Internet-Draft | Deprecating RSA and FFDH(E) | February 2022 |
Bartle & Aviram | Expires 29 August 2022 | [Page] |
This document makes several prescriptions regarding the following key exchange methods in TLS, most of which have been superseded by better options:¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 29 August 2022.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
TLS supports a variety of key exchange algorithms, including RSA, Diffie Hellman over a finite field, and elliptic curve Diffie Hellman (ECDH).¶
Diffie Hellman key exchange, over any group, comes in ephemeral and non-ephemeral varieties. Non-ephemeral DH algorithms use static DH public keys included in the authenticating peer's certificate; see [RFC4492] for discussion. In contrast, ephemeral DH algorithms use ephemeral DH public keys sent in the handshake and authenticated by the peer's certificate. Ephemeral and non-ephemeral finite field DH algorithms are called DHE and DH (or FFDHE and FFDH), respectively, and ephemeral and non-ephemeral elliptic curve DH algorithms are called ECDHE and ECDH, respectively [RFC4492].¶
In general, non-ephemeral cipher suites are not recommended due to their lack of forward secrecy. However, as demonstrated by the [Raccoon] attack on finite-field DH, public key reuse, either via non-ephemeral cipher suites or reused keys with ephemeral cipher suites, can lead to timing side channels that may leak connection secrets. For elliptic curve DH, invalid curve attacks similarly exploit secret reuse in order to break security [ICA], further demonstrating the risk of reusing public keys. While both side channels can be avoided in implementations, experience shows that in practice, implementations may fail to thwart such attacks due to the complexity and number of the required mitigations.¶
Additionally, RSA key exchange suffers from security problems that are independent of implementation choices as well as problems that stem purely from the difficulty of implementing security countermeasures correctly.¶
At a rough glance, the problems affecting FFDHE are as follows:¶
The problems affecting RSA key exchange are as follows:¶
Given these problems, this document updates [RFC4346], [RFC5246], [RFC4162], [RFC6347], [RFC5932], [RFC5288], [RFC6209], [RFC6367], [RFC8422], [RFC5289], and [RFC5469] to deprecate cipher suites with key reuse.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Clients MUST NOT offer non-ephemeral FFDH cipher suites in TLS 1.2 connections. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996] and TLS 1.3 does not support FFDH [RFC8446].) This includes all cipher suites listed in the table in Appendix A.¶
Clients SHOULD NOT offer non-ephemeral ECDH cipher suites in TLS 1.2 connections. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996] and TLS 1.3 does not support ECDH [RFC8446].) This includes all cipher suites listed in the table in Appendix B.¶
Clients and servers MAY offer fully ephemeral FFDHE cipher suites in TLS 1.2 connections under the following conditions:¶
(Note that TLS 1.0 and 1.1 are deprecated by [RFC8996]. TLS 1.3 satisfies the second point above [RFC8446] and is not vulnerable to the [Raccoon] Attack.)¶
We note that, previously, supporting the broadest range of clients would have required supporting either RSA key exchange or 1024-bit FFDHE. This is no longer the case, and it is possible to support most clients released since circa 2015 using 2048-bit FFDHE or more modern key exchange methods, and without RSA key exchange [server_side_tls].¶
All the cipher suites that do not meet the above requirements are listed in the table in Appendix C.¶
Clients and servers MUST NOT offer RSA cipher suites in TLS 1.2 connections. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996], and TLS 1.3 does not support static RSA [RFC8446].) This includes all cipher suites listed in the table in Appendix D. Note that these cipher suites are already marked as not recommended in the "TLS Cipher Suites" registry.¶
This document makes no requests to IANA. Note that all cipher suites listed in Section 4 and in Section 2 are already marked as not recommended in the "TLS Cipher Suites" registry.¶
Non-ephemeral finite field DH cipher suites (TLS_DH_*), as well as ephemeral key reuse for finite field DH cipher suites, are prohibited due to the [Raccoon] attack. Both are already considered bad practice since they do not provide forward secrecy. However, Raccoon revealed that timing side channels in processing TLS premaster secrets may be exploited to reveal the encrypted premaster secret.¶
As for non-ephemeral elliptic curve DH cipher suites, forgoing forward secrecy not only allows retroactive decryption in the event of key compromise but may also enable a broad category of attacks where the attacker exploits key reuse to repeatedly query a cryptographic secret.¶
This category includes, but is not necessarily limited to, the following examples:¶
Such attacks are often implementation-dependent, including the above examples. However, these examples demonstrate that building a system that reuses keys and avoids this category of attacks is difficult in practice. In contrast, avoiding key reuse not only prevents decryption in the event of key compromise, but also precludes this category of attacks altogether. Therefore, this document discourages the reuse of elliptic curve DH public keys.¶
This document was inspired by discussions on the TLS WG mailing list and a suggestion by Filippo Valsorda following the release of the [Raccoon] attack. Thanks to Christopher A. Wood for writing up the initial draft of this document.¶
Ciphersuite | Reference |
---|---|
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA | [RFC4346] |
TLS_DH_DSS_WITH_DES_CBC_SHA | [RFC5469] |
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA | [RFC5246] |
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA | [RFC4346] |
TLS_DH_RSA_WITH_DES_CBC_SHA | [RFC5469] |
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA | [RFC5246] |
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 | [RFC4346][RFC6347] |
TLS_DH_anon_WITH_RC4_128_MD5 | [RFC5246][RFC6347] |
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA | [RFC4346] |
TLS_DH_anon_WITH_DES_CBC_SHA | [RFC5469] |
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA | [RFC5246] |
TLS_DH_DSS_WITH_AES_128_CBC_SHA | [RFC5246] |
TLS_DH_RSA_WITH_AES_128_CBC_SHA | [RFC5246] |
TLS_DH_anon_WITH_AES_128_CBC_SHA | [RFC5246] |
TLS_DH_DSS_WITH_AES_256_CBC_SHA | [RFC5246] |
TLS_DH_RSA_WITH_AES_256_CBC_SHA | [RFC5246] |
TLS_DH_anon_WITH_AES_256_CBC_SHA | [RFC5246] |
TLS_DH_DSS_WITH_AES_128_CBC_SHA256 | [RFC5246] |
TLS_DH_RSA_WITH_AES_128_CBC_SHA256 | [RFC5246] |
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA | [RFC5932] |
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA | [RFC5932] |
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA | [RFC5932] |
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 | [RFC5246] |
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 | [RFC5246] |
TLS_DH_anon_WITH_AES_128_CBC_SHA256 | [RFC5246] |
TLS_DH_anon_WITH_AES_256_CBC_SHA256 | [RFC5246] |
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA | [RFC5932] |
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA | [RFC5932] |
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA | [RFC5932] |
TLS_DH_DSS_WITH_SEED_CBC_SHA | [RFC4162] |
TLS_DH_RSA_WITH_SEED_CBC_SHA | [RFC4162] |
TLS_DH_anon_WITH_SEED_CBC_SHA | [RFC4162] |
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 | [RFC5288] |
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 | [RFC5288] |
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 | [RFC5288] |
TLS_DH_DSS_WITH_AES_256_GCM_SHA384 | [RFC5288] |
TLS_DH_anon_WITH_AES_128_GCM_SHA256 | [RFC5288] |
TLS_DH_anon_WITH_AES_256_GCM_SHA384 | [RFC5288] |
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 | [RFC5932] |
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 | [RFC5932] |
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 | [RFC5932] |
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 | [RFC5932] |
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 | [RFC5932] |
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 | [RFC5932] |
TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 | [RFC6209] |
TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 | [RFC6209] |
TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 | [RFC6209] |
TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 | [RFC6209] |
TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 | [RFC6209] |
TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 | [RFC6209] |
TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 | [RFC6209] |
TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 | [RFC6209] |
TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 | [RFC6209] |
TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 | [RFC6209] |
TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 | [RFC6209] |
TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 | [RFC6209] |
TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] |
TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] |
TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] |
TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] |
TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] |
TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] |
Ciphersuite | Reference |
---|---|
TLS_ECDH_ECDSA_WITH_NULL_SHA | [RFC8422] |
TLS_ECDH_ECDSA_WITH_RC4_128_SHA | [RFC8422][RFC6347] |
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | [RFC8422] |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | [RFC8422] |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | [RFC8422] |
TLS_ECDH_RSA_WITH_NULL_SHA | [RFC8422] |
TLS_ECDH_RSA_WITH_RC4_128_SHA | [RFC8422][RFC6347] |
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | [RFC8422] |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | [RFC8422] |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | [RFC8422] |
TLS_ECDH_anon_WITH_NULL_SHA | [RFC8422] |
TLS_ECDH_anon_WITH_RC4_128_SHA | [RFC8422][RFC6347] |
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | [RFC8422] |
TLS_ECDH_anon_WITH_AES_128_CBC_SHA | [RFC8422] |
TLS_ECDH_anon_WITH_AES_256_CBC_SHA | [RFC8422] |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | [RFC5289] |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | [RFC5289] |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | [RFC5289] |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | [RFC5289] |
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | [RFC5289] |
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | [RFC5289] |
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | [RFC5289] |
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | [RFC5289] |
TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 | [RFC6209] |
TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 | [RFC6209] |
TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 | [RFC6209] |
TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 | [RFC6209] |
TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 | [RFC6209] |
TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 | [RFC6209] |
TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 | [RFC6209] |
TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 | [RFC6209] |
TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 | [RFC6367] |
TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 | [RFC6367] |
TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 | [RFC6367] |
TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 | [RFC6367] |
TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] |
TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] |
TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] |
TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] |
Ciphersuite | Reference |
---|---|
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | [RFC4346] |
TLS_DHE_DSS_WITH_DES_CBC_SHA | [RFC5469][SC-tls-des-idea-ciphers-to-historic] |
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | [RFC5246] |
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | [RFC4346] |
TLS_DHE_RSA_WITH_DES_CBC_SHA | [RFC5469][SC-tls-des-idea-ciphers-to-historic] |
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | [RFC5246] |
TLS_DHE_PSK_WITH_NULL_SHA | [RFC4785] |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | [RFC5246] |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | [RFC5246] |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | [RFC5246] |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | [RFC5246] |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | [RFC5246] |
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA | [RFC5932] |
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA | [RFC5932] |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | [RFC5246] |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | [RFC5246] |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | [RFC5246] |
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA | [RFC5932] |
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA | [RFC5932] |
TLS_DHE_PSK_WITH_RC4_128_SHA | [RFC4279][RFC6347] |
TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA | [RFC4279] |
TLS_DHE_PSK_WITH_AES_128_CBC_SHA | [RFC4279] |
TLS_DHE_PSK_WITH_AES_256_CBC_SHA | [RFC4279] |
TLS_DHE_DSS_WITH_SEED_CBC_SHA | [RFC4162] |
TLS_DHE_RSA_WITH_SEED_CBC_SHA | [RFC4162] |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | [RFC5288] |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | [RFC5288] |
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | [RFC5288] |
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | [RFC5288] |
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 | [RFC5487] |
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 | [RFC5487] |
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 | [RFC5487] |
TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 | [RFC5487] |
TLS_DHE_PSK_WITH_NULL_SHA256 | [RFC5487] |
TLS_DHE_PSK_WITH_NULL_SHA384 | [RFC5487] |
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 | [RFC5932] |
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 | [RFC5932] |
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 | [RFC5932] |
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 | [RFC5932] |
TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 | [RFC6209] |
TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 | [RFC6209] |
TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 | [RFC6209] |
TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 | [RFC6209] |
TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 | [RFC6209] |
TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 | [RFC6209] |
TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 | [RFC6209] |
TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 | [RFC6209] |
TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 | [RFC6209] |
TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 | [RFC6209] |
TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 | [RFC6209] |
TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 | [RFC6209] |
TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] |
TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] |
TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] |
TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] |
TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] |
TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] |
TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 | [RFC6367] |
TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 | [RFC6367] |
TLS_DHE_RSA_WITH_AES_128_CCM | [RFC6655] |
TLS_DHE_RSA_WITH_AES_256_CCM | [RFC6655] |
TLS_DHE_RSA_WITH_AES_128_CCM_8 | [RFC6655] |
TLS_DHE_RSA_WITH_AES_256_CCM_8 | [RFC6655] |
TLS_DHE_PSK_WITH_AES_128_CCM | [RFC6655] |
TLS_DHE_PSK_WITH_AES_256_CCM | [RFC6655] |
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | [RFC7905] |
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | [RFC7905] |
Ciphersuite | Reference |
---|---|
TLS_RSA_WITH_NULL_MD5 | [RFC5246] |
TLS_RSA_WITH_NULL_SHA | [RFC5246] |
TLS_RSA_EXPORT_WITH_RC4_40_MD5 | [RFC4346][RFC6347] |
TLS_RSA_WITH_RC4_128_MD5 | [RFC5246][RFC6347] |
TLS_RSA_WITH_RC4_128_SHA | [RFC5246][RFC6347] |
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | [RFC4346] |
TLS_RSA_WITH_IDEA_CBC_SHA | [RFC5469][SC-tls-des-idea-ciphers-to-historic] |
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | [RFC4346] |
TLS_RSA_WITH_DES_CBC_SHA | [RFC5469][SC-tls-des-idea-ciphers-to-historic] |
TLS_RSA_WITH_3DES_EDE_CBC_SHA | [RFC5246] |
TLS_RSA_PSK_WITH_NULL_SHA | [RFC4785] |
TLS_RSA_WITH_AES_128_CBC_SHA | [RFC5246] |
TLS_RSA_WITH_AES_256_CBC_SHA | [RFC5246] |
TLS_RSA_WITH_NULL_SHA256 | [RFC5246] |
TLS_RSA_WITH_AES_128_CBC_SHA256 | [RFC5246] |
TLS_RSA_WITH_AES_256_CBC_SHA256 | [RFC5246] |
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | [RFC5932] |
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | [RFC5932] |
TLS_RSA_PSK_WITH_RC4_128_SHA | [RFC4279][RFC6347] |
TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA | [RFC4279] |
TLS_RSA_PSK_WITH_AES_128_CBC_SHA | [RFC4279] |
TLS_RSA_PSK_WITH_AES_256_CBC_SHA | [RFC4279] |
TLS_RSA_WITH_SEED_CBC_SHA | [RFC4162] |
TLS_RSA_WITH_AES_128_GCM_SHA256 | [RFC5288] |
TLS_RSA_WITH_AES_256_GCM_SHA384 | [RFC5288] |
TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 | [RFC5487] |
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 | [RFC5487] |
TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 | [RFC5487] |
TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 | [RFC5487] |
TLS_RSA_PSK_WITH_NULL_SHA256 | [RFC5487] |
TLS_RSA_PSK_WITH_NULL_SHA384 | [RFC5487] |
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 | [RFC5932] |
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 | [RFC5932] |
TLS_RSA_WITH_ARIA_128_CBC_SHA256 | [RFC6209] |
TLS_RSA_WITH_ARIA_256_CBC_SHA384 | [RFC6209] |
TLS_RSA_WITH_ARIA_128_GCM_SHA256 | [RFC6209] |
TLS_RSA_WITH_ARIA_256_GCM_SHA384 | [RFC6209] |
TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 | [RFC6209] |
TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 | [RFC6209] |
TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 | [RFC6209] |
TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 | [RFC6209] |
TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] |
TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] |
TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] |
TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] |
TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 | [RFC6367] |
TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 | [RFC6367] |
TLS_RSA_WITH_AES_128_CCM | [RFC6655] |
TLS_RSA_WITH_AES_256_CCM | [RFC6655] |
TLS_RSA_WITH_AES_128_CCM_8 | [RFC6655] |
TLS_RSA_WITH_AES_256_CCM_8 | [RFC6655] |
TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 | [RFC7905] |