Security/Server Side TLS: Difference between revisions

* Version 2.2: ulfr: Added IANA/OpenSSL/GnuTLS correspondence table
(* Version 2.2: ulfr: Added IANA/OpenSSL/GnuTLS correspondence table)
Line 11: Line 11:
|-  
|-  
|  <span style="color:green;">'''READY'''</span> ||
|  <span style="color:green;">'''READY'''</span> ||
* Version 2.2: ulfr: Added IANA/OpenSSL/GnuTLS correspondence table
* Version 2.1: ulfr: RC4 vs 3DES discussion. r=joes r=tinfoil  
* Version 2.1: ulfr: RC4 vs 3DES discussion. r=joes r=tinfoil  
* Version 2: Public release. r=ulfr r=kang
* Version 2: Public release. r=ulfr r=kang
Line 650: Line 651:


Nginx needs a DNS resolver to obtain the IP address of the OCSP responder.
Nginx needs a DNS resolver to obtain the IP address of the OCSP responder.
== Cipher names correspondence table ==
IANA, OpenSSL and GnuTLS use different naming for the same ciphers. The table below matches some of these ciphers:
{|  class=wikitable
|-
! scope="col" | hex value
! scope="col" | IANA
! scope="col" | OpenSSL
! scope="col" | GnuTLS
|-
! scope=row | 0x00,0x00
| TLS_NULL_WITH_NULL_NULL
|
|
|-
! scope=row | 0x00,0x01
| TLS_RSA_WITH_NULL_MD5
|
|TLS_RSA_NULL_MD5
|-
! scope=row | 0x00,0x02
| TLS_RSA_WITH_NULL_SHA
|
|TLS_RSA_NULL_SHA1
|-
! scope=row | 0x00,0x03
| TLS_RSA_EXPORT_WITH_RC4_40_MD5
| EXP-RC4-MD5
|TLS_RSA_EXPORT_ARCFOUR_40_MD5
|-
! scope=row | 0x00,0x04
| TLS_RSA_WITH_RC4_128_MD5
| RC4-MD5
|TLS_RSA_ARCFOUR_MD5
|-
! scope=row | 0x00,0x05
| TLS_RSA_WITH_RC4_128_SHA
| RC4-SHA
|TLS_RSA_ARCFOUR_SHA1
|-
! scope=row | 0x00,0x06
| TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
| EXP-RC2-CBC-MD5
|
|-
! scope=row | 0x00,0x07
| TLS_RSA_WITH_IDEA_CBC_SHA
| IDEA-CBC-SHA
|
|-
! scope=row | 0x00,0x08
| TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
| EXP-DES-CBC-SHA
|
|-
! scope=row | 0x00,0x09
| TLS_RSA_WITH_DES_CBC_SHA
| DES-CBC-SHA
|
|-
! scope=row | 0x00,0x0A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| DES-CBC3-SHA
|TLS_RSA_3DES_EDE_CBC_SHA1
|-
! scope=row | 0x00,0x0B
| TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
|
|
|-
! scope=row | 0x00,0x0C
| TLS_DH_DSS_WITH_DES_CBC_SHA
|
|
|-
! scope=row | 0x00,0x0D
| TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
|
|
|-
! scope=row | 0x00,0x0E
| TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
|
|
|-
! scope=row | 0x00,0x0F
| TLS_DH_RSA_WITH_DES_CBC_SHA
|
|
|-
! scope=row | 0x00,0x10
| TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
|
|
|-
! scope=row | 0x00,0x11
| TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
| EXP-EDH-DSS-DES-CBC-SHA
|
|-
! scope=row | 0x00,0x12
| TLS_DHE_DSS_WITH_DES_CBC_SHA
| EDH-DSS-DES-CBC-SHA
|
|-
! scope=row | 0x00,0x13
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
| EDH-DSS-DES-CBC3-SHA
|TLS_DHE_DSS_3DES_EDE_CBC_SHA1
|-
! scope=row | 0x00,0x14
| TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
| EXP-EDH-RSA-DES-CBC-SHA
|
|-
! scope=row | 0x00,0x15
| TLS_DHE_RSA_WITH_DES_CBC_SHA
| EDH-RSA-DES-CBC-SHA
|
|-
! scope=row | 0x00,0x16
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| EDH-RSA-DES-CBC3-SHA
|TLS_DHE_RSA_3DES_EDE_CBC_SHA1
|-
! scope=row | 0x00,0x17
| TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
|
|
|-
! scope=row | 0x00,0x18
| TLS_DH_anon_WITH_RC4_128_MD5
|
|TLS_DH_ANON_ARCFOUR_MD5
|-
! scope=row | 0x00,0x19
| TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
|
|
|-
! scope=row | 0x00,0x1A
| TLS_DH_anon_WITH_DES_CBC_SHA
|
|
|-
! scope=row | 0x00,0x1B
| TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
|
|TLS_DH_ANON_3DES_EDE_CBC_SHA1
|-
! scope=row | 0x00,0x1E
| TLS_KRB5_WITH_DES_CBC_SHA
| KRB5-DES-CBC-SHA
|
|-
! scope=row | 0x00,0x1F
| TLS_KRB5_WITH_3DES_EDE_CBC_SHA
| KRB5-DES-CBC3-SHA
|
|-
! scope=row | 0x00,0x20
| TLS_KRB5_WITH_RC4_128_SHA
| KRB5-RC4-SHA
|
|-
! scope=row | 0x00,0x21
| TLS_KRB5_WITH_IDEA_CBC_SHA
| KRB5-IDEA-CBC-SHA
|
|-
! scope=row | 0x00,0x22
| TLS_KRB5_WITH_DES_CBC_MD5
| KRB5-DES-CBC-MD5
|
|-
! scope=row | 0x00,0x23
| TLS_KRB5_WITH_3DES_EDE_CBC_MD5
| KRB5-DES-CBC3-MD5
|
|-
! scope=row | 0x00,0x24
| TLS_KRB5_WITH_RC4_128_MD5
| KRB5-RC4-MD5
|
|-
! scope=row | 0x00,0x25
| TLS_KRB5_WITH_IDEA_CBC_MD5
| KRB5-IDEA-CBC-MD5
|
|-
! scope=row | 0x00,0x26
| TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
| EXP-KRB5-DES-CBC-SHA
|
|-
! scope=row | 0x00,0x27
| TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA
| EXP-KRB5-RC2-CBC-SHA
|
|-
! scope=row | 0x00,0x28
| TLS_KRB5_EXPORT_WITH_RC4_40_SHA
| EXP-KRB5-RC4-SHA
|
|-
! scope=row | 0x00,0x29
| TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
| EXP-KRB5-DES-CBC-MD5
|
|-
! scope=row | 0x00,0x2A
| TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5
| EXP-KRB5-RC2-CBC-MD5
|
|-
! scope=row | 0x00,0x2B
| TLS_KRB5_EXPORT_WITH_RC4_40_MD5
| EXP-KRB5-RC4-MD5
|
|-
! scope=row | 0x00,0x2C
| TLS_PSK_WITH_NULL_SHA
|
|
|-
! scope=row | 0x00,0x2D
| TLS_DHE_PSK_WITH_NULL_SHA
|
|
|-
! scope=row | 0x00,0x2E
| TLS_RSA_PSK_WITH_NULL_SHA
|
|
|-
! scope=row | 0x00,0x2F
| TLS_RSA_WITH_AES_128_CBC_SHA
| AES128-SHA
|TLS_RSA_AES_128_CBC_SHA1
|-
! scope=row | 0x00,0x30
| TLS_DH_DSS_WITH_AES_128_CBC_SHA
|
|
|-
! scope=row | 0x00,0x31
| TLS_DH_RSA_WITH_AES_128_CBC_SHA
|
|
|-
! scope=row | 0x00,0x32
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA
| DHE-DSS-AES128-SHA
|TLS_DHE_DSS_AES_128_CBC_SHA1
|-
! scope=row | 0x00,0x33
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| DHE-RSA-AES128-SHA
|TLS_DHE_RSA_AES_128_CBC_SHA1
|-
! scope=row | 0x00,0x34
| TLS_DH_anon_WITH_AES_128_CBC_SHA
|
|TLS_DH_ANON_AES_128_CBC_SHA1
|-
! scope=row | 0x00,0x35
| TLS_RSA_WITH_AES_256_CBC_SHA
| AES256-SHA
|TLS_RSA_AES_256_CBC_SHA1
|-
! scope=row | 0x00,0x36
| TLS_DH_DSS_WITH_AES_256_CBC_SHA
|
|
|-
! scope=row | 0x00,0x37
| TLS_DH_RSA_WITH_AES_256_CBC_SHA
|
|
|-
! scope=row | 0x00,0x38
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA
| DHE-DSS-AES256-SHA
|TLS_DHE_DSS_AES_256_CBC_SHA1
|-
! scope=row | 0x00,0x39
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| DHE-RSA-AES256-SHA
|TLS_DHE_RSA_AES_256_CBC_SHA1
|-
! scope=row | 0x00,0x3A
| TLS_DH_anon_WITH_AES_256_CBC_SHA
|
|TLS_DH_ANON_AES_256_CBC_SHA1
|-
! scope=row | 0x00,0x3B
| TLS_RSA_WITH_NULL_SHA256
|
|TLS_RSA_NULL_SHA256
|-
! scope=row | 0x00,0x3C
| TLS_RSA_WITH_AES_128_CBC_SHA256
| AES128-SHA256
|TLS_RSA_AES_128_CBC_SHA256
|-
! scope=row | 0x00,0x3D
| TLS_RSA_WITH_AES_256_CBC_SHA256
| AES256-SHA256
|TLS_RSA_AES_256_CBC_SHA256
|-
! scope=row | 0x00,0x3E
| TLS_DH_DSS_WITH_AES_128_CBC_SHA256
|
|
|-
! scope=row | 0x00,0x3F
| TLS_DH_RSA_WITH_AES_128_CBC_SHA256
|
|
|-
! scope=row | 0x00,0x40
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
| DHE-DSS-AES128-SHA256
|TLS_DHE_DSS_AES_128_CBC_SHA256
|-
! scope=row | 0x00,0x41
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
| CAMELLIA128-SHA
|TLS_RSA_CAMELLIA_128_CBC_SHA1
|-
! scope=row | 0x00,0x42
| TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
|
|
|-
! scope=row | 0x00,0x43
| TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
|
|
|-
! scope=row | 0x00,0x44
| TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
| DHE-DSS-CAMELLIA128-SHA
|TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1
|-
! scope=row | 0x00,0x45
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
| DHE-RSA-CAMELLIA128-SHA
|TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1
|-
! scope=row | 0x00,0x46
| TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
|
|TLS_DH_ANON_CAMELLIA_128_CBC_SHA1
|-
! scope=row | 0x00,0x67
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| DHE-RSA-AES128-SHA256
|TLS_DHE_RSA_AES_128_CBC_SHA256
|-
! scope=row | 0x00,0x68
| TLS_DH_DSS_WITH_AES_256_CBC_SHA256
|
|
|-
! scope=row | 0x00,0x69
| TLS_DH_RSA_WITH_AES_256_CBC_SHA256
|
|
|-
! scope=row | 0x00,0x6A
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
| DHE-DSS-AES256-SHA256
|TLS_DHE_DSS_AES_256_CBC_SHA256
|-
! scope=row | 0x00,0x6B
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| DHE-RSA-AES256-SHA256
|TLS_DHE_RSA_AES_256_CBC_SHA256
|-
! scope=row | 0x00,0x6C
| TLS_DH_anon_WITH_AES_128_CBC_SHA256
|
|TLS_DH_ANON_AES_128_CBC_SHA256
|-
! scope=row | 0x00,0x6D
| TLS_DH_anon_WITH_AES_256_CBC_SHA256
|
|TLS_DH_ANON_AES_256_CBC_SHA256
|-
! scope=row | 0x00,0x84
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
| CAMELLIA256-SHA
|TLS_RSA_CAMELLIA_256_CBC_SHA1
|-
! scope=row | 0x00,0x85
| TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
|
|
|-
! scope=row | 0x00,0x86
| TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
|
|
|-
! scope=row | 0x00,0x87
| TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
| DHE-DSS-CAMELLIA256-SHA
|TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1
|-
! scope=row | 0x00,0x88
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
| DHE-RSA-CAMELLIA256-SHA
|TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1
|-
! scope=row | 0x00,0x89
| TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
|
|TLS_DH_ANON_CAMELLIA_256_CBC_SHA1
|-
! scope=row | 0x00,0x8A
| TLS_PSK_WITH_RC4_128_SHA
| PSK-RC4-SHA
|TLS_PSK_SHA_ARCFOUR_SHA1
|-
! scope=row | 0x00,0x8B
| TLS_PSK_WITH_3DES_EDE_CBC_SHA
| PSK-3DES-EDE-CBC-SHA
|TLS_PSK_SHA_3DES_EDE_CBC_SHA1
|-
! scope=row | 0x00,0x8C
| TLS_PSK_WITH_AES_128_CBC_SHA
| PSK-AES128-CBC-SHA
|TLS_PSK_SHA_AES_128_CBC_SHA1
|-
! scope=row | 0x00,0x8D
| TLS_PSK_WITH_AES_256_CBC_SHA
| PSK-AES256-CBC-SHA
|TLS_PSK_SHA_AES_256_CBC_SHA1
|-
! scope=row | 0x00,0x8E
| TLS_DHE_PSK_WITH_RC4_128_SHA
|
|TLS_DHE_PSK_SHA_ARCFOUR_SHA1
|-
! scope=row | 0x00,0x8F
| TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
|
|TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1
|-
! scope=row | 0x00,0x90
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA
|
|TLS_DHE_PSK_SHA_AES_128_CBC_SHA1
|-
! scope=row | 0x00,0x91
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA
|
|TLS_DHE_PSK_SHA_AES_256_CBC_SHA1
|-
! scope=row | 0x00,0x92
| TLS_RSA_PSK_WITH_RC4_128_SHA
|
|
|-
! scope=row | 0x00,0x93
| TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
|
|
|-
! scope=row | 0x00,0x94
| TLS_RSA_PSK_WITH_AES_128_CBC_SHA
|
|
|-
! scope=row | 0x00,0x95
| TLS_RSA_PSK_WITH_AES_256_CBC_SHA
|
|
|-
! scope=row | 0x00,0x96
| TLS_RSA_WITH_SEED_CBC_SHA
| SEED-SHA
|
|-
! scope=row | 0x00,0x97
| TLS_DH_DSS_WITH_SEED_CBC_SHA
|
|
|-
! scope=row | 0x00,0x98
| TLS_DH_RSA_WITH_SEED_CBC_SHA
|
|
|-
! scope=row | 0x00,0x99
| TLS_DHE_DSS_WITH_SEED_CBC_SHA
| DHE-DSS-SEED-SHA
|
|-
! scope=row | 0x00,0x9A
| TLS_DHE_RSA_WITH_SEED_CBC_SHA
| DHE-RSA-SEED-SHA
|
|-
! scope=row | 0x00,0x9B
| TLS_DH_anon_WITH_SEED_CBC_SHA
|
|
|-
! scope=row | 0x00,0x9C
| TLS_RSA_WITH_AES_128_GCM_SHA256
| AES128-GCM-SHA256
|TLS_RSA_AES_128_GCM_SHA256
|-
! scope=row | 0x00,0x9D
| TLS_RSA_WITH_AES_256_GCM_SHA384
| AES256-GCM-SHA384
|
|-
! scope=row | 0x00,0x9E
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| DHE-RSA-AES128-GCM-SHA256
|TLS_DHE_RSA_AES_128_GCM_SHA256
|-
! scope=row | 0x00,0x9F
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| DHE-RSA-AES256-GCM-SHA384
|
|-
! scope=row | 0x00,0xA0
| TLS_DH_RSA_WITH_AES_128_GCM_SHA256
|
|
|-
! scope=row | 0x00,0xA1
| TLS_DH_RSA_WITH_AES_256_GCM_SHA384
|
|
|-
! scope=row | 0x00,0xA2
| TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
| DHE-DSS-AES128-GCM-SHA256
|TLS_DHE_DSS_AES_128_GCM_SHA256
|-
! scope=row | 0x00,0xA3
| TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
| DHE-DSS-AES256-GCM-SHA384
|
|-
! scope=row | 0x00,0xA4
| TLS_DH_DSS_WITH_AES_128_GCM_SHA256
|
|
|-
! scope=row | 0x00,0xA5
| TLS_DH_DSS_WITH_AES_256_GCM_SHA384
|
|
|-
! scope=row | 0x00,0xA6
| TLS_DH_anon_WITH_AES_128_GCM_SHA256
|
|TLS_DH_ANON_AES_128_GCM_SHA256
|-
! scope=row | 0x00,0xA7
| TLS_DH_anon_WITH_AES_256_GCM_SHA384
|
|
|-
! scope=row | 0x00,0xA8
| TLS_PSK_WITH_AES_128_GCM_SHA256
|
|TLS_PSK_AES_128_GCM_SHA256
|-
! scope=row | 0x00,0xA9
| TLS_PSK_WITH_AES_256_GCM_SHA384
|
|TLS_PSK_WITH_AES_256_GCM_SHA384
|-
! scope=row | 0x00,0xAA
| TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
|
|TLS_DHE_PSK_AES_128_GCM_SHA256
|-
! scope=row | 0x00,0xAB
| TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
|
|TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
|-
! scope=row | 0x00,0xAC
| TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
|
|
|-
! scope=row | 0x00,0xAD
| TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
|
|
|-
! scope=row | 0x00,0xAE
| TLS_PSK_WITH_AES_128_CBC_SHA256
|
|TLS_PSK_AES_128_CBC_SHA256
|-
! scope=row | 0x00,0xAF
| TLS_PSK_WITH_AES_256_CBC_SHA384
|
|
|-
! scope=row | 0x00,0xB0
| TLS_PSK_WITH_NULL_SHA256
|
|TLS_PSK_NULL_SHA256
|-
! scope=row | 0x00,0xB1
| TLS_PSK_WITH_NULL_SHA384
|
|
|-
! scope=row | 0x00,0xB2
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
|
|TLS_DHE_PSK_AES_128_CBC_SHA256
|-
! scope=row | 0x00,0xB3
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
|
|
|-
! scope=row | 0x00,0xB4
| TLS_DHE_PSK_WITH_NULL_SHA256
|
|TLS_DHE_PSK_NULL_SHA256
|-
! scope=row | 0x00,0xB5
| TLS_DHE_PSK_WITH_NULL_SHA384
|
|
|-
! scope=row | 0x00,0xB6
| TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
|
|
|-
! scope=row | 0x00,0xB7
| TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
|
|
|-
! scope=row | 0x00,0xB8
| TLS_RSA_PSK_WITH_NULL_SHA256
|
|
|-
! scope=row | 0x00,0xB9
| TLS_RSA_PSK_WITH_NULL_SHA384
|
|
|-
! scope=row | 0x00,0xBA
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
|
|-
! scope=row | 0x00,0xBB
| TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256
|
|
|-
! scope=row | 0x00,0xBC
| TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
|
|-
! scope=row | 0x00,0xBD
| TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256
|
|
|}
The table above was generated with the script at https://github.com/jvehent/tlsnames