SSL/TLS versions and cipher suites

An SSL cipher is an algorithm that performs encryption and decryption. It transforms plain text into a coded set of data (cipher text) that is not reversible without a key. During the SSL handshake phase of the connection, the client sends a list of the ciphers it supports. FortiADC examines the client cipher list in the order it is specified, chooses the first cipher that matches a cipher specified in the virtual server configuration, and responds to the client. If none of the ciphers offered by the client are in the cipher suite list for the virtual server, the SSL handshake fails.

To see the list of ciphers supported by the browser you are using, go to a link maintained by the Leibniz University of Hannover Distributed Computing & Security (DCSec) Research Group:

https://cc.dcsec.uni-hannover.de/

FortiADC SLB profiles support a specific list of RSA ciphers, PFS ciphers, ECDHE ciphers, ECDSA ciphers, Camellia ciphers, and eNull ciphers.

The table "Cipher suites with RSA key exchange" lists the supported RSA ciphers.

Cipher suites with RSA key exchange

| Abbreviation | Cipher Suite | Protocol | Kx | Au | Enc | MAC |
|---|---|---|---|---|---|---|
| AES256-GCM-SHA384 | TLS_RSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 | RSA | RSA | AESGCM(256) | AEAD |
| AES256-SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS 1.2 | RSA | RSA | AES(256) | SHA |
| AES256-SHA | TLS_RSA_WITH_AES_256_CBC_SHA | SSL 3.0, TLS 1.2, 1.1, 1.0 | RSA | RSA | AES(256) | SHA |
| AES128-GCM-SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 | RSA | RSA | AESGCM(128) | AEAD |
| AES128-SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 | RSA | RSA | AES(128) | SHA |
| AES128-SHA | TLS_RSA_WITH_AES_128_CBC_SHA | SSL 3.0, TLS 1.2, 1.1, 1.0 | RSA | RSA | AES(128) | SHA |
| RC4-SHA | SSL_RSA_WITH_RC4_128_SHA | SSL 3.0 | RSA | RSA | RC4 | SHA |
| RC4-SHA | TLS_RSA_WITH_RC4_128_SHA | TLS 1.2, 1.1, 1.0 | RSA | RSA | RC4 | SHA |
| RC4-MD5 | SSL_RSA_WITH_RC4_128_MD5 | SSL 3.0 | RSA | RSA | RC4 | MD5 |
| RC4-MD5 | TLS_RSA_WITH_RC4_128_MD5 | TLS 1.2, 1.1, 1.0 | RSA | RSA | RC4 | MD5 |
| DES-CBC3-SHA | SSL_RSA_WITH_3DES_EDE_CBC_SHA | SSL 3.0 | RSA | RSA | DES-CBC3 | SHA |
| DES-CBC3-SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS 1.2, 1.1, 1.0 | RSA | RSA | DES-CBC3 | SHA |

With RSA ciphers, the server's public RSA key is part of the server certificate and is typically very long lived. It is not uncommon for the same public key to be used for months or years. This creates a potential problem: if an SSL server's private key were to be leaked or stolen, all connections made in the past using that key would be vulnerable. If someone has recorded your SSL connections, they can use the stolen private key to decrypt them.

The table "Cipher suites with DHE/EDH key exchange" lists the supported Perfect Forward Secrecy (PFS) ciphers with DHE/EDH key exchange. With PFS, a fresh public key is created for every single connection. That means that an adversary would need to break the key for each connection individually to read the communication.

Cipher suites with DHE/EDH key exchange

| Abbreviation | Cipher Suite | Protocol | Kx | Au | Enc | MAC |
|---|---|---|---|---|---|---|
| DHE-RSA-AES256-GCM-SHA384 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 | DH | RSA | AES256 | SHA384 |
| DHE-RSA-AES256-SHA256 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | TLS 1.2 | DH | RSA | AES256 | SHA256 |
| DHE-RSA-AES256-SHA | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | SSL 3.0, TLS 1.2, 1.1, 1.0 | DH | RSA | AES256 | SHA256 |
| DHE-RSA-AES128-GCM-SHA256 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 | DH | RSA | AES128 | SHA256 |
| DHE-RSA-AES128-SHA256 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 | DH | RSA | AES128 | SHA256 |
| DHE-RSA-AES128-SHA | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | SSL 3.0, TLS 1.2, 1.1, 1.0 | DH | RSA | AES128 | SHA |
| EDH-RSA-DES-CBC3-SHA | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | SSL 3.0, TLS 1.2, 1.1, 1.0 | DH | RSA | 3DES | SHA |

The table "Cipher suites with ECDHE key exchange" lists the supported PFS ciphers with Elliptic Curve Diffie–Hellman Ephemeral (ECDHE) key exchange. ECDHE is significantly faster than DHE. The supported suites include both the Elliptic Curve Digital Signature Algorithm (ECDSA) and RSA key authentication (Au) algorithms.

Cipher suites with ECDHE key exchange

| Abbreviation | Cipher Suite | Protocol | Kx | Au | Enc | MAC |
|---|---|---|---|---|---|---|
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 | ECDH | ECDSA | AESGCM256 | AEAD |
| ECDHE-ECDSA-AES256-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | TLS 1.2 | ECDH | ECDSA | AES256 | SHA384 |
| ECDHE-ECDSA-AES256-SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | SSL 3.0, TLS 1.2, 1.1, 1.0 | ECDH | ECDSA | AES256 | SHA |
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 | ECDH | ECDSA | AESGCM128 | AEAD |
| ECDHE-ECDSA-AES128-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 | ECDH | ECDSA | AES128 | SHA256 |
| ECDHE-ECDSA-AES128-SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | SSL 3.0, TLS 1.2, 1.1, 1.0 | ECDH | ECDSA | AES128 | SHA |
| ECDHE-ECDSA-RC4-SHA | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | SSL 3.0, TLS 1.2, 1.1, 1.0 | ECDH | ECDSA | RC4 | SHA |
| ECDHE-ECDSA-DES-CBC3-SHA | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | SSL 3.0, TLS 1.2, 1.1, 1.0 | ECDH | ECDSA | 3DES | SHA |
| ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 | ECDH | RSA | AESGCM256 | AEAD |
| ECDHE-RSA-AES256-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | TLS 1.2 | ECDH | RSA | AES256 | SHA384 |
| ECDHE-RSA-AES256-SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLS 1.2 | ECDH | RSA | AES256 | SHA |
| ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 | ECDH | RSA | AESGCM128 | AEAD |
| ECDHE-RSA-AES128-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 | ECDH | RSA | AES128 | SHA256 |
| ECDHE-RSA-AES128-SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | SSL 3.0 | ECDH | RSA | AES128 | SHA |
| ECDHE-RSA-RC4-SHA | TLS_ECDHE_RSA_WITH_RC4_128_SHA | SSL 3.0 | ECDH | RSA | RC4 | SHA |
| ECDHE-RSA-DES-CBC3-SHA | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | SSL 3.0 | ECDH | RSA | 3DES | SHA |

Note: Profiles support TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 for TLSv1.3. They will be set automatically when TLSv1.3 is selected in ssl version. You should only use TLSv1.3 for testing, not in a production environment.

Camellia is a symmetric-key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. The Camellia cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. It has security levels and processing abilities comparable to the Advanced Encryption Standard.

The table "Camellia Cipher suites" lists the supported Camellia ciphers with ECDHE and DHE key exchange. The supported suites include both the ECDSA and RSA key authentication algorithms.

Camellia Cipher suites

| Abbreviation | Cipher Suite | Protocol | Kx | Au | Enc | MAC |
|---|---|---|---|---|---|---|
| ECDHE-ECDSA-CAMELLIA256-SHA384 | TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 | TLS 1.2 | ECDH | ECDSA | CAMELLIA256 | SHA384 |
| ECDHE-RSA-CAMELLIA256-SHA384 | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 | TLS 1.2 | ECDH | RSA | CAMELLIA256 | SHA384 |
| DHE-RSA-CAMELLIA256-SHA256 | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 | TLS 1.2 | DH | RSA | CAMELLIA256 | SHA256 |
| ECDHE-ECDSA-CAMELLIA128-SHA256 | TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 | TLS 1.2 | ECDH | ECDSA | CAMELLIA128 | SHA256 |
| ECDHE-RSA-CAMELLIA128-SHA256 | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 | TLS 1.2 | ECDH | RSA | CAMELLIA128 | SHA256 |
| DHE-RSA-CAMELLIA128-SHA256 | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 | TLS 1.2 | DH | RSA | CAMELLIA128 | SHA256 |
| DHE-RSA-CAMELLIA256-SHA | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA | TLS 1.2, 1.1, 1.0 | DH | RSA | CAMELLIA256 | SHA |

In addition, profiles support an eNull cipher option. This option represents all cipher suites that do not apply encryption to the application data (integrity check is still applied). The exact cipher suite used depends on the SSL/TLS version used. As an example, in SSL v3.0, eNULL includes NULL-MD5, NULL-SHA, ECDH-RSA-NULL-SHA, ECDH-ECDSA-NULL-SHA, and some other non-encryption cipher suites.

Finally, profiles support a user-specified cipher list. You can specify a colon-separated list of OpenSSL cipher suite short names. The names are validated against the form of the cipher suite short names published on the OpenSSL website:

https://www.openssl.org/docs/manprimary/apps/ciphers.html
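
The client-order selection rule and the user-specified cipher list described above can be checked together before a list is applied to a profile. The following is an added example, not FortiADC code: it audits a colon-separated list of OpenSSL short names and models which suite a given client offer would select. The weak-fragment policy, the function names, and the sample lists are assumptions constructed for illustration.

```python
# Added example (not FortiADC code): audit a colon-separated cipher list of
# OpenSSL short names and model client-order cipher selection.

# Name fragments flagged as weak; this policy is an assumption of the example.
WEAK = {"RC4": "RC4 stream cipher", "CBC3": "3DES block cipher",
        "MD5": "MD5 MAC", "NULL": "no encryption (eNULL)"}

def key_exchange(name):
    """Infer the key exchange from the short-name prefix used in the tables."""
    prefix = name.upper().split("-")[0]
    if prefix == "ECDHE":
        return "ECDHE"
    if prefix in ("DHE", "EDH"):
        return "DHE"
    if prefix == "ECDH":
        return "static ECDH"
    return "RSA"  # names with no key-exchange prefix, e.g. AES128-SHA

def audit(cipher_list):
    """Map each suite in 'A:B:C' to a list of findings (empty list = clean)."""
    report = {}
    for name in filter(None, (s.strip() for s in cipher_list.split(":"))):
        parts = name.upper().split("-")
        findings = [why for frag, why in WEAK.items() if frag in parts]
        kx = key_exchange(name)
        if kx not in ("ECDHE", "DHE"):
            findings.append(f"no forward secrecy ({kx} key exchange)")
        report[name] = findings
    return report

def harden(cipher_list):
    """Return the list with every flagged suite removed, order preserved."""
    return ":".join(n for n, f in audit(cipher_list).items() if not f)

def negotiate(client_offer, server_list):
    """First suite in the client's order that the server list contains."""
    allowed = set(server_list.split(":"))
    return next((c for c in client_offer if c in allowed), None)

# Constructed sample: a server list and a client that prefers a weak suite.
SERVER = "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:EDH-RSA-DES-CBC3-SHA:RC4-MD5"
CLIENT = ["RC4-MD5", "AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"]

if __name__ == "__main__":
    for suite, findings in audit(SERVER).items():
        print(f"{suite}: {', '.join(findings) or 'ok'}")
    print("negotiated as configured:", negotiate(CLIENT, SERVER))
    print("negotiated after hardening:", negotiate(CLIENT, harden(SERVER)))
```

Because selection follows the client's order, the position of a weak suite in the server list does not protect against it; only removing the suite from the list does.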
