TLS Cipher String Cheat Sheet



Last revision (mm/dd/yy): //

= Introduction =

This article is focused on providing clear and simple examples for the cipher string. They are based on different scenarios where you use the Transport Layer Security (TLS) protocol.

=Recommendations for a cipher string= The cipher strings are based on the recommendation to setup your policy to get a whitelist for yours ciphers as described in the Transport Layer Protection Cheat Sheet (Rule - Only Support Strong Cryptographic Ciphers). The recommened cipher strings are based on the different scenarios:
 * OWASP Cipher String 'A+' (Advanced+, limited compatibility, e.g. to more recent browser versions)
 * Recommended if you control the server and the clients (e.g. by approvement) and if you check the compatibility before using it
 * Includes solely the strongest perfect forward secrecy (PFS) ciphers
 * Protocol: TLSv1.2 (and above)


 * OWASP Cipher String 'A' (Advanced, wider compatibility, e.g. to most newer browser versions)
 * Recommended if you control the server and the clients (e.g. by approvement) if the 'A+' string does not work, make sure to check the compatibility before using it
 * includes solely the stronger PFS ciphers
 * Protocol: TLSv1.2 (and above)


 * OWASP Cipher String 'B' (Broad compatibility)
 * Recommended if you solely control the server and the clients use their browsers
 * Includes solely PFS ciphers
 * Be aware of additional risks and of new vulnerabilities that may appear are more likely than above
 * Plan to phase out SHA-1 and TLSv1/TLSv1.1 for https in middle-term
 * Protocol: TLSv1.0/better TLSv1.1 (and above)


 * OWASP Cipher String 'C' (Widest Compatibility, compatibility to most legacy browsers, legacy libraries (still patched) and other application protocols besides https, e.g. IMAPS)
 * You may use this if you solely control the server and your clients use elder browsers and other elder libraries or if you use other protocols than https
 * Be aware of the existing risks and of new vulnerabilities that may appear more likely
 * PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues)
 * Plan to move to 'A' for https or at least 'B' otherwise in middle-term
 * Protocol: TLSv1.0 (and above)


 * OWASP Cipher String 'C-' (Legacy, widest compatibility to real old browsers and legacy libraries and other application protocols like SMTP)
 * Take care, use this cipher string only if you are forced to support DES (=TLS_RSA_WITH_3DES_EDE_CBC_SHA, =DES-CBC3-SHA) for real old clients with very old libraries or old libraries for other protocols besides https
 * Be aware of the existing risks (e.g. ciphers without PFS or with 3DES) and of new vulnerabilities that may appear the most likely
 * PFS ciphers are preferred, except DHE with SHA-1 (to prevent possible incompatibility issues)
 * plan to move at leastr to 'C' in a short-term
 * Protocol: TLSv1.0 (and above)


 * Table of the ciphers (and their priority)
 * {| border="1" cellspacing="1" cellpadding="1" style="border-collapse:collapse; text-align: center; font-size:84%;"

! style="text-align:left;" |Cipher-Name: IANA, [openssl] ! style="width: 8%;" | Cipher-Hex-Wert ! style="width:11%;" | Advanced+ (A+) ! style="width:11%;" | Advanced (A) ! style="width:11%;" | Broad Compatibility (B) ! style="width:11%;" | Widest Compatibility (C) ! style="width:11%;" | Legacy (C-)
 * - style="font-size: 119%; background-color:#DCDCDC;"
 * - style="background-color:#B9FFC5;"


 * style="text-align:left" | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,  [DHE-RSA-AES256-GCM-SHA384]   || 0x009f   ||  1 ||  1 ||  1 ||  1 ||  1
 * - style="background-color:#B9FFC5;"
 * style="text-align:left" | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,  [DHE-RSA-AES128-GCM-SHA256]   || 0x009e   ||  2 ||  2 ||  2 ||  2 ||  2
 * - style="background-color:#B9FFC5;"
 * style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, [ECDHE-RSA-AES256-GCM-SHA384] || 0xc030  ||  3 ||  3 ||  3 ||  3 ||  3
 * - style="background-color:#B9FFC5;"
 * style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, [ECDHE-RSA-AES128-GCM-SHA256] || 0xc02f  ||  4 ||  4 ||  4 ||  4 ||  4
 * - style="background-color:#E3FFE3;"
 * style="text-align:left" | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,  [DHE-RSA-AES256-SHA256]       || 0x006b   ||    ||  5 ||  5 ||  5 ||  5
 * - style="background-color:#E3FFE3;"
 * style="text-align:left" | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,  [DHE-RSA-AES128-SHA256]       || 0x0067   ||    ||  6 ||  6 ||  6 ||  6
 * - style="background-color:#E3FFE3;"
 * style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, [ECDHE-RSA-AES256-SHA384]    || 0xc028   ||    ||  7 ||  7 ||  7 ||  7
 * - style="background-color:#E3FFE3;"
 * style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, [ECDHE-RSA-AES128-SHA256]    || 0xc027   ||    ||  8 ||  8 ||  8 ||  8
 * style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,   [ECDHE-RSA-AES256-SHA]        || 0xc014   ||    ||    ||  9 ||  9 ||  9
 * style="text-align:left" | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,   [ECDHE-RSA-AES128-SHA]        || 0xc013   ||    ||    || 10 || 10 || 10
 * - style="background-color:#F4F6F8;"
 * style="text-align:left" | TLS_RSA_WITH_AES_256_GCM_SHA384,      [AES256-GCM-SHA384]           || 0x009d   ||    ||    ||    || 11 || 11
 * - style="background-color:#F4F6F8;"
 * style="text-align:left" | TLS_RSA_WITH_AES_128_GCM_SHA256,      [AES128-GCM-SHA256]           || 0x009c   ||    ||    ||    || 12 || 12
 * - style="background-color:#F4F6F8;"
 * style="text-align:left" | TLS_RSA_WITH_AES_256_CBC_SHA256,      [AES256-SHA256]               || 0x003d   ||    ||    ||    || 13 || 13
 * - style="background-color:#F4F6F8;"
 * style="text-align:left" | TLS_RSA_WITH_AES_128_CBC_SHA256,      [AES128-SHA256]               || 0x003c   ||    ||    ||    || 14 || 14
 * - style="background-color:#F4F6F8;"
 * style="text-align:left" | TLS_RSA_WITH_AES_256_CBC_SHA,         [AES256-SHA]                  || 0x0035   ||    ||    ||    || 15 || 15
 * - style="background-color:#F4F6F8;"
 * style="text-align:left" | TLS_RSA_WITH_AES_128_CBC_SHA,         [AES128-SHA]                  || 0x002f   ||    ||    ||    || 16 || 16
 * - style="background-color:#FFFF88;"
 * style="text-align:left" | TLS_RSA_WITH_3DES_EDE_CBC_SHA,        [DES-CBC3-SHA]                || 0x000a   ||    ||    ||    ||    || 17
 * style="text-align:left" | TLS_DHE_RSA_WITH_AES_256_CBC_SHA,     [DHE-RSA-AES256-SHA]          || 0x0039   ||    ||    || 11 || 17 || 18
 * style="text-align:left" | TLS_DHE_RSA_WITH_AES_128_CBC_SHA,     [DHE-RSA-AES128-SHA]          || 0x0033   ||    ||    || 12 || 18 || 19
 * }
 * Anmerkungen: - Die Nummer gibt die Position der jeweiligen Priorisierung an - Da ältere Internet-Explorer- und Java-Versionen keine Diffie-Hellman-Parameter >1024 bit unterstützen wurden die Verfahren 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' und 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' am Ende angeordnet, um Inkompatibilitäten mit Altversionen zu vermeiden; Alternative: Diese Verfahren ganz weglassen.
 * Beispiel-Cipher-Strings für OpenSSL:
 * {| border="1" cellspacing="1" cellpadding="1" style="border-collapse:collapse; text-align: left; font-size:84%;"
 * }
 * Anmerkungen: - Die Nummer gibt die Position der jeweiligen Priorisierung an - Da ältere Internet-Explorer- und Java-Versionen keine Diffie-Hellman-Parameter >1024 bit unterstützen wurden die Verfahren 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' und 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' am Ende angeordnet, um Inkompatibilitäten mit Altversionen zu vermeiden; Alternative: Diese Verfahren ganz weglassen.
 * Beispiel-Cipher-Strings für OpenSSL:
 * {| border="1" cellspacing="1" cellpadding="1" style="border-collapse:collapse; text-align: left; font-size:84%;"

!Cipher-String            || OpennSSL-Syntax
 * - style="font-size: 119%; background-color:#EAECF0;"
 * - style="background-color:#B9FFC5;"
 * style="font-size: 119%;"| Advanced+ (A+)          || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
 * - style="background-color:#E3FFE3;"
 * style="font-size: 119%;"| Advanced (A)            || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
 * style="font-size: 119%;"| Broad Compatibility (B) || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
 * - style="background-color:#F4F6F8;"
 * style="font-size: 119%;"| Widest Compatibility (C) || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
 * - style="background-color:#FFFF88;"
 * style="font-size: 119%;"| Legacy (C-)             || DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
 * }
 * TLS/SSL-Konfiguration des Webservers härten:
 * nur sichere Server-initiierte Renegotiation
 * keine Komprimierung
 * Einstellungen aller virtuellen Server (virtualHosts) prüfen
 * Bei Einsatz von Server Name Indication (SNI), prüfen, welcher Server der Default-Server ist. Alte Browser bzw. Betriebssysteme, ohne SNI-Unterstützung erreichen nur diesen!
 * Prüfen der, von der installierten OpenSSL-Version unterstützten Cipher
 * Reduktion der SSL-Extensions auf das notwendige Maß, z.B. Deaktivieren von Heart-Beat (vgl Heartbleed), kein Aktivieren von unsicheren Extension-DRAFTS wie z.B. Additional random, Opaque PRF Input (vgl. DualECTLS)
 * Reduktion der SSL-Extensions auf das notwendige Maß, z.B. Deaktivieren von Heart-Beat (vgl Heartbleed), kein Aktivieren von unsicheren Extension-DRAFTS wie z.B. Additional random, Opaque PRF Input (vgl. DualECTLS)


 * Konfigurations-Beispiel für Apache inkl. Cipher String 'A':

SSLProtocol +TLSv1.2                 # for Cipher-String 'A+', 'A' SSLCompression off SSLHonorCipherOrder on SSLCipherSuite 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'
 * 1) SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 # for Cipher-String 'B', 'C', 'C-'
 * 1) optional kann ':!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' ergänzt werden.

Anmerkungen: - Der Cipher-String mit den SSL-Cipher-Suites wurde als Whitelist formuliert, um die serverseitige Kompatibilität mit alten Versionen von OpenSSL zu erhöhen. - Überwachen Sie die Performance Ihres Servers, der Verbindungsaufbau mit DHE ist ca. 2,4 Mal CPU-intensiver als mit ECDHE (vgl [Vincent Bernat, 2011 ], [nmav's Blog, 2011 ])


 * Prüfen der Cipher-Einstellungen mittels openssl, z.B. Cipher-String 'A':

openssl ciphers -V "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384  TLSv1.2 Kx=DH     Au=RSA  Enc=AESGCM(256) Mac=AEAD 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256  TLSv1.2 Kx=DH     Au=RSA  Enc=AESGCM(128) Mac=AEAD 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH  Au=RSA  Enc=AESGCM(256) Mac=AEAD 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH  Au=RSA  Enc=AESGCM(128) Mac=AEAD 0x00,0x6B - DHE-RSA-AES256-SHA256      TLSv1.2 Kx=DH     Au=RSA  Enc=AES(256)    Mac=SHA256 0x00,0x67 - DHE-RSA-AES128-SHA256      TLSv1.2 Kx=DH     Au=RSA  Enc=AES(128)    Mac=SHA256 0xC0,0x28 - ECDHE-RSA-AES256-SHA384    TLSv1.2 Kx=ECDH   Au=RSA  Enc=AES(256)    Mac=SHA384 0xC0,0x27 - ECDHE-RSA-AES128-SHA256    TLSv1.2 Kx=ECDH   Au=RSA  Enc=AES(128)    Mac=SHA256
 * 1) add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to protect older Versions of OpenSSL
 * 2) use openssl ciphers -v "..." for openssl < 1.0.1:

CAUTION: You need a newer version of OpenSSL to use this cipher string!

=Related Articles=


 * "Transport Layer Protection Cheat Sheet" - Transport Layer Protection Cheat Sheet

= Authors and Primary Editors =