| MYSQL | IANA | ('NIST', 'Requirement') | ('NIST', 'Preferred #1') | ('NIST', 'Preferred #2') 1 | ('NIST', 'Preferred #3') 2 | ('NIST', 'Condition') 3 | ('BSI', 'Requirement') 4 | ('BSI', 'Preferred #1') | ('BSI', 'Preferred #2') 5 | ('BSI', 'Federal req.') 6 | ('BSI', 'Condition [3]') 7 | ('ANSSI', '') 8 | ('MOZILLA (+AgID)', 'Modern') 9 | ('MOZILLA (+AgID)', 'Intermediate') 10 | ('MOZILLA (+AgID)', 'Old') 11 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 0xC0,0x2B | optional | ✓ | ✓ | ✓ | recommended | ✓ | must | THIS or CIPHER TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | recommended | <Not mentioned> | recommended | recommended | ||
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 0xC0,0x2C | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | recommended | <Not mentioned> | recommended | recommended | |||
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 0xCC,0xA9 | must not | <Not mentioned> | recommended | <Not mentioned> | recommended | recommended | ||||||||
| TLS_ECDHE_ECDSA_WITH_AES_128_CCM | 0xC0,0xAC | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||
| TLS_ECDHE_ECDSA_WITH_AES_256_CCM | 0xC0,0xAD | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||
| TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 | 0xC0,0xAE | optional | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 | 0xC0,0xAF | optional | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 0xC0,0x23 | optional | ✓ | recommended | ✓ | must | THIS or CIPHER TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | not recommended | <Not mentioned> | <Not mentioned> | recommended | ||||
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 0xC0,0x24 | optional | ✓ | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | recommended | |||||
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 0xC0,0x09 | optional | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | recommended | |||||||
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 0xC0,0x0A | optional | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | recommended | |||||||
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 0xC0,0x2F | optional | ✓ | ✓ | ✓ | recommended | ✓ | must | THIS or CIPHER TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | recommended | <Not mentioned> | recommended | recommended | ||
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 0xC0,0x30 | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | recommended | <Not mentioned> | recommended | recommended | |||
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 0xCC,0xA8 | must not | <Not mentioned> | recommended | <Not mentioned> | recommended | recommended | ||||||||
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 0xCC,0xAA | must not | <Not mentioned> | not recommended | <Not mentioned> | recommended | recommended | ||||||||
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 0x00,0x9E | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | not recommended | <Not mentioned> | recommended | recommended | |||
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 0x00,0x9F | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | not recommended | <Not mentioned> | recommended | recommended | |||
| TLS_DHE_RSA_WITH_AES_128_CCM | 0xC0,0x9E | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||
| TLS_DHE_RSA_WITH_AES_256_CCM | 0xC0,0x9F | optional | ✓ | ✓ | recommended | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||
| TLS_DHE_RSA_WITH_AES_128_CCM_8 | 0xC0,0xA2 | optional | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_DHE_RSA_WITH_AES_256_CCM_8 | 0xC0,0xA3 | optional | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 0xC0,0x27 | optional | ✓ | recommended | ✓ | must | THIS or CIPHER TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | not recommended | <Not mentioned> | <Not mentioned> | recommended | ||||
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 0xC0,0x28 | optional | ✓ | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | recommended | |||||
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 0x00,0x67 | optional | ✓ | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | recommended | |||||
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 0x00,0x6B | optional | ✓ | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | recommended | |||||
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 0xC0,0x13 | optional | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | recommended | |||||||
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 0xC0,0x14 | optional | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | recommended | |||||||
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 0x00,0x33 | optional | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 0x00,0x39 | optional | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | 0x00,0xA2 | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||
| TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | 0x00,0xA3 | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | 0x00,0x40 | optional | ✓ | recommended | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | 0x00,0x6A | optional | ✓ | recommended | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | 0x00,0x32 | optional | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | 0x00,0x38 | optional | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_DH_DSS_WITH_AES_128_GCM_SHA256 | 0x00,0xA4 | optional | ✓ | ✓ | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_DH_DSS_WITH_AES_256_GCM_SHA384 | 0x00,0xA5 | optional | ✓ | ✓ | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_DH_DSS_WITH_AES_128_CBC_SHA256 | 0x00,0x3E | optional | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_DH_DSS_WITH_AES_256_CBC_SHA256 | 0x00,0x68 | optional | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_DH_DSS_WITH_AES_128_CBC_SHA | 0x00,0x30 | optional | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DH_DSS_WITH_AES_256_CBC_SHA | 0x00,0x36 | optional | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DH_RSA_WITH_AES_128_GCM_SHA256 | 0x00,0xA0 | optional | ✓ | ✓ | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_DH_RSA_WITH_AES_256_GCM_SHA384 | 0x00,0xA1 | optional | ✓ | ✓ | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_DH_RSA_WITH_AES_128_CBC_SHA256 | 0x00,0x3F | optional | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_DH_RSA_WITH_AES_256_CBC_SHA256 | 0x00,0x69 | optional | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_DH_RSA_WITH_AES_128_CBC_SHA | 0x00,0x31 | optional | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DH_RSA_WITH_AES_256_CBC_SHA | 0x00,0x37 | optional | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | 0xC0,0x2D | optional | ✓ | ✓ | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | 0xC0,0x2E | optional | ✓ | ✓ | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | 0xC0,0x25 | optional | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | 0xC0,0x26 | optional | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | 0xC0,0x04 | optional | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | 0xC0,0x05 | optional | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | 0xC0,0x31 | optional | ✓ | ✓ | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | 0xC0,0x32 | optional | ✓ | ✓ | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | 0xC0,0x29 | optional | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | 0xC0,0x2A | optional | recommended | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | 0xC0,0x0E | optional | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | 0xC0,0x0F | optional | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_AES_128_GCM_SHA256 12 | 0x13,0x01 | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | ✓ 13 | recommended 14 | recommended | recommended | recommended | ||
| TLS_AES_256_GCM_SHA384 | 0x13,0x02 | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | ✓ | recommended | recommended | recommended | recommended | ||
| TLS_CHACHA20_POLY1305_SHA256 | 0x13,0x03 | must not | <Not mentioned> | recommended | recommended | recommended | recommended | ||||||||
| TLS_AES_128_CCM_SHA256 | 0x13,0x04 | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | ✓ | recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||
| TLS_AES_128_CCM_8_SHA256 15 | 0x13,0x05 | optional | ✓ | ✓ | ✓ | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 | 0xC0,0x37 | optional | ✓ | recommended | ✓ | must | NOTE_DISABLED only required if PSK is used | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||
| TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 | 0xC0,0x38 | optional | ✓ | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 | 0xD0,0x01 | must not | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 | 0xD0,0x02 | must not | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 | 0xD0,0x05 | must not | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 | 0x00,0xB2 | optional | ✓ | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 | 0x00,0xB3 | optional | ✓ | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 | 0x00,0xAA | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||
| TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 | 0x00,0xAB | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||
| TLS_DHE_PSK_WITH_AES_128_CCM | 0xC0,0xA6 | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||
| TLS_DHE_PSK_WITH_AES_256_CCM | 0xC0,0xA7 | optional | ✓ | ✓ | ✓ | recommended | ✓ | ✓ | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||
| TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 | 0x00,0xB6 | must not | recommended | ✓ | must | NOTE_DISABLED only required if PSK is used | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||
| TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 | 0x00,0xB7 | must not | recommended | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 | 0x00,0xAC | must not | recommended | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 | 0x00,0xAD | must not | recommended | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_PSK_DHE_WITH_AES_128_CCM_8 | 0xC0, 0xAA | optional | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_PSK_DHE_WITH_AES_256_CCM_8 | 0xC0, 0xAB | optional | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_PSK_WITH_AES_128_GCM_SHA256 | 0x00, 0xA8 | optional | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_PSK_WITH_AES_256_GCM_SHA384 | 0x00, 0xA9 | optional | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_PSK_WITH_AES_128_CCM | 0xC0, 0xA4 | optional | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_PSK_WITH_AES_256_CCM | 0xC0, 0xA5 | optional | ✓ | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||
| TLS_PSK_WITH_AES_128_CCM_8 | 0xC0, 0xA8 | optional | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_PSK_WITH_AES_256_CCM_8 | 0xC0, 0xA9 | optional | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_PSK_WITH_AES_128_CBC_SHA256 | 0x00, 0xAE | optional | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_PSK_WITH_AES_256_CBC_SHA384 | 0x00, 0xAF | optional | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA | 0xC0, 0x35 | optional | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA | 0xC0, 0x36 | optional | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA | 0x00, 0x90 | optional | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA | 0x00, 0x91 | optional | ✓ | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | |||||||
| TLS_PSK_WITH_AES_128_CBC_SHA | 0x00, 0x8C | optional | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_PSK_WITH_AES_256_CBC_SHA | 0x00, 0x8D | optional | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_RSA_WITH_AES_128_CCM | xC0, x9C | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_RSA_WITH_AES_256_CCM | xC0, x9D | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_RSA_WITH_AES_128_CCM_8 | xC0, xA0 | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_RSA_WITH_AES_256_CCM_8 | xC0, xA1 | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_RSA_WITH_AES_128_GCM_SHA256 | x00, x9C | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | recommended | ||||||||
| TLS_RSA_WITH_AES_256_GCM_SHA384 | x00, x9D | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | recommended | ||||||||
| TLS_RSA_WITH_AES_128_CBC_SHA256 | x00, 3C | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | recommended | ||||||||
| TLS_RSA_WITH_AES_256_CBC_SHA256 | x00, 3D | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | recommended | ||||||||
| TLS_RSA_WITH_AES_128_CBC_SHA | x00, x2F | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | recommended | ||||||||
| TLS_RSA_WITH_AES_256_CBC_SHA | x00, x35 | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | recommended | ||||||||
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | 0x00, 0x0A | must not | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | recommended | ||||||||
| TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 | 0xC0,0x72 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 | 0xC0,0x73 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 | 0xC0,0x76 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 | 0xC0,0x77 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 | 0xC0,0x7C | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 | 0xC0,0x7D | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 | 0xC0,0x86 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 | 0xC0,0x87 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 | 0xC0,0x8A | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 | 0xC0,0x8B | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 | 0xC0,0x5D | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 | 0xC0,0x5C | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 | 0xC0,0x61 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 | 0xC0,0x60 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 | 0xC0,0x53 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 | 0xC0,0x52 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 | 0xC0,0x49 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 | 0xC0,0x48 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 | 0xC0,0x4D | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 | 0xC0,0x4C | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 | 0xC0,0x45 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 | 0xC0,0x44 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 | 0x00, 0xBE | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 | 0x00, 0xC4 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | 0xCCAD | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 | 0xC091 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 | 0xC090 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 | 0xC09B | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 | 0xC09A | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 | 0xC097 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 | 0xC096 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 | 0xC06D | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 | 0xC06C | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 | 0xC071 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 | 0xC070 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 | 0xC067 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 | 0xC066 | must not | <Not mentioned> | not recommended | <Not mentioned> | <Not mentioned> | <Not mentioned> | ||||||||
| TLS_FALLBACK_SCSV | 0x56,0x00 | must | ✓ | ✓ 16 | ✓ | TLS <= 1.2 AND ! TLS 1.3 AND VERIFY_SCSV | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> | <Not mentioned> |
Footnotes
-
"All cipher suites not explicitly mentioned MUST NOT be used"
800-52r2, Section 3.3.1 ↩
-
Prefer ephemeral keys over static keys
prefer DHE over DH prefer ECDHE over ECDH ↩
-
Prefer GCM or CCM modes over CBC mode ↩
-
Prefer CCM over CCM_8 ↩
-
TR 02102-2 section 3.3.1 ↩
-
Recommended cipher suites for TLS 1.2 with Perfect Forward Secrecy (Table 1)
Perfect Forward Secrecy is generally recommended (footnote 2, page 8) ↩
-
Recommended cipher suites for TLS 1.2 without Perfect Forward Secrecy (Table 2) ↩
-
must support at least one of ↩
-
the [3] is needed to specify which column the conditions should be applied to ↩
-
Les recommandations de la présente section dressent une liste blanche des algorithmes et paramètres cryptographiques souhaitables : tout ce qui n’est pas recommandé est implicitement déconseillé. En particulier, l’usage de la fonction de chiffrement de flux RC4 et des fonctions de hachage MD5 et SHA-1 est à proscrire. ↩
-
Being a list of recommendations:
not mentioned --> not recommended ↩
-
Start of TLS 1.3 cipher suites ↩
-
Section 3.4.4 TR-02102-2 ↩
-
Section 2.3.2 TR-03116-4 ↩
-
End of TLS 1.3 cipher suites ↩
-
if the server supports versions of TLS prior to TLS 1.2 and does not support TLS 1.3. 3.4.2.1 Fallback Signaling Cipher Suite Value (SCSV) ↩