC-SHA        SSLv3    Kx=SRP         Au=DSS    Enc=AES(128)       Mac=SHA1
SRP-RSA-AES-128-CBC-SHA        SSLv3    Kx=SRP         Au=RSA    Enc=AES(128)       Mac=SHA1
DH-DSS-AES128-GCM-SHA256       TLSv1.2  Kx=DH/DSS      Au=DH     Enc=AESGCM(128)    Mac=AEAD
DH-RSA-AES128-GCM-SHA256       TLSv1.2  Kx=DH/RSA      Au=DH     Enc=AESGCM(128)    Mac=AEAD
DH-RSA-AES128-SHA256           TLSv1.2  Kx=DH/RSA      Au=DH     Enc=AES(128)       Mac=SHA256
DH-DSS-AES128-SHA256           TLSv1.2  Kx=DH/DSS      Au=DH     Enc=AES(128)       Mac=SHA256
DHE-DSS-AES128-SHA             SSLv3    Kx=DH          Au=DSS    Enc=AES(128)       Mac=SHA1
DH-RSA-AES128-SHA              SSLv3    Kx=DH/RSA      Au=DH     Enc=AES(128)       Mac=SHA1
DH-DSS-AES128-SHA              SSLv3    Kx=DH/DSS      Au=DH     Enc=AES(128)       Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256     TLSv1.2  Kx=ECDH/RSA    Au=ECDH   Enc=AESGCM(128)    Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256   TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH   Enc=AESGCM(128)    Mac=AEAD
ECDH-RSA-AES128-SHA256         TLSv1.2  Kx=ECDH/RSA    Au=ECDH   Enc=AES(128)       Mac=SHA256
ECDH-ECDSA-AES128-SHA256       TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH   Enc=AES(128)       Mac=SHA256
ECDH-RSA-AES128-SHA            SSLv3    Kx=ECDH/RSA    Au=ECDH   Enc=AES(128)       Mac=SHA1
ECDH-ECDSA-AES128-SHA          SSLv3    Kx=ECDH/ECDSA  Au=ECDH   Enc=AES(128)       Mac=SHA1
AES128-SHA256                  TLSv1.2  Kx=RSA         Au=RSA    Enc=AES(128)       Mac=SHA256
AES128-SHA                     SSLv3    Kx=RSA         Au=RSA    Enc=AES(128)       Mac=SHA1
SRP-DSS-AES-256-CBC-SHA        SSLv3    Kx=SRP         Au=DSS    Enc=AES(256)       Mac=SHA1
SRP-RSA-AES-256-CBC-SHA        SSLv3    Kx=SRP         Au=RSA    Enc=AES(256)       Mac=SHA1
DH-DSS-AES256-GCM-SHA384       TLSv1.2  Kx=DH/DSS      Au=DH     Enc=AESGCM(256)    Mac=AEAD
DH-RSA-AES256-GCM-SHA384       TLSv1.2  Kx=DH/RSA      Au=DH     Enc=AESGCM(256)    Mac=AEAD
DHE-DSS-AES256-SHA256          TLSv1.2  Kx=DH          Au=DSS    Enc=AES(256)       Mac=SHA256
DH-RSA-AES256-SHA256           TLSv1.2  Kx=DH/RSA      Au=DH     Enc=AES(256)       Mac=SHA256
DH-DSS-AES256-SHA256           TLSv1.2  Kx=DH/DSS      Au=DH     Enc=AES(256)       Mac=SHA256
DH-RSA-AES256-SHA              SSLv3    Kx=DH/RSA      Au=DH     Enc=AES(256)       Mac=SHA1
DH-DSS-AES256-SHA              SSLv3    Kx=DH/DSS      Au=DH     Enc=AES(256)       Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384     TLSv1.2  Kx=ECDH/RSA    Au=ECDH   Enc=AESGCM(256)    Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384   TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH   Enc=AESGCM(256)    Mac=AEAD
ECDH-RSA-AES256-SHA384         TLSv1.2  Kx=ECDH/RSA    Au=ECDH   Enc=AES(256)       Mac=SHA384
ECDH-ECDSA-AES256-SHA384       TLSv1.2  Kx=ECDH/ECDSA  Au=ECDH   Enc=AES(256)       Mac=SHA384
ECDH-RSA-AES256-SHA            SSLv3    Kx=ECDH/RSA    Au=ECDH   Enc=AES(256)       Mac=SHA1
ECDH-ECDSA-AES256-SHA          SSLv3    Kx=ECDH/ECDSA  Au=ECDH   Enc=AES(256)       Mac=SHA1
AES256-SHA256                  TLSv1.2  Kx=RSA         Au=RSA    Enc=AES(256)       Mac=SHA256
AES256-SHA                     SSLv3    Kx=RSA         Au=RSA    Enc=AES(256)       Mac=SHA1
RC4-SHA                        SSLv3    Kx=RSA         Au=RSA    Enc=RC4(128)       Mac=SHA1
DHE-RSA-CAMELLIA256-SHA        SSLv3    Kx=DH          Au=RSA    Enc=Camellia(256)  Mac=SHA1
DHE-DSS-CAMELLIA256-SHA        SSLv3    Kx=DH          Au=DSS    Enc=Camellia(256)  Mac=SHA1
DH-RSA-CAMELLIA256-SHA         SSLv3    Kx=DH/RSA      Au=DH     Enc=Camellia(256)  Mac=SHA1
DH-DSS-CAMELLIA256-SHA         SSLv3    Kx=DH/DSS      Au=DH     Enc=Camellia(256)  Mac=SHA1
CAMELLIA256-SHA                SSLv3    Kx=RSA         Au=RSA    Enc=Camellia(256)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA        SSLv3    Kx=DH          Au=RSA    Enc=Camellia(128)  Mac=SHA1
DHE-DSS-CAMELLIA128-SHA        SSLv3    Kx=DH          Au=DSS    Enc=Camellia(128)  Mac=SHA1
DH-RSA-CAMELLIA128-SHA         SSLv3    Kx=DH/RSA      Au=DH     Enc=Camellia(128)  Mac=SHA1
DH-DSS-CAMELLIA128-SHA         SSLv3    Kx=DH/DSS      Au=DH     Enc=Camellia(128)  Mac=SHA1
CAMELLIA128-SHA                SSLv3    Kx=RSA         Au=RSA    Enc=Camellia(128)  Mac=SHA1

The ciphers are described here: http://www.openssl.org/docs/apps/ciphers.html

Prioritization logic

  1. ECDHE+AESGCM ciphers are selected first. These are TLS 1.2 ciphers and not widely supported at the moment. No known attacks currently target these ciphers.
  2. PFS ciphersuites are preferred, with ECDHE first, then DHE.
  3. AES 128 is preferred to AES 256. There have been discussions on whether the extra security of AES256 was worth the cost, and the result is far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.
  4. AES is preferred to RC4. BEAST attacks on AES are mitigated in TLS 1.1 and above, and difficult to achieve in TLS 1.0. In comparison, attacks on RC4 are not mitigated and likely to become more and more dangerous.
  5. RC4 is on the path to removal, but still present for backward compatibility; see the discussion in the "RC4 weaknesses" section.

Mandatory discards

  • aNULL contains non-authenticated Diffie-Hellman key exchanges, that are subject to Man-In-The-Middle (MITM) attacks
  • eNULL contains null-encryption ciphers (cleartext)
  • EXPORT are legacy weak ciphers that were marked as exportable by US law
  • DES contains ciphers that use the deprecated Data Encryption Standard
  • SSLv2 contains all ciphers that were defined in the old version of the SSL standard, now deprecated
  • MD5 contains all the ciphers that use the deprecated message digest 5 as the hashing algorithm
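
The prioritization logic and mandatory discards above can be checked mechanically against the output of `openssl ciphers -v`. The following is an added example, not part of the original page: the function names and the sample listing are constructed for illustration, and the parser assumes the column format shown in the listing earlier on this page.

```python
import re

# Constructed sample in `openssl ciphers -v` format (not output from a real server).
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH      Au=RSA   Enc=AESGCM(128)  Mac=AEAD
DHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=DH        Au=RSA   Enc=AESGCM(128)  Mac=AEAD
ECDHE-RSA-AES128-SHA         SSLv3    Kx=ECDH      Au=RSA   Enc=AES(128)     Mac=SHA1
AES128-SHA                   SSLv3    Kx=RSA       Au=RSA   Enc=AES(128)     Mac=SHA1
DHE-RSA-AES256-SHA           SSLv3    Kx=DH        Au=RSA   Enc=AES(256)     Mac=SHA1
RC4-SHA                      SSLv3    Kx=RSA       Au=RSA   Enc=RC4(128)     Mac=SHA1
ADH-AES128-SHA               SSLv3    Kx=DH        Au=None  Enc=AES(128)     Mac=SHA1
EXP-RC4-MD5                  SSLv3    Kx=RSA(512)  Au=RSA   Enc=RC4(40)      Mac=MD5   export
"""


def parse_ciphers(listing):
    """Parse `openssl ciphers -v` lines into dicts, keeping the priority order."""
    ciphers = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or malformed line
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        ciphers.append({
            "rank": len(ciphers) + 1,
            "name": fields[0],
            "proto": fields[1],
            "kx": attrs.get("Kx", ""),
            "au": attrs.get("Au", ""),
            "enc": attrs.get("Enc", ""),
            "mac": attrs.get("Mac", ""),
            "export": "export" in fields[2:],
        })
    return ciphers


def discard_reasons(c):
    """Return the mandatory-discard classes (see the list above) a cipher falls in."""
    reasons = []
    if c["au"] == "None":
        reasons.append("aNULL")      # unauthenticated key exchange
    if c["enc"] == "None":
        reasons.append("eNULL")      # no encryption
    if c["export"] or c["name"].startswith("EXP-"):
        reasons.append("EXPORT")
    if c["enc"].startswith("DES("):
        reasons.append("DES")        # single DES only; 3DES prints as 3DES(168)
    if c["proto"] == "SSLv2":
        reasons.append("SSLv2")
    if c["mac"] == "MD5":
        reasons.append("MD5")
    return reasons


def is_pfs(c):
    # Ephemeral exchanges print as Kx=ECDH or Kx=DH; static DH prints as
    # Kx=DH/RSA, Kx=ECDH/ECDSA, etc. Anonymous DH (Au=None) is not counted.
    return c["kx"] in ("ECDH", "DH") and c["au"] != "None"


def audit(listing):
    """Summarize how a cipher listing compares with the rules on this page."""
    ciphers = parse_ciphers(listing)
    discard = {}
    for c in ciphers:
        reasons = discard_reasons(c)
        if reasons:
            discard[c["name"]] = reasons
    non_pfs = [c["rank"] for c in ciphers if not is_pfs(c)]
    aes = [c for c in ciphers if c["enc"].startswith("AES")]
    first = ciphers[0] if ciphers else None
    return {
        # ciphers that must not be offered at all
        "discard": discard,
        # rule 1: the top choice is ECDHE with AES-GCM
        "first_is_ecdhe_aesgcm": bool(first) and first["kx"] == "ECDH"
                                 and first["enc"].startswith("AESGCM"),
        # rule 3: the first AES cipher uses a 128-bit key
        "first_aes_is_128": bool(aes)
                            and re.search(r"\((\d+)\)", aes[0]["enc"]).group(1) == "128",
        # rule 2: how far down the list a client must go before losing PFS
        "first_non_pfs_rank": non_pfs[0] if non_pfs else None,
        # rule 5: RC4 entries still present, to track on the path to removal
        "rc4": [c["name"] for c in ciphers if c["enc"].startswith("RC4")],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

To audit a real configuration, pass the text printed by `openssl ciphers -v '<ciphersuite>'` to `audit()` instead of `SAMPLE`.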

Forward Secrecy

The concept of forward secrecy is simple: client and server negotiate a key that never hits the wire, and is destroyed at the end of the session. The RSA private key of the server is used to sign a Diffie-Hellman key exchange between the client and the server. The pre-master key obtained from the Diffie-Hellman handshake is then used for encryption. Since the pre-master key is specific to a connection between a client and a server, and used only for a limited amount of time, it is called ephemeral.

With Forward Secrecy, if an attacker gets a hold of the server's private key, it will not be able to decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a MITM.

DHE handshake and dhparam

When an ephemeral Diffie-Hellman cipher is used, the server and the client negotiate a pre-master key using the Diffie-Hellman algorithm. This algorithm requires that the server sends the client a prime number and a generator. Neither is confidential, and both are sent in clear text. However, they must be signed, such that a MITM cannot hijack the handshake.

As an example, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 works as follows:

  1. Server sends Client a [SERVER KEY EXCHANGE] message during the SSL Handshake. The message contains:
    1. Prime number p
    2. Generator g
    3. Server's Diffie-Hellman public value A = g^X mod p, where X is a private integer chosen by the server at random, and never shared with the client.
    4. signature S of the above (plus two random values) computed using the Server's private RSA key
  2. Client verifies the signature S
  3. Client sends server a [CLIENT KEY EXCHANGE] message. The message contains:
    1. Client's Diffie-Hellman public value B = g^Y mod p, where Y is a private integer chosen at random and never shared.
  4. The Server and the Client can now calculate the pre-master secret using each other's public values:
    1. server calculates PMS = B^X mod p
    2. client calculates PMS = A^Y mod p
  5. Client sends a [CHANGE CIPHER SPEC] message to the server, and both parties continue the handshake using ENCRYPTED HANDSHAKE MESSAGES

The size of the prime number p constrains the size of the pre-master key PMS, because of the modulo operation. A smaller prime also means weaker values of A and B, which could leak the secret values X and Y. Thus, the prime p should not be smaller than the size of the RSA private key.

$ openssl dhparam 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
..+..+...............+
-----BEGIN DH PARAMETERS-----
MBYCEQCHU6UNZoHMF6bPtj21Hn/bAgEC.....
......
-----END DH PARAMETERS-----
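
The handshake steps above can be followed end to end in a few lines of code. This is an added example, not part of the original page: it uses deliberately tiny toy parameters (a 127-bit DH prime and a roughly 150-bit textbook RSA key without padding) so that it runs instantly, and every name in it is an assumption made for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumptions for illustration, far too small for real use).
P = 2**127 - 1                         # DH prime p; real servers use 2048 bits
G = 3                                  # DH generator g
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1    # toy primes of the server's RSA key
RSA_N = RSA_P * RSA_Q                  # public modulus (in the certificate)
RSA_E = 65537                          # public exponent
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # private exponent


def params_digest(client_random, server_random, p, g, pub):
    """Hash of the two random values plus p, g and the server's public value."""
    data = client_random + server_random + b"|".join(str(v).encode() for v in (p, g, pub))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N


def server_key_exchange(client_random, server_random):
    """Step 1: server picks X and sends p, g, A = g^X mod p and signature S."""
    x = secrets.randbelow(P - 3) + 2              # private X, never sent
    a = pow(G, x, P)
    # Textbook RSA signature (no padding), for illustration only.
    s = pow(params_digest(client_random, server_random, P, G, a), RSA_D, RSA_N)
    return x, {"p": P, "g": G, "A": a, "S": s}


def client_verify(msg, client_random, server_random):
    """Step 2: client checks S against the parameters it actually received."""
    expected = params_digest(client_random, server_random, msg["p"], msg["g"], msg["A"])
    return pow(msg["S"], RSA_E, RSA_N) == expected


def client_key_exchange(msg):
    """Step 3: client picks Y and sends B = g^Y mod p."""
    y = secrets.randbelow(msg["p"] - 3) + 2       # private Y, never sent
    return y, {"B": pow(msg["g"], y, msg["p"])}


def handshake(tamper=False):
    """Run steps 1-4. Returns (PMS at server, PMS at client), or None on abort."""
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    x, ske = server_key_exchange(client_random, server_random)
    if tamper:
        # Parameters altered in transit: the signature no longer matches them.
        ske = dict(ske, p=2**61 - 1)
    if not client_verify(ske, client_random, server_random):
        return None                               # client aborts the handshake
    y, cke = client_key_exchange(ske)
    pms_server = pow(cke["B"], x, P)              # step 4.1: PMS = B^X mod p
    pms_client = pow(ske["A"], y, ske["p"])       # step 4.2: PMS = A^Y mod p
    # X and Y go out of scope here: nothing long-lived can recompute the PMS.
    return pms_server, pms_client


if __name__ == "__main__":
    server_pms, client_pms = handshake()
    print("PMS match:", server_pms == client_pms)
    print("PMS bits :", server_pms.bit_length(), "(bounded by the size of p)")
    print("tampered :", handshake(tamper=True))
```

The pre-master secret is always smaller than p, which is why the size of the prime bounds the size of the secret.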

OCSP Stapling

When connecting to a server, clients should verify the validity of the server certificate using either a Certificate Revocation List (CRL), or an Online Certificate Status Protocol (OCSP) record. The problem with CRLs is that the lists have grown huge and take forever to download.

OCSP is much more lightweight, as only one record is retrieved at a time. But the side effect is that OCSP requests must be made to a 3rd party OCSP responder when connecting to a server, which adds latency and potential failures. In fact, the OCSP responders operated by CAs are often so unreliable that browsers will fail silently if no response is received in a timely manner. This reduces security, by allowing an attacker to DoS an OCSP responder to disable the validation.

The solution is to allow the server to send its cached OCSP record during the TLS handshake, therefore bypassing the OCSP responder. This mechanism saves a roundtrip between the client and the OCSP responder, and is called OCSP Stapling.

The server will send a cached OCSP response only if the client requests it, by announcing support for the status_request TLS extension in its CLIENT HELLO.

Most servers will cache OCSP responses for up to 48 hours. At regular intervals, the server will connect to the OCSP responder of the CA to retrieve a fresh OCSP record. The location of the OCSP responder is taken from the Authority Information Access field of the signed certificate. For example, with StartSSL:

Authority Information Access: 
      OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca

Support for OCSP Stapling can be tested using the -status option of the OpenSSL client.

$ openssl s_client -connect monitor.mozillalabs.com:443 -status
...
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
...
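
For monitoring, the output of `openssl s_client -status` can be parsed to confirm that a staple was sent, that it reports a good certificate, and that it has not expired. This is an added example, not part of the original page: the function names and return codes are assumptions, and both sample outputs are constructed rather than captured from a server.

```python
import re
from datetime import datetime, timezone

# Constructed samples in the format printed by `openssl s_client -status`.
STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Produced At: Oct 12 08:00:00 2013 GMT
    Cert Status: good
    This Update: Oct 12 08:00:00 2013 GMT
    Next Update: Oct 14 08:00:00 2013 GMT
"""
NOT_STAPLED = "CONNECTED(00000003)\nOCSP response: no response sent\n"

FIELD_RE = re.compile(
    r"^[ \t]*(OCSP Response Status|Cert Status|This Update|Next Update):"
    r"[ \t]*(.+?)[ \t]*$",
    re.M,
)


def parse_time(value):
    """Parse an OpenSSL timestamp such as 'Oct 12 08:00:00 2013 GMT'."""
    # OpenSSL pads single-digit days with an extra space; collapse it first.
    normalized = " ".join(value.split())
    parsed = datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def check_staple(s_client_output, now):
    """Return (ok, reason) for the stapled OCSP response found in the output.

    `now` is a timezone-aware datetime, passed in so that the check can be
    tested against fixed sample data.
    """
    if "OCSP response: no response sent" in s_client_output:
        return False, "no_staple"            # server did not staple anything
    fields = dict(FIELD_RE.findall(s_client_output))
    status = fields.get("OCSP Response Status")
    if status is None:
        return False, "no_ocsp_data"         # e.g. the connection failed
    if not status.startswith("successful"):
        return False, "responder_error"      # staple carries an error status
    if fields.get("Cert Status") != "good":
        return False, "cert_not_good"        # revoked or unknown
    if "Next Update" not in fields or parse_time(fields["Next Update"]) <= now:
        return False, "expired"              # server is serving a stale cache
    if "This Update" in fields and parse_time(fields["This Update"]) > now:
        return False, "not_yet_valid"        # clock skew or bad response
    return True, "ok"


if __name__ == "__main__":
    sample_now = datetime(2013, 10, 13, 12, 0, tzinfo=timezone.utc)
    print("stapled    :", check_staple(STAPLED, sample_now))
    print("not stapled:", check_staple(NOT_STAPLED, sample_now))
```

A stale staple is the case worth alerting on: the server has stapling enabled but has failed to refresh its cached record from the CA's responder.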

Recommended Server Configurations

Nginx

Nginx provides the best TLS support at the moment. It is the only daemon that provides OCSP Stapling, custom DH parameters, and the full flavor of TLS versions (from OpenSSL).

The detail of each configuration parameter, and how to build a recent Nginx with OpenSSL, is at the end of this document.

server {
    listen 443;
    ssl on;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers '<recommended ciphersuite from top of this page>';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
 
    # Enable this if you want HSTS (recommended, but be careful)
    # add_header Strict-Transport-Security max-age=15768000;
 
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    resolver <IP DNS resolver>;
 
    ....
}

Apache

Originally published on https://www.insecure.ws/2013/10/11/ssltls-configuration-for-apache-mod_ssl/

OCSP Stapling is only available in httpd 2.3.3 and later.

In Apache 2.4.6, the DH parameter is always set to 1024 bits and is not user configurable. Future versions of Apache will automatically select a better value for the DH parameter. The configuration below is recommended.

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate
    SSLCertificateChainFile /path/to/intermediate_certificate
    SSLCertificateKeyFile   /path/to/private/key
    SSLCACertificateFile    /path/to/all_ca_certs
    SSLProtocol             all -SSLv2
    SSLCipherSuite          <recommended ciphersuite from top of this page>
    SSLHonorCipherOrder     on
    SSLCompression          off

    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache        shmcb:/var/run/ocsp(128000)
 
    # Enable this if you want HSTS (recommended, but be careful)
    # Header add Strict-Transport-Security "max-age=15768000"
 
    ...
</VirtualHost>

Haproxy

SSL support in Haproxy is still Beta and shouldn't be used to terminate production SSL traffic. Haproxy lacks support for OCSP Stapling. All other features are available, including custom dhparams.

frontend ft_test
  mode    http
  bind    0.0.0.0:443 ssl crt /path/to/<cert+privkey+intermediate+dhparam> ciphers <recommended_ciphersuite>
  # Enable this if you want HSTS (recommended, but be careful)
  # rspadd  Strict-Transport-Security:\ max-age=15768000

Stud

Stud is a lightweight SSL termination proxy. It's basically a wrapper for OpenSSL. Stud is not being heavily developed, and features such as OCSP stapling are missing. But it is very lightweight and efficient, and with a recent openssl, supports all the TLS 1.2 ciphers.

# SSL x509 certificate file. REQUIRED.
# List multiple certs to use SNI. Certs are used in the order they
# are listed; the last cert listed will be used if none of the others match
#
# type: string
pem-file = "<concatenate cert + privkey + dhparam>"
 
# SSL protocol.
#
tls = on
ssl = on
 
# List of allowed SSL ciphers.
#
# Run openssl ciphers for list of available ciphers.
# type: string
ciphers = "<recommended ciphersuite from top of this page>"
 
# Enforce server cipher list order
#
# type: boolean
prefer-server-ciphers = on

Amazon Web Services Elastic Load Balancer (AWS ELB)

The ELB service supports TLS 1.2 and cipher ordering. It lacks support for custom DH parameters and OCSP Stapling.

The default configuration of ELBs has sane settings that can be customized in the Web Console or via the API. We do still recommend that you enforce the ciphersuite using this script: https://github.com/mozilla/identity-ops/blob/master/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py

If you want better control over TLS than ELB provides, another option in AWS is to terminate SSL on HAproxy, using the PROXY protocol between ELB and HAproxy. http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt

Zeus Load Balancer (Riverbed Stingray)

ZLB supports TLS1.1 and OCSP Stapling. It lacks support for TLS 1.2, Elliptic Curves and AES-GCM. ZLB takes only one global ciphersuite for all sites it manages. However, the OCSP Stapling setting is configurable per-site.

The recommended prioritization is:

  1. DHE-RSA-AES128-SHA
  2. DHE-RSA-AES256-SHA
  3. AES128-SHA
  4. AES256-SHA
  5. RC4-SHA

The following string can be used directly in the ZLB configuration, under global settings > ssl3_ciphers (see capture below):

SSL_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA

[Screenshot: the ssl3_ciphers field under the ZLB global settings]

While the recommended DH prime size is 2048, problems with client libraries, such as Java 6, make this impossible to deploy for now. Therefore, a DH prime of 1024 bits should be used until all clients are compatible with larger primes.

Citrix Netscaler

There is an issue with Netscaler's TLS1.2 and DHE ciphers. When DHE is used, the TLS handshake fails with a fatal 'Decode error'. TLS1.2 works fine with AES and RC4 ciphers.

Netscaler documentation is at http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-ssl-supported-ciphers-list-ref.html

The configuration sample below shows how a default ciphersuite object can be created and attached to a vserver.

First, create a default ciphersuite that can be used in all vservers.

> add ssl cipher MozillaDefault
> bind ssl cipher MozillaDefault -cipherName TLS1-AES-128-CBC-SHA
> bind ssl cipher MozillaDefault -cipherName TLS1-AES-256-CBC-SHA
> bind ssl cipher MozillaDefault -cipherName SSL3-RC4-SHA
> bind ssl cipher MozillaDefault -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
> bind ssl cipher MozillaDefault -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
> bind ssl cipher MozillaDefault -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
> bind ssl cipher MozillaDefault -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA

Second, create a DH parameter. If backward compatibility with Java 6 isn't needed, use 2048 instead of 1024.

> create ssl dhparam /nsconfig/ssl/dh1024.pem 1024 -gen 5

Third, configure the vserver to use the default ciphersuite and DH parameter.

> add ssl certKey <domain> -cert <cert> -key <key>
> add ssl certKey <intermediateCertName> -cert <intermediateCertName>
> link ssl certKey <domain> <intermediateCertName>
> set ssl vserver <domain>:https -eRSA ENABLED
> bind ssl vserver <domain>:https -cipherName MozillaDefault
> set ssl vserver <domain>:https -dh ENABLED -dhFile /nsconfig/ssl/dh1024.pem -dhCount 1000

The resulting configuration can be viewed with 'show ssl'

> show ssl vserver marketplace.firefox.com:https

    Advanced SSL configuration for VServer marketplace.firefox.com:https:
    DH: ENABLED    DHParam File: /nsconfig/ssl/dh1024.pem    Refresh Count: 1000
    Ephemeral RSA: ENABLED        Refresh Count: 0
    Session Reuse: ENABLED        Timeout: 120 seconds
    Cipher Redirect: DISABLED
    SSLv2 Redirect: DISABLED
    ClearText Port: 0
    Client Auth: DISABLED
    SSL Redirect: DISABLED
    Non FIPS Ciphers: DISABLED
    SNI: DISABLED
    SSLv2: DISABLED    SSLv3: ENABLED    TLSv1: ENABLED
    Push Encryption Trigger: Always
    Send Close-Notify: YES

1)    CertKey Name: marketplace.mozilla.org.san    Server Certificate
1)    Cipher Name: MozillaSecure    Description: User Created Cipher Group

CipherScan

See https://github.com/jvehent/cipherscan

Cipherscan is a small Bash script that connects to a target and lists the preferred ciphers. It's an easy way to test a web server for available ciphers, but not as comprehensive as SSLLabs.

The example below shows the expected output of CipherScan with the recommended ciphersuite.

$ ./CiphersScan.sh jve.linuxwall.info:443
prio  ciphersuite                  protocol  pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2   ECDH,P-256,256bits
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2   ECDH,P-256,256bits
3     DHE-RSA-AES256-GCM-SHA384    TLSv1.2   DH,2048bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2   DH,2048bits
5     ECDHE-RSA-AES128-SHA256      TLSv1.2   ECDH,P-256,256bits
6     ECDHE-RSA-AES128-SHA         TLSv1.2   ECDH,P-256,256bits
7     ECDHE-RSA-AES256-SHA384      TLSv1.2   ECDH,P-256,256bits
8     ECDHE-RSA-AES256-SHA         TLSv1.2   ECDH,P-256,256bits
9     DHE-RSA-AES128-SHA256        TLSv1.2   DH,2048bits
10    DHE-RSA-AES128-SHA           TLSv1.2   DH,2048bits
11    DHE-RSA-AES256-SHA256        TLSv1.2   DH,2048bits
12    AES128-GCM-SHA256            TLSv1.2
13    AES256-GCM-SHA384            TLSv1.2
14    ECDHE-RSA-RC4-SHA            TLSv1.2   ECDH,P-256,256bits
15    RC4-SHA                      TLSv1.2
16    DHE-RSA-AES256-SHA           TLSv1.2   DH,2048bits
17    DHE-RSA-CAMELLIA256-SHA      TLSv1.2   DH,2048bits
18    AES256-SHA256                TLSv1.2
19    AES256-SHA                   TLSv1.2
20    CAMELLIA256-SHA              TLSv1.2
21    DHE-RSA-CAMELLIA128-SHA      TLSv1.2   DH,2048bits
22    AES128-SHA256                TLSv1.2
23    AES128-SHA                   TLSv1.2
24    CAMELLIA128-SHA              TLSv1.2

SSL Labs (Qualys)

Available here: https://www.ssllabs.com/ssltest/

Qualys SSL Labs provides a comprehensive SSL testing suite.

GlobalSign has a modified interface of SSL Labs that is interesting as well: https://sslcheck.globalsign.com/

Appendices

Supported ciphers on various systems

On a variety of ~900 systems (RHEL5 & 6, CentOS 5 & 6 and Ubuntu), the following versions of OpenSSL were found:

37 OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
35 OpenSSL 0.9.8k 25 Mar 2009
777 OpenSSL 1.0.0-fips 29 Mar 2010
18 OpenSSL 1.0.1 14 Mar 2012

The recommended ciphersuite was tested on each system. The list below shows the ciphersuites supported by all tested systems. However old your setup may be, it is safe to assume that the following ciphers are going to be available:

  • RC4-SHA
  • DHE-RSA-AES128-SHA
  • DHE-RSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DHE-DSS-AES128-SHA
  • DHE-DSS-AES256-SHA

Attacks on TLS

BEAST CVE-2011-3389

BEAST is a vulnerability in the Initialization Vector (IV) of the CBC mode of AES, Camellia and a few other ciphers that use CBC mode. The attack allows a MITM attacker to recover plaintext values by encrypting the same message multiple times.

BEAST is mitigated in TLS1.1 and above.

more: https://blog.torproject.org/blog/tor-and-beast-ssl-attack

LUCKY13

Lucky13 is another attack on CBC mode that listens for padding checks to decrypt ciphertext.

more: https://www.imperialviolet.org/2013/02/04/luckythirteen.html

RC4 weaknesses

It has been proven that RC4 biases in the first 256 bytes of a cipherstream can be used to recover encrypted text. If the same data is encrypted a very large number of times, then an attacker can apply statistical analysis to the results and recover the encrypted text. While hard to perform, this attack shows that it is time to remove RC4 from the list of trusted ciphers.

In a public discussion ([bug 927045]), it has been recommended to replace RC4 with 3DES. This would impact Internet Explorer 7 and 8 users that, depending on the OS, do not support AES, and will negotiate only RC4 or 3DES ciphers. Internet Explorer uses the cryptographic library “schannel”, which is OS dependent. schannel supports AES in Windows Vista, but not in Windows XP.

While 3DES provides more resistant cryptography, it is also 30 times slower and more CPU intensive than RC4. For large web infrastructure, the CPU cost of replacing RC4 with 3DES is non-zero. For this reason, we recommend that administrators evaluate their traffic patterns, and make the decision of replacing RC4 with 3DES on a per-case basis.

For information, the following ciphersuite replaces RC4 with 3DES:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

CRIME CVE-2012-4929

The root cause of the problem is information leakage that occurs when data is compressed prior to encryption. If someone can repeatedly inject and mix arbitrary content with some sensitive and relatively predictable data, and observe the resulting encrypted stream, then he will be able to extract the unknown data from it.

more: https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls

BREACH

This is a more complex attack than CRIME, which does not require TLS-level compression (it still needs HTTP-level compression).

To be successful, the attack requires the target application to:

  1. Be served from a server that uses HTTP-level compression
  2. Reflect user-input in HTTP response bodies
  3. Reflect a secret (such as a CSRF token) in HTTP response bodies

more: http://breachattack.com/

SPDY

(see also http://en.wikipedia.org/wiki/SPDY and http://www.chromium.org/spdy/spdy-protocol)

SPDY is a protocol that incorporates TLS and attempts to reduce latency when loading pages. It is currently not an HTTP standard (albeit it is being drafted for HTTP 2.0), but is widely supported.

SPDY version 3 is vulnerable to the CRIME attack (see also http://zoompf.com/2012/09/explaining-the-crime-weakness-in-spdy-and-ssl) - this is due to the use of compression. Clients currently implement a non-standard hack with gzip in order to circumvent the vulnerability. SPDY version 4 is planned to include a proper fix.

TLS tickets (RFC 5077)

Once a TLS handshake has been negotiated between the server and the client, both may exchange a session ticket, which contains an AES-CBC 128-bit key that can decrypt the session. This key is generally static and only regenerated when the web server is restarted (with recent versions of Apache, it's stored in a file and also kept upon restarts).

The current work-around is to disable RFC 5077 support.

more: https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf

Nginx configuration details

Originally published on Julien Vehent's blog at https://jve.linuxwall.info/blog/index.php?post/2013/10/12/A-grade-SSL/TLS-with-Nginx-and-StartSSL

Building Nginx

To build Nginx from source, you will need a copy of the PCRE and OpenSSL libraries:

Decompress both libraries next to the Nginx source code:

julien@sachiel:~/nginx_openssl$ ls
build_static_nginx.sh  nginx  openssl-1.0.1e  pcre-8.33

The script build_static_nginx.sh takes care of the rest. It should work out of the box, but you might have to edit the paths if you have different versions of the libraries. It builds a static version of OpenSSL into Nginx, so you don't have to install the OpenSSL libraries afterward.

#!/usr/bin/env bash
export BPATH=$(pwd)
export STATICLIBSSL="$BPATH/staticlibssl"

#-- Build static openssl
cd $BPATH/openssl-1.0.1e
rm -rf "$STATICLIBSSL"
mkdir "$STATICLIBSSL"
make clean
./config --prefix=$STATICLIBSSL no-shared enable-ec_nistp_64_gcc_128 \
&& make depend \
&& make \
&& make install_sw

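#-- Build nginx
# Clone from the build root (not the OpenSSL directory) if the sources are not already there
cd $BPATH
[ -d nginx ] || hg clone http://hg.nginx.org/nginx
cd $BPATH/nginx
mkdir -p $BPATH/opt/nginx
hg pull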
./auto/configure --with-cc-opt="-I $STATICLIBSSL/include -I/usr/include" \
--with-ld-opt="-L $STATICLIBSSL/lib -Wl,-rpath -lssl -lcrypto -ldl -lz" \
--prefix=$BPATH/opt/nginx \
--with-pcre=$BPATH/pcre-8.33 \
--with-http_ssl_module \
--with-http_spdy_module \
--with-file-aio \
--with-ipv6 \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
&& make && make install
NGINXBIN=$BPATH/opt/nginx/sbin/nginx
if [ -x $NGINXBIN ]; then
    $NGINXBIN -V
    echo -e "\nNginx binary built in $BPATH/opt/nginx/sbin/nginx\n"
fi

Server Name Indication

Support for SNI is built into recent versions of nginx. Use nginx -V to check:

# /opt/nginx -V
...
TLS SNI support enabled
...

Configuration directives

ssl_certificate

This parameter points to a file that contains the server and intermediate certificates, concatenated together. Nginx loads that file and sends its content in the SERVER HELLO message during the handshake.

ssl_certificate_key

This is the path to the private key.

ssl_dhparam

Nginx lets you specify the prime number you want the server to send to the client in the ssl_dhparam directive. The prime number is sent by the server to the client in the Server Key Exchange message of the handshake. To generate the dhparam, use openssl dhparam 2048 (or any appropriate size).

A word of warning though, it appears that Java 6 does not support dhparam larger than 1024 bits. Clients that use Java 6 won't be able to connect to your site if you use a larger dhparam.

ssl_session_timeout

When a client connects multiple times to a server, the server uses session caching to accelerate the subsequent handshakes, effectively reusing the session key generated in the first handshake multiple times. This is called session resumption. This parameter sets the session timeout to 5 minutes, meaning that the session key will be deleted from the cache if not used for 5 minutes.

ssl_session_cache

The session cache is a shared memory that contains all the session keys. All the Nginx workers can access the shared memory. It is used for session resumption, and significantly reduces handshake latency when one client connects multiple times.

ssl_protocols

List the versions of TLS you wish to support. Remember that clients are not only web browsers, but also libraries that might be used to crawl your site.

ssl_ciphers

Takes the recommended ciphersuite as a single-quoted argument.

ssl_prefer_server_ciphers

This parameter forces nginx to pick the preferred cipher from its own ciphersuite, as opposed to using the one preferred by the client. This is an important option since most clients have unsafe or outdated preferences, and you'll most likely provide better security by enforcing a strong cipher server-side.

HTTP Strict Transport Security

HSTS is an HTTP header that tells clients to connect to the site using HTTPS only. It enforces security by telling clients that any HTTP URL to a given site should be ignored. The directive is cached on the client side for the duration of max-age.

ssl_stapling

Nginx supports OCSP stapling in two modes. The OCSP file can be downloaded and made available to nginx, or nginx itself can retrieve the OCSP record and cache it. The second mode is recommended.

ssl_stapling_verify

Nginx has the ability to verify the OCSP record before caching it. To enable it, a list of trusted certificates must be available in the ssl_trusted_certificate parameter.

ssl_trusted_certificate

This is a path to a file where CA certificates are concatenated. For ssl_stapling_verify to work, this file must contain the Root CA cert and the Intermediate CA certificates.

resolver

Nginx needs a DNS resolver to obtain the IP address of the OCSP responder.
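The directives above depend on each other (stapling needs a resolver, stapling verification needs the trusted CA file), and the TLS tickets section recommends disabling RFC 5077. The following audit script is an added example, not part of the original page or of Mozilla's tooling. It checks an nginx configuration against those points. The sample configurations, file paths, max-age value and resolver address are constructed, the parser ignores block nesting, and ssl_session_tickets is an nginx directive that this page does not mention.

```python
import re

# Constructed sample (not from the page): several recommendations are missing.
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_certificate     /path/to/cert_and_intermediates.pem;
    ssl_certificate_key /path/to/private.key;
    ssl_session_cache   shared:SSL:50m;
    ssl_ciphers         HIGH:RC4-SHA;
    ssl_stapling        on;
    ssl_stapling_verify on;
}
"""

# Constructed sample: every directive described in this section is set.
GOOD_CONF = """
server {
    listen 443 ssl;
    ssl_certificate           /path/to/cert_and_intermediates.pem;
    ssl_certificate_key       /path/to/private.key;
    ssl_dhparam               /path/to/dhparam.pem;
    ssl_session_timeout       5m;
    ssl_session_cache         shared:SSL:50m;
    ssl_session_tickets       off;   # assumption: nginx switch for RFC 5077 tickets
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers               'ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    add_header                Strict-Transport-Security "max-age=15768000";
    ssl_stapling              on;
    ssl_stapling_verify       on;
    ssl_trusted_certificate   /path/to/root_and_intermediates.pem;
    resolver                  192.0.2.53;
}
"""

# Comments, quoted arguments, structural characters, bare words (in that order).
TOKEN = re.compile(r"""#[^\n]*|'[^']*'|"[^"]*"|[{};]|[^\s{};'"#]+""")

# Exclusions that close the page's recommended ciphersuite.
REQUIRED_EXCLUSIONS = ("!aNULL", "!eNULL", "!EXPORT", "!DES", "!3DES", "!MD5", "!PSK")


def parse_directives(text):
    """Return {directive: [argument lists]}, flattened across all blocks."""
    directives, current = {}, []
    for tok in TOKEN.findall(text):
        if tok.startswith("#"):
            continue                      # comment: ignore to end of line
        if tok in ("{", "}"):
            current = []                  # block header such as "server" is not a directive
        elif tok == ";":
            if current:
                directives.setdefault(current[0], []).append(current[1:])
            current = []
        else:
            current.append(tok[1:-1] if tok[0] in "'\"" else tok)
    return directives


def args(directives, name):
    """Arguments of the last occurrence of a directive, or None if it is absent."""
    return directives[name][-1] if name in directives else None


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []
    for name in ("ssl_certificate", "ssl_certificate_key", "ssl_dhparam",
                 "ssl_session_timeout", "ssl_protocols"):
        if args(d, name) is None:
            findings.append(f"{name}: not set")
    if not any(a.startswith("shared:") for a in (args(d, "ssl_session_cache") or [])):
        findings.append("ssl_session_cache: no shared cache for session resumption")
    if args(d, "ssl_session_tickets") != ["off"]:
        findings.append("ssl_session_tickets: RFC 5077 session tickets are not disabled")
    ciphers = (args(d, "ssl_ciphers") or [""])[0].split(":")
    missing = [x for x in REQUIRED_EXCLUSIONS if x not in ciphers]
    if missing:
        findings.append("ssl_ciphers: missing exclusions " + " ".join(missing))
    if args(d, "ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers: client cipher preference is used")
    hsts = [a for a in d.get("add_header", [])
            if a and a[0].lower() == "strict-transport-security"]
    if not any(len(a) > 1 and "max-age=" in a[1] for a in hsts):
        findings.append("add_header: no Strict-Transport-Security header with max-age")
    if args(d, "ssl_stapling") == ["on"] and args(d, "resolver") is None:
        findings.append("resolver: needed to look up the OCSP responder")
    if args(d, "ssl_stapling_verify") == ["on"] and args(d, "ssl_trusted_certificate") is None:
        findings.append("ssl_trusted_certificate: required by ssl_stapling_verify")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(label, audit(conf) or "no findings")
```

Because the parser flattens contexts, a directive set in one server block satisfies the check for all of them; run it per virtual host file for an accurate result.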

Cipher names correspondence table

IANA, OpenSSL and GnuTLS use different naming for the same ciphers. The table below matches some of these ciphers:

hex value IANA OpenSSL GnuTLS NSS
0x00,0x00 TLS_NULL_WITH_NULL_NULL SSL_NULL_WITH_NULL_NULL
0x00,0x01 TLS_RSA_WITH_NULL_MD5 NULL-MD5 TLS_RSA_NULL_MD5 SSL_RSA_WITH_NULL_MD5
0x00,0x02 TLS_RSA_WITH_NULL_SHA NULL-SHA TLS_RSA_NULL_SHA1 SSL_RSA_WITH_NULL_SHA
0x00,0x03 TLS_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5 TLS_RSA_EXPORT_ARCFOUR_40_MD5 SSL_RSA_EXPORT_WITH_RC4_40_MD5
0x00,0x04 TLS_RSA_WITH_RC4_128_MD5 RC4-MD5 TLS_RSA_ARCFOUR_MD5 SSL_RSA_WITH_RC4_128_MD5
0x00,0x05 TLS_RSA_WITH_RC4_128_SHA RC4-SHA TLS_RSA_ARCFOUR_SHA1 SSL_RSA_WITH_RC4_128_SHA
0x00,0x06 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5 SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
0x00,0x07 TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA SSL_RSA_WITH_IDEA_CBC_SHA
0x00,0x08 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
0x00,0x09 TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA SSL_RSA_WITH_DES_CBC_SHA
0x00,0x0A TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA TLS_RSA_3DES_EDE_CBC_SHA1
0x00,0x0B TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
0x00,0x0C TLS_DH_DSS_WITH_DES_CBC_SHA
0x00,0x0D TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
0x00,0x0E TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
0x00,0x0F TLS_DH_RSA_WITH_DES_CBC_SHA
0x00,0x10 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA
0x00,0x11 TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
0x00,0x12 TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-DES-CBC-SHA SSL_DHE_DSS_WITH_DES_CBC_SHA
0x00,0x13 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA TLS_DHE_DSS_3DES_EDE_CBC_SHA1 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
0x00,0x14 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
0x00,0x15 TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA SSL_DHE_RSA_WITH_DES_CBC_SHA
0x00,0x16 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA TLS_DHE_RSA_3DES_EDE_CBC_SHA1 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
0x00,0x17 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5
0x00,0x18 TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 TLS_DH_ANON_ARCFOUR_MD5 SSL_DH_ANON_WITH_RC4_128_MD5
0x00,0x19 TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA
0x00,0x1A TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
0x00,0x1B TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA TLS_DH_ANON_3DES_EDE_CBC_SHA1
0x00,0x1E TLS_KRB5_WITH_DES_CBC_SHA KRB5-DES-CBC-SHA
0x00,0x1F TLS_KRB5_WITH_3DES_EDE_CBC_SHA KRB5-DES-CBC3-SHA
0x00,0x20 TLS_KRB5_WITH_RC4_128_SHA KRB5-RC4-SHA
0x00,0x21 TLS_KRB5_WITH_IDEA_CBC_SHA KRB5-IDEA-CBC-SHA
0x00,0x22 TLS_KRB5_WITH_DES_CBC_MD5 KRB5-DES-CBC-MD5
0x00,0x23 TLS_KRB5_WITH_3DES_EDE_CBC_MD5 KRB5-DES-CBC3-MD5
0x00,0x24 TLS_KRB5_WITH_RC4_128_MD5 KRB5-RC4-MD5
0x00,0x25 TLS_KRB5_WITH_IDEA_CBC_MD5 KRB5-IDEA-CBC-MD5
0x00,0x26 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA EXP-KRB5-DES-CBC-SHA
0x00,0x27 TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA EXP-KRB5-RC2-CBC-SHA
0x00,0x28 TLS_KRB5_EXPORT_WITH_RC4_40_SHA EXP-KRB5-RC4-SHA
0x00,0x29 TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 EXP-KRB5-DES-CBC-MD5
0x00,0x2A TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 EXP-KRB5-RC2-CBC-MD5
0x00,0x2B TLS_KRB5_EXPORT_WITH_RC4_40_MD5 EXP-KRB5-RC4-MD5
0x00,0x2C TLS_PSK_WITH_NULL_SHA
0x00,0x2D TLS_DHE_PSK_WITH_NULL_SHA
0x00,0x2E TLS_RSA_PSK_WITH_NULL_SHA
0x00,0x2F TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA TLS_RSA_AES_128_CBC_SHA1 TLS_RSA_WITH_AES_128_CBC_SHA
0x00,0x30 TLS_DH_DSS_WITH_AES_128_CBC_SHA TLS_DH_DSS_WITH_AES_128_CBC_SHA
0x00,0x31 TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA
0x00,0x32 TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA TLS_DHE_DSS_AES_128_CBC_SHA1 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
0x00,0x33 TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA TLS_DHE_RSA_AES_128_CBC_SHA1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0x00,0x34 TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA TLS_DH_ANON_AES_128_CBC_SHA1 TLS_DH_ANON_WITH_AES_128_CBC_SHA
0x00,0x35 TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA TLS_RSA_AES_256_CBC_SHA1 TLS_RSA_WITH_AES_256_CBC_SHA
0x00,0x36 TLS_DH_DSS_WITH_AES_256_CBC_SHA TLS_DH_DSS_WITH_AES_256_CBC_SHA
0x00,0x37 TLS_DH_RSA_WITH_AES_256_CBC_SHA TLS_DH_RSA_WITH_AES_256_CBC_SHA
0x00,0x38 TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA TLS_DHE_DSS_AES_256_CBC_SHA1 TLS_DHE_DSS_WITH_AES_256_CBC_SHA
0x00,0x39 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA TLS_DHE_RSA_AES_256_CBC_SHA1 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
0x00,0x3A TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA TLS_DH_ANON_AES_256_CBC_SHA1 TLS_DH_ANON_WITH_AES_256_CBC_SHA
0x00,0x3B TLS_RSA_WITH_NULL_SHA256 NULL-SHA256 TLS_RSA_NULL_SHA256 TLS_RSA_WITH_NULL_SHA256
0x00,0x3C TLS_RSA_WITH_AES_128_CBC_SHA256 AES128-SHA256 TLS_RSA_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
0x00,0x3D TLS_RSA_WITH_AES_256_CBC_SHA256 AES256-SHA256 TLS_RSA_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
0x00,0x3E TLS_DH_DSS_WITH_AES_128_CBC_SHA256
0x00,0x3F TLS_DH_RSA_WITH_AES_128_CBC_SHA256
0x00,0x40 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE-DSS-AES128-SHA256 DES-CBC-MD5 TLS_DHE_DSS_AES_128_CBC_SHA256
0x00,0x41 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128-SHA TLS_RSA_CAMELLIA_128_CBC_SHA1 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
0x00,0x42 TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
0x00,0x43 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
0x00,0x44 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE-DSS-CAMELLIA128-SHA TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
0x00,0x45 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE-RSA-CAMELLIA128-SHA TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
0x00,0x46 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH-CAMELLIA128-SHA TLS_DH_ANON_CAMELLIA_128_CBC_SHA1 TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA
0x00,0x67 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE-RSA-AES128-SHA256 TLS_DHE_RSA_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
0x00,0x68 TLS_DH_DSS_WITH_AES_256_CBC_SHA256
0x00,0x69 TLS_DH_RSA_WITH_AES_256_CBC_SHA256
0x00,0x6A TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE-DSS-AES256-SHA256 TLS_DHE_DSS_AES_256_CBC_SHA256
0x00,0x6B TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE-RSA-AES256-SHA256 TLS_DHE_RSA_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
0x00,0x6C TLS_DH_anon_WITH_AES_128_CBC_SHA256 ADH-AES128-SHA256 TLS_DH_ANON_AES_128_CBC_SHA256
0x00,0x6D TLS_DH_anon_WITH_AES_256_CBC_SHA256 ADH-AES256-SHA256 TLS_DH_ANON_AES_256_CBC_SHA256
0x00,0x84 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256-SHA TLS_RSA_CAMELLIA_256_CBC_SHA1 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
0x00,0x85 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
0x00,0x86 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
0x00,0x87 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE-DSS-CAMELLIA256-SHA TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
0x00,0x88 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE-RSA-CAMELLIA256-SHA TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
0x00,0x89 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH-CAMELLIA256-SHA TLS_DH_ANON_CAMELLIA_256_CBC_SHA1 TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA
0x00,0x8A TLS_PSK_WITH_RC4_128_SHA PSK-RC4-SHA TLS_PSK_SHA_ARCFOUR_SHA1
0x00,0x8B TLS_PSK_WITH_3DES_EDE_CBC_SHA PSK-3DES-EDE-CBC-SHA TLS_PSK_SHA_3DES_EDE_CBC_SHA1
0x00,0x8C TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA TLS_PSK_SHA_AES_128_CBC_SHA1
0x00,0x8D TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA TLS_PSK_SHA_AES_256_CBC_SHA1
0x00,0x8E TLS_DHE_PSK_WITH_RC4_128_SHA TLS_DHE_PSK_SHA_ARCFOUR_SHA1
0x00,0x8F TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1
0x00,0x90 TLS_DHE_PSK_WITH_AES_128_CBC_SHA TLS_DHE_PSK_SHA_AES_128_CBC_SHA1
0x00,0x91 TLS_DHE_PSK_WITH_AES_256_CBC_SHA TLS_DHE_PSK_SHA_AES_256_CBC_SHA1
0x00,0x92 TLS_RSA_PSK_WITH_RC4_128_SHA
0x00,0x93 TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
0x00,0x94 TLS_RSA_PSK_WITH_AES_128_CBC_SHA
0x00,0x95 TLS_RSA_PSK_WITH_AES_256_CBC_SHA
0x00,0x96 TLS_RSA_WITH_SEED_CBC_SHA SEED-SHA TLS_RSA_WITH_SEED_CBC_SHA
0x00,0x97 TLS_DH_DSS_WITH_SEED_CBC_SHA
0x00,0x98 TLS_DH_RSA_WITH_SEED_CBC_SHA
0x00,0x99 TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE-DSS-SEED-SHA
0x00,0x9A TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE-RSA-SEED-SHA
0x00,0x9B TLS_DH_anon_WITH_SEED_CBC_SHA ADH-SEED-SHA
0x00,0x9C TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-GCM-SHA256 TLS_RSA_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
0x00,0x9D TLS_RSA_WITH_AES_256_GCM_SHA384 AES256-GCM-SHA384
0x00,0x9E TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DHE-RSA-AES128-GCM-SHA256 TLS_DHE_RSA_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
0x00,0x9F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHE-RSA-AES256-GCM-SHA384
0x00,0xA0 TLS_DH_RSA_WITH_AES_128_GCM_SHA256
0x00,0xA1 TLS_DH_RSA_WITH_AES_256_GCM_SHA384
0x00,0xA2 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE-DSS-AES128-GCM-SHA256 TLS_DHE_DSS_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
0x00,0xA3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE-DSS-AES256-GCM-SHA384
0x00,0xA4 TLS_DH_DSS_WITH_AES_128_GCM_SHA256
0x00,0xA5 TLS_DH_DSS_WITH_AES_256_GCM_SHA384
0x00,0xA6 TLS_DH_anon_WITH_AES_128_GCM_SHA256 ADH-AES128-GCM-SHA256 TLS_DH_ANON_AES_128_GCM_SHA256
0x00,0xA7 TLS_DH_anon_WITH_AES_256_GCM_SHA384 ADH-AES256-GCM-SHA384
0x00,0xA8 TLS_PSK_WITH_AES_128_GCM_SHA256 TLS_PSK_AES_128_GCM_SHA256
0x00,0xA9 TLS_PSK_WITH_AES_256_GCM_SHA384 TLS_PSK_WITH_AES_256_GCM_SHA384
0x00,0xAA TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 TLS_DHE_PSK_AES_128_GCM_SHA256
0x00,0xAB TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
0x00,0xAC TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
0x00,0xAD TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
0x00,0xAE TLS_PSK_WITH_AES_128_CBC_SHA256 TLS_PSK_AES_128_CBC_SHA256
0x00,0xAF TLS_PSK_WITH_AES_256_CBC_SHA384
0x00,0xB0 TLS_PSK_WITH_NULL_SHA256 TLS_PSK_NULL_SHA256
0x00,0xB1 TLS_PSK_WITH_NULL_SHA384
0x00,0xB2 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 TLS_DHE_PSK_AES_128_CBC_SHA256
0x00,0xB3 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
0x00,0xB4 TLS_DHE_PSK_WITH_NULL_SHA256 TLS_DHE_PSK_NULL_SHA256
0x00,0xB5 TLS_DHE_PSK_WITH_NULL_SHA384
0x00,0xB6 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
0x00,0xB7 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
0x00,0xB8 TLS_RSA_PSK_WITH_NULL_SHA256
0x00,0xB9 TLS_RSA_PSK_WITH_NULL_SHA384
0x00,0xBA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
0x00,0xBB TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256
0x00,0xBC TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256
0x00,0xBD TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256
0x00,0xBE TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
0x00,0xBF TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256
0x00,0xC0 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 DES-CBC3-MD5
0x00,0xC1 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256
0x00,0xC2 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256
0x00,0xC3 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256
0x00,0xC4 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
0x00,0xC5 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
0x00,0xFF TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLS_EMPTY_RENEGOTIATION_INFO_SCSV
0xC0,0x01 TLS_ECDH_ECDSA_WITH_NULL_SHA ECDH-ECDSA-NULL-SHA TLS_ECDH_ECDSA_WITH_NULL_SHA
0xC0,0x02 TLS_ECDH_ECDSA_WITH_RC4_128_SHA ECDH-ECDSA-RC4-SHA TLS_ECDH_ECDSA_WITH_RC4_128_SHA
0xC0,0x03 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ECDH-ECDSA-DES-CBC3-SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
0xC0,0x04 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ECDH-ECDSA-AES128-SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
0xC0,0x05 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ECDH-ECDSA-AES256-SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
0xC0,0x06 TLS_ECDHE_ECDSA_WITH_NULL_SHA ECDHE-ECDSA-NULL-SHA TLS_ECDHE_ECDSA_NULL_SHA1 TLS_ECDHE_ECDSA_WITH_NULL_SHA
0xC0,0x07 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ECDHE-ECDSA-RC4-SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
0xC0,0x08 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE-ECDSA-DES-CBC3-SHA TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
0xC0,0x09 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE-ECDSA-AES128-SHA TLS_ECDHE_ECDSA_AES_128_CBC_SHA1 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
0xC0,0x0A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE-ECDSA-AES256-SHA TLS_ECDHE_ECDSA_AES_256_CBC_SHA1 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
0xC0,0x0B TLS_ECDH_RSA_WITH_NULL_SHA ECDH-RSA-NULL-SHA TLS_ECDH_RSA_WITH_NULL_SHA
0xC0,0x0C TLS_ECDH_RSA_WITH_RC4_128_SHA ECDH-RSA-RC4-SHA TLS_ECDH_RSA_WITH_RC4_128_SHA
0xC0,0x0D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ECDH-RSA-DES-CBC3-SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
0xC0,0x0E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA ECDH-RSA-AES128-SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
0xC0,0x0F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA ECDH-RSA-AES256-SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
0xC0,0x10 TLS_ECDHE_RSA_WITH_NULL_SHA ECDHE-RSA-NULL-SHA TLS_ECDHE_RSA_NULL_SHA1 TLS_ECDHE_RSA_WITH_NULL_SHA
0xC0,0x11 TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDHE-RSA-RC4-SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA
0xC0,0x12 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE-RSA-DES-CBC3-SHA TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
0xC0,0x13 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE-RSA-AES128-SHA TLS_ECDHE_RSA_AES_128_CBC_SHA1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
0xC0,0x14 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE-RSA-AES256-SHA TLS_ECDHE_RSA_AES_256_CBC_SHA1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0xC0,0x15 TLS_ECDH_anon_WITH_NULL_SHA AECDH-NULL-SHA TLS_ECDH_ANON_NULL_SHA1 TLS_ECDH_anon_WITH_NULL_SHA
0xC0,0x16 TLS_ECDH_anon_WITH_RC4_128_SHA AECDH-RC4-SHA TLS_ECDH_anon_WITH_RC4_128_SHA
0xC0,0x17 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA AECDH-DES-CBC3-SHA TLS_ECDH_ANON_3DES_EDE_CBC_SHA1 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
0xC0,0x18 TLS_ECDH_anon_WITH_AES_128_CBC_SHA AECDH-AES128-SHA TLS_ECDH_ANON_AES_128_CBC_SHA1 TLS_ECDH_anon_WITH_AES_128_CBC_SHA
0xC0,0x19 TLS_ECDH_anon_WITH_AES_256_CBC_SHA AECDH-AES256-SHA TLS_ECDH_ANON_AES_256_CBC_SHA1 TLS_ECDH_anon_WITH_AES_256_CBC_SHA
0xC0,0x1A TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA
0xC0,0x1B TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA
0xC0,0x1C TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA
0xC0,0x1D TLS_SRP_SHA_WITH_AES_128_CBC_SHA
0xC0,0x1E TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA
0xC0,0x1F TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA
0xC0,0x20 TLS_SRP_SHA_WITH_AES_256_CBC_SHA
0xC0,0x21 TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA
0xC0,0x22 TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA
0xC0,0x23 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE-ECDSA-AES128-SHA256 TLS_ECDHE_ECDSA_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
0xC0,0x24 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE-ECDSA-AES256-SHA384 TLS_ECDHE_ECDSA_AES_256_CBC_SHA384
0xC0,0x25 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ECDH-ECDSA-AES128-SHA256
0xC0,0x26 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ECDH-ECDSA-AES256-SHA384
0xC0,0x27 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE-RSA-AES128-SHA256 TLS_ECDHE_RSA_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
0xC0,0x28 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE-RSA-AES256-SHA384
0xC0,0x29 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 ECDH-RSA-AES128-SHA256
0xC0,0x2A TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 ECDH-RSA-AES256-SHA384
0xC0,0x2B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0xC0,0x2C TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 TLS_ECDHE_ECDSA_AES_256_GCM_SHA384
0xC0,0x2D TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ECDH-ECDSA-AES128-GCM-SHA256 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
0xC0,0x2E TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 ECDH-ECDSA-AES256-GCM-SHA384
0xC0,0x2F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 TLS_ECDHE_RSA_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
0xC0,0x30 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE-RSA-AES256-GCM-SHA384 TLS_ECDHE_RSA_AES_256_GCM_SHA384
0xC0,0x31 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ECDH-RSA-AES128-GCM-SHA256 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
0xC0,0x32 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 ECDH-RSA-AES256-GCM-SHA384
0xC0,0x33 TLS_ECDHE_PSK_WITH_RC4_128_SHA
0xC0,0x34 TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_PSK_3DES_EDE_CBC_SHA1
0xC0,0x35 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA TLS_ECDHE_PSK_AES_128_CBC_SHA1
0xC0,0x36 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA TLS_ECDHE_PSK_AES_256_CBC_SHA1
0xC0,0x37 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 TLS_ECDHE_PSK_AES_128_CBC_SHA256
0xC0,0x38 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 TLS_ECDHE_PSK_AES_256_CBC_SHA384
0xC0,0x39 TLS_ECDHE_PSK_WITH_NULL_SHA
0xC0,0x3A TLS_ECDHE_PSK_WITH_NULL_SHA256 TLS_ECDHE_PSK_NULL_SHA256
0xC0,0x3B TLS_ECDHE_PSK_WITH_NULL_SHA384 TLS_ECDHE_PSK_NULL_SHA384
0xC0,0x3C TLS_RSA_WITH_ARIA_128_CBC_SHA256
0xC0,0x3D TLS_RSA_WITH_ARIA_256_CBC_SHA384
0xC0,0x3E TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256
0xC0,0x3F TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384
0xC0,0x40 TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256
0xC0,0x41 TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384
0xC0,0x42 TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256
0xC0,0x43 TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384
0xC0,0x44 TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
0xC0,0x45 TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
0xC0,0x46 TLS_DH_anon_WITH_ARIA_128_CBC_SHA256
0xC0,0x47 TLS_DH_anon_WITH_ARIA_256_CBC_SHA384
0xC0,0x48 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
0xC0,0x49 TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
0xC0,0x4A TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
0xC0,0x4B TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
0xC0,0x4C TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
0xC0,0x4D TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
0xC0,0x4E TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
0xC0,0x4F TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
0xC0,0x50 TLS_RSA_WITH_ARIA_128_GCM_SHA256
0xC0,0x51 TLS_RSA_WITH_ARIA_256_GCM_SHA384
0xC0,0x52 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
0xC0,0x53 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
0xC0,0x54 TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256
0xC0,0x55 TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384
0xC0,0x56 TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256
0xC0,0x57 TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384
0xC0,0x58 TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256
0xC0,0x59 TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384
0xC0,0x5A TLS_DH_anon_WITH_ARIA_128_GCM_SHA256
0xC0,0x5B TLS_DH_anon_WITH_ARIA_256_GCM_SHA384
0xC0,0x5C TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
0xC0,0x5D TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
0xC0,0x5E TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
0xC0,0x5F TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
0xC0,0x60 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
0xC0,0x61 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
0xC0,0x62 TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
0xC0,0x63 TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
0xC0,0x64 TLS_PSK_WITH_ARIA_128_CBC_SHA256
0xC0,0x65 TLS_PSK_WITH_ARIA_256_CBC_SHA384
0xC0,0x66 TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
0xC0,0x67 TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
0xC0,0x68 TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
0xC0,0x69 TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
0xC0,0x6A TLS_PSK_WITH_ARIA_128_GCM_SHA256
0xC0,0x6B TLS_PSK_WITH_ARIA_256_GCM_SHA384
0xC0,0x6C TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
0xC0,0x6D TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
0xC0,0x6E TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
0xC0,0x6F TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
0xC0,0x70 TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
0xC0,0x71 TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
0xC0,0x72 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
0xC0,0x73 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
0xC0,0x74 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
0xC0,0x75 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
0xC0,0x76 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
0xC0,0x77 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
0xC0,0x78 TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
0xC0,0x79 TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
0xC0,0x7A TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
0xC0,0x7B TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
0xC0,0x7C TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
0xC0,0x7D TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
0xC0,0x7E TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256
0xC0,0x7F TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384
0xC0,0x80 TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256
0xC0,0x81 TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384
0xC0,0x82 TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256
0xC0,0x83 TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384
0xC0,0x84 TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256
0xC0,0x85 TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384
0xC0,0x86 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
0xC0,0x87 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
0xC0,0x88 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
0xC0,0x89 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
0xC0,0x8A TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
0xC0,0x8B TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
0xC0,0x8C TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
0xC0,0x8D TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
0xC0,0x8E TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
0xC0,0x8F TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
0xC0,0x90 TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
0xC0,0x91 TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
0xC0,0x92 TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
0xC0,0x93 TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
0xC0,0x94 TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
0xC0,0x95 TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
0xC0,0x96 TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
0xC0,0x97 TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
0xC0,0x98 TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
0xC0,0x99 TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
0xC0,0x9A TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
0xC0,0x9B TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
0xC0,0x9C TLS_RSA_WITH_AES_128_CCM
0xC0,0x9D TLS_RSA_WITH_AES_256_CCM
0xC0,0x9E TLS_DHE_RSA_WITH_AES_128_CCM
0xC0,0x9F TLS_DHE_RSA_WITH_AES_256_CCM
0xC0,0xA0 TLS_RSA_WITH_AES_128_CCM_8
0xC0,0xA1 TLS_RSA_WITH_AES_256_CCM_8
0xC0,0xA2 TLS_DHE_RSA_WITH_AES_128_CCM_8
0xC0,0xA3 TLS_DHE_RSA_WITH_AES_256_CCM_8
0xC0,0xA4 TLS_PSK_WITH_AES_128_CCM
0xC0,0xA5 TLS_PSK_WITH_AES_256_CCM
0xC0,0xA6 TLS_DHE_PSK_WITH_AES_128_CCM
0xC0,0xA7 TLS_DHE_PSK_WITH_AES_256_CCM
0xC0,0xA8 TLS_PSK_WITH_AES_128_CCM_8
0xC0,0xA9 TLS_PSK_WITH_AES_256_CCM_8
0xC0,0xAA TLS_PSK_DHE_WITH_AES_128_CCM_8
0xC0,0xAB TLS_PSK_DHE_WITH_AES_256_CCM_8

The table above was generated with the script at https://github.com/jvehent/tlsnames

Conversion from OpenSSL to GnuTLS

Use the script at https://github.com/jvehent/tlsnames/blob/master/convert_openssl_to_gnutls.sh to transform an OpenSSL ciphersuite into a GnuTLS one. Some ciphers might be discarded depending on the versions of OpenSSL and GnuTLS that are installed on your system.

$ ./convert_openssl_to_gnutls.sh 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK'
0xC0,0x2F openssl:ECDHE-RSA-AES128-GCM-SHA256 gnutls:TLS_ECDHE_RSA_AES_128_GCM_SHA256
0xC0,0x2B openssl:ECDHE-ECDSA-AES128-GCM-SHA256 gnutls:TLS_ECDHE_ECDSA_AES_128_GCM_SHA256
0xC0,0x30 openssl:ECDHE-RSA-AES256-GCM-SHA384 gnutls:TLS_ECDHE_RSA_AES_256_GCM_SHA384
0xC0,0x2C openssl:ECDHE-ECDSA-AES256-GCM-SHA384 gnutls:TLS_ECDHE_ECDSA_AES_256_GCM_SHA384
0x00,0xA3 openssl:DHE-DSS-AES256-GCM-SHA384 gnutls:
0x00,0x9F openssl:DHE-RSA-AES256-GCM-SHA384 gnutls:
0x00,0xA2 openssl:DHE-DSS-AES128-GCM-SHA256 gnutls:TLS_DHE_DSS_AES_128_GCM_SHA256
0x00,0x9E openssl:DHE-RSA-AES128-GCM-SHA256 gnutls:TLS_DHE_RSA_AES_128_GCM_SHA256
0xC0,0x27 openssl:ECDHE-RSA-AES128-SHA256 gnutls:TLS_ECDHE_RSA_AES_128_CBC_SHA256
0xC0,0x23 openssl:ECDHE-ECDSA-AES128-SHA256 gnutls:TLS_ECDHE_ECDSA_AES_128_CBC_SHA256
0xC0,0x13 openssl:ECDHE-RSA-AES128-SHA gnutls:TLS_ECDHE_RSA_AES_128_CBC_SHA1
0xC0,0x09 openssl:ECDHE-ECDSA-AES128-SHA gnutls:TLS_ECDHE_ECDSA_AES_128_CBC_SHA1
0xC0,0x28 openssl:ECDHE-RSA-AES256-SHA384 gnutls:
0xC0,0x24 openssl:ECDHE-ECDSA-AES256-SHA384 gnutls:TLS_ECDHE_ECDSA_AES_256_CBC_SHA384
0xC0,0x14 openssl:ECDHE-RSA-AES256-SHA gnutls:TLS_ECDHE_RSA_AES_256_CBC_SHA1
0xC0,0x0A openssl:ECDHE-ECDSA-AES256-SHA gnutls:TLS_ECDHE_ECDSA_AES_256_CBC_SHA1
0x00,0x67 openssl:DHE-RSA-AES128-SHA256 gnutls:TLS_DHE_RSA_AES_128_CBC_SHA256
0x00,0x33 openssl:DHE-RSA-AES128-SHA gnutls:TLS_DHE_RSA_AES_128_CBC_SHA1
0x00,0x6B openssl:DHE-RSA-AES256-SHA256 gnutls:TLS_DHE_RSA_AES_256_CBC_SHA256
0x00,0x38 openssl:DHE-DSS-AES256-SHA gnutls:TLS_DHE_DSS_AES_256_CBC_SHA1
0x00,0x9C openssl:AES128-GCM-SHA256 gnutls:TLS_RSA_AES_128_GCM_SHA256
0x00,0x9D openssl:AES256-GCM-SHA384 gnutls:
0xC0,0x11 openssl:ECDHE-RSA-RC4-SHA gnutls:
0xC0,0x07 openssl:ECDHE-ECDSA-RC4-SHA gnutls:
0x00,0x05 openssl:RC4-SHA gnutls:TLS_RSA_ARCFOUR_SHA1
0x00,0x6A openssl:DHE-DSS-AES256-SHA256 gnutls:TLS_DHE_DSS_AES_256_CBC_SHA256
0x00,0x39 openssl:DHE-RSA-AES256-SHA gnutls:TLS_DHE_RSA_AES_256_CBC_SHA1
0x00,0x88 openssl:DHE-RSA-CAMELLIA256-SHA gnutls:TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1
0x00,0x87 openssl:DHE-DSS-CAMELLIA256-SHA gnutls:TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1
0xC0,0x32 openssl:ECDH-RSA-AES256-GCM-SHA384 gnutls:
0xC0,0x2E openssl:ECDH-ECDSA-AES256-GCM-SHA384 gnutls:
0xC0,0x2A openssl:ECDH-RSA-AES256-SHA384 gnutls:
0xC0,0x26 openssl:ECDH-ECDSA-AES256-SHA384 gnutls:
0xC0,0x0F openssl:ECDH-RSA-AES256-SHA gnutls:
0xC0,0x05 openssl:ECDH-ECDSA-AES256-SHA gnutls:
0x00,0x3D openssl:AES256-SHA256 gnutls:TLS_RSA_AES_256_CBC_SHA256
0x00,0x35 openssl:AES256-SHA gnutls:TLS_RSA_AES_256_CBC_SHA1
0x00,0x84 openssl:CAMELLIA256-SHA gnutls:TLS_RSA_CAMELLIA_256_CBC_SHA1
0x00,0x40 openssl:DHE-DSS-AES128-SHA256 gnutls:TLS_DHE_DSS_AES_128_CBC_SHA256
0x00,0x32 openssl:DHE-DSS-AES128-SHA gnutls:TLS_DHE_DSS_AES_128_CBC_SHA1
0x00,0x45 openssl:DHE-RSA-CAMELLIA128-SHA gnutls:TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1
0x00,0x44 openssl:DHE-DSS-CAMELLIA128-SHA gnutls:TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1
0xC0,0x31 openssl:ECDH-RSA-AES128-GCM-SHA256 gnutls:
0xC0,0x2D openssl:ECDH-ECDSA-AES128-GCM-SHA256 gnutls:
0xC0,0x29 openssl:ECDH-RSA-AES128-SHA256 gnutls:
0xC0,0x25 openssl:ECDH-ECDSA-AES128-SHA256 gnutls:
0xC0,0x0E openssl:ECDH-RSA-AES128-SHA gnutls:
0xC0,0x04 openssl:ECDH-ECDSA-AES128-SHA gnutls:
0x00,0x3C openssl:AES128-SHA256 gnutls:TLS_RSA_AES_128_CBC_SHA256
0x00,0x2F openssl:AES128-SHA gnutls:TLS_RSA_AES_128_CBC_SHA1
0x00,0x41 openssl:CAMELLIA128-SHA gnutls:TLS_RSA_CAMELLIA_128_CBC_SHA1

GnuTLS ciphersuite:
TLS_ECDHE_RSA_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_AES_128_GCM_SHA256:TLS_ECDHE_RSA_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_AES_256_GCM_SHA384:TLS_DHE_DSS_AES_128_GCM_SHA256:TLS_DHE_RSA_AES_128_GCM_SHA256:TLS_ECDHE_RSA_AES_128_CBC_SHA256:TLS_ECDHE_ECDSA_AES_128_CBC_SHA256:TLS_ECDHE_RSA_AES_128_CBC_SHA1:TLS_ECDHE_ECDSA_AES_128_CBC_SHA1:TLS_ECDHE_ECDSA_AES_256_CBC_SHA384:TLS_ECDHE_RSA_AES_256_CBC_SHA1:TLS_ECDHE_ECDSA_AES_256_CBC_SHA1:TLS_DHE_RSA_AES_128_CBC_SHA256:TLS_DHE_RSA_AES_128_CBC_SHA1:TLS_DHE_RSA_AES_256_CBC_SHA256:TLS_DHE_DSS_AES_256_CBC_SHA1:TLS_RSA_AES_128_GCM_SHA256:TLS_RSA_ARCFOUR_SHA1:TLS_DHE_DSS_AES_256_CBC_SHA256:TLS_DHE_RSA_AES_256_CBC_SHA1:TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1:TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1:TLS_RSA_AES_256_CBC_SHA256:TLS_RSA_AES_256_CBC_SHA1:TLS_RSA_CAMELLIA_256_CBC_SHA1:TLS_DHE_DSS_AES_128_CBC_SHA256:TLS_DHE_DSS_AES_128_CBC_SHA1:TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1:TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1:TLS_RSA_AES_128_CBC_SHA256:TLS_RSA_AES_128_CBC_SHA1:TLS_RSA_CAMELLIA_128_CBC_SHA1

Ciphers known to OpenSSL but not present in GnuTLS
DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA