The specification consists of one or more cipher mnemonics which are separated by a colon (:).
A cipher mnemonic can take the following forms:
A cipher mnemonic can consist of a single cipher suite such as DHE-RSA-AES256-SHA256.
A cipher mnemonic can represent:
a list of cipher suites which contain a particular algorithm
cipher suites of a particular type
For example, SHA256 represents all cipher suites which use the digest algorithm SHA256, and SSLv3 represents all SSL Version-3 algorithms.
Lists of cipher suites can be combined to form a single cipher mnemonic with the aid of the “+” character. This is then interpreted as a logical AND operation. Thus SHA256+AES represents all cipher suites which contain the SHA256 and AES algorithms.
Each cipher mnemonic can optionally be prefixed by one of the characters “!”, “-” or “+”:
If the prefix is “!”, the relevant cipher suites are permanently deleted from the preference list. Subsequently these no longer appear in the preference list even when they are specified explicitly.
If the prefix is “-”, the relevant cipher suites are deleted from the preference list, but some or all of them can be added again by means of subsequent options.
If the prefix is “+”, the relevant cipher suites are moved to the end of the preference list. This means that no cipher suites are added to the preference list, but only existing ones moved.
If none of the three characters “!”, “-” or “+” is prefixed, the cipher mnemonic is interpreted as a list of cipher suites which is appended to the current preference list. If this includes a cipher suite which is already contained in the current preference list, it is ignored. It is not moved to the end of the preference list.
The cipher mnemonic @STRENGTH can be added at any position in order to sort the current preference list according to the length of the encryption key.
Permissible cipher mnemonics
The permissible cipher mnemonics are described below.
ALL
All cipher suites. Currently all contained suites belong to class HIGH.
HIGH
Cipher suites with key lengths greater than 128 bits and some with key length 128.
MEDIUM
Cipher suites with a key length of 128 bits or cipher suites downgraded due to other reasons. Currently no supported suites belong to this class.
kRSA, RSA
Cipher suites with RSA key exchange.
aRSA
Cipher suites with RSA authentication, in other words the certificates contain RSA keys.
aDSS, DSS
Cipher suites with DSS authentication, in other words the certificates contain DSS keys.
TLSv1.2, TLSv1.0, SSLv3
TLSv1.2, TLSv1.0 or SSLv3 cipher suites.
Note: There exist no TLSv1.1.specific cipher suites.
DH
Cipher suites with Diffie-Hellman key exchange, including anonymous exchange.
ADH
Cipher suites with anonymous Diffie-Hellman key exchange.
kEDH, kDHE
Cipher suites with ephemeral Diffie-Hellmann key negotiation including anonymous suites.
kEECDH, kECDHE
Cipher suites with ephemeral Elliptic Curve Diffie-Hellmann key negotiation including anonymous suites.
EECDH, ECDHE
Cipher suites with ephemeral Elliptic Curve Diffie-Hellmann key negotiation without anonymous suites.
AECDH
Anonymous Cipher suites with Elliptic Curve Diffie-Hellmann key negotiation.
ECDH
Cipher suites with Elliptic Curve Diffie-Hellmann key negotiation including anonymous, ephemeral and fixed ECDH.
aECDSA
Cipher suites using ECDSA authentication, in other words, the certificates contain ECDSA keys.
AES128, AES256, AES
Cipher suites with AES encryption (key length of 128 or 256 bits or one of them).
AESCCM
Cipher suites using AES with "Counter with CBC-MAC (CCM)" mode. These cipher suites are only supported by TLSv1.2.
AESGCM
Cipher suites using AES in "Galois Counter Mode (GCM)". These cipher suites are only supported by TLSv1.2.
CHACHA20
Cipher suites with ChaCha20 encryption.
ARIA
Cipher suites with ARIA encryption.
CAMELLIA128, CAMELLIA256, CAMELLIA
Cipher suites that use 128 bit Camellia, 256 bit Camellia or either 128 or 256 bit Camellia.
SHA1, SHA
Cipher suites with SHA1 hash function.
As it is just a matter of time until feasible attacks on SHA1 appear, you should switch as soon as possible to cipher suites that use the hash functions SHA256 or SHA384, for example.
SHA256, SHA384
Cipher suites using the SHA256 and SHA384 hash function respectively for the MAC (message authentication code) computation. In the case of cipher suites using AESGCM and hence AEAD (Authenticated Encryption with Associated Data) as the MAC method, the SHA256 and SHA384 respectively in the name has a different meaning.
The selecting effect of a preference list specification can be checked with the SHOW.CIPHERLIST procedure (see "SHOW.CIPHERLIST procedure").
The cipher suites available with TLS 1.2 are listed in the table below (where suites with the encryption methods ARIA, Camellia and SEED and suites without authentication or without encryption are left out, because they play only a small role in practice).
Name | ID | Version | Key | Authen- | Encryption | Digest |
ECDHE-ECDSA-AES256-GCM-SHA384 | 0xC0,0x2C | TLSv1.2 | ECDH | ECDSA | AESGCM(256) | AEAD |
ECDHE-RSA-AES256-GCM-SHA384 | 0xC0,0x30 | TLSv1.2 | ECDH | RSA | AESGCM(256) | AEAD |
DHE-DSS-AES256-GCM-SHA384 | 0x00,0xA3 | TLSv1.2 | DH | DSS | AESGCM(256) | AEAD |
DHE-RSA-AES256-GCM-SHA384 | 0x00,0x9F | TLSv1.2 | DH | RSA | AESGCM(256) | AEAD |
ECDHE-ECDSA-CHACHA20-POLY1305 | 0xCC,0xA9 | TLSv1.2 | ECDH | ECDSA | CHACHA20/ POLY1305(256) | AEAD |
ECDHE-RSA-CHACHA20-POLY1305 | 0xCC,0xA8 | TLSv1.2 | ECDH | RSA | CHACHA20/ POLY1305(256) | AEAD |
DHE-RSA-CHACHA20-POLY1305 | 0xCC,0xAA | TLSv1.2 | DH | RSA | CHACHA20/ POLY1305(256) | AEAD |
ECDHE-ECDSA-AES256-CCM8 | 0xC0,0xAF | TLSv1.2 | ECDH | ECDSA | AESCCM8(256) | AEAD |
ECDHE-ECDSA-AES256-CCM | 0xC0,0xAD | TLSv1.2 | ECDH | ECDSA | AESCCM(256) | AEAD |
DHE-RSA-AES256-CCM8 | 0xC0,0xA3 | TLSv1.2 | DH | RSA | AESCCM8(256) | AEAD |
DHE-RSA-AES256-CCM | 0xC0,0x9F | TLSv1.2 | DH | RSA | AESCCM(256) | AEAD |
ECDHE-ECDSA-AES128-GCM-SHA256 | 0xC0,0x2B | TLSv1.2 | ECDH | ECDSA | AESGCM(128) | AEAD |
ECDHE-RSA-AES128-GCM-SHA256 | 0xC0,0x2F | TLSv1.2 | ECDH | RSA | AESGCM(128) | AEAD |
DHE-DSS-AES128-GCM-SHA256 | 0x00,0xA2 | TLSv1.2 | DH | DSS | AESGCM(128) | AEAD |
DHE-RSA-AES128-GCM-SHA256 | 0x00,0x9E | TLSv1.2 | DH | RSA | AESGCM(128) | AEAD |
ECDHE-ECDSA-AES128-CCM8 | 0xC0,0xAE | TLSv1.2 | ECDH | ECDSA | AESCCM8(128) | AEAD |
ECDHE-ECDSA-AES128-CCM | 0xC0,0xAC | TLSv1.2 | ECDH | ECDSA | AESCCM(128) | AEAD |
DHE-RSA-AES128-CCM8 | 0xC0,0xA2 | TLSv1.2 | DH | RSA | AESCCM8(128) | AEAD |
DHE-RSA-AES128-CCM | 0xC0,0x9E | TLSv1.2 | DH | RSA | AESCCM(128) | AEAD |
ECDHE-ECDSA-AES256-SHA384 | 0xC0,0x24 | TLSv1.2 | ECDH | ECDSA | AES(256) | SHA384 |
ECDHE-RSA-AES256-SHA384 | 0xC0,0x28 | TLSv1.2 | ECDH | RSA | AES(256) | SHA384 |
DHE-RSA-AES256-SHA256 | 0x00,0x6B | TLSv1.2 | DH | RSA | AES(256) | SHA256 |
DHE-DSS-AES256-SHA256 | 0x00,0x6A | TLSv1.2 | DH | DSS | AES(256) | SHA256 |
ECDHE-ECDSA-AES128-SHA256 | 0xC0,0x23 | TLSv1.2 | ECDH | ECDSA | AES(128) | SHA256 |
ECDHE-RSA-AES128-SHA256 | 0xC0,0x27 | TLSv1.2 | ECDH | RSA | AES(128) | SHA256 |
DHE-RSA-AES128-SHA256 | 0x00,0x67 | TLSv1.2 | DH | RSA | AES(128) | SHA256 |
DHE-DSS-AES128-SHA256 | 0x00,0x40 | TLSv1.2 | DH | DSS | AES(128) | SHA256 |
ECDHE-ECDSA-AES256-SHA | 0xC0,0x0A | TLSv1 | ECDH | ECDSA | AES(256) | SHA1 |
ECDHE-RSA-AES256-SHA | 0xC0,0x14 | TLSv1 | ECDH | RSA | AES(256) | SHA1 |
DHE-RSA-AES256-SHA | 0x00,0x39 | SSLv3 | DH | RSA | AES(256) | SHA1 |
DHE-DSS-AES256-SHA | 0x00,0x38 | SSLv3 | DH | DSS | AES(256) | SHA1 |
ECDHE-ECDSA-AES128-SHA | 0xC0,0x09 | TLSv1 | ECDH | ECDSA | AES(128) | SHA1 |
ECDHE-RSA-AES128-SHA | 0xC0,0x13 | TLSv1 | ECDH | RSA | AES(128) | SHA1 |
DHE-RSA-AES128-SHA | 0x00,0x33 | SSLv3 | DH | RSA | AES(128) | SHA1 |
DHE-DSS-AES128-SHA | 0x00,0x32 | SSLv3 | DH | DSS | AES(128) | SHA1 |
AES256-GCM-SHA384 | 0x00,0x9D | TLSv1.2 | RSA | RSA | AESGCM(256) | AEAD |
AES256-CCM8 | 0xC0,0xA1 | TLSv1.2 | RSA | RSA | AESCCM8(256) | AEAD |
AES256-CCM | 0xC0,0x9D | TLSv1.2 | RSA | RSA | AESCCM(256) | AEAD |
AES128-GCM-SHA256 | 0x00,0x9C | TLSv1.2 | RSA | RSA | AESGCM(128) | AEAD |
AES128-CCM8 | 0xC0,0xA0 | TLSv1.2 | RSA | RSA | AESCCM8(128) | AEAD |
AES128-CCM | 0xC0,0x9C | TLSv1.2 | RSA | RSA | AESCCM(128) | AEAD |
AES256-SHA256 | 0x00,0x3D | TLSv1.2 | RSA | RSA | AES(256) | SHA256 |
AES128-SHA256 | 0x00,0x3C | TLSv1.2 | RSA | RSA | AES(128) | SHA256 |
AES256-SHA | 0x00,0x35 | SSLv3 | RSA | RSA | AES(256) | SHA1 |
AES128-SHA | 0x00,0x2F | SSLv3 | RSA | RSA | AES(128) | SHA1 |
Available cipher suites for usage with TLSv1.2