Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 7.2.3 Handbook
    7.2.3
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    SSL/TLS versions and cipher suites

    SSL/TLS versions and cipher suites

    An SSL cipher is an algorithm that performs encryption and decryption. It transforms plain text into a coded set of data (cipher text) that is not reversible without a key. During the SSL handshake phase of the connection, the client sends a list of the ciphers it supports. FortiADC examines the client cipher list in the order it is specified, chooses the first cipher that matches a cipher specified in the virtual server configuration, and responds to the client. If none of the ciphers offered by the client are in the cipher suite list for the virtual server, the SSL handshake fails.

    To see the list of ciphers supported by the browser you are using, go to a link maintained by the Leibniz University of Hannover Distributed Computing & Security (DCSec) Research Group:

    https://cc.dcsec.uni-hannover.de/

    FortiADC SLB profiles support a specific list of RSA ciphers, PFS ciphers, ECDHE ciphers, ECDSA ciphers, Camellia ciphers, and eNull ciphers.

    Cipher suites with RSA key exchange lists supported RSA ciphers.

    Cipher suites with RSA key exchange
    Abbreviation Cipher Suite Protocol Kx Au Enc MAC
    AES256-GCM-SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2 RSA RSA AESGCM(256) AEAD
    *AES256-SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2 RSA RSA AES(256) SHA
    *AES256-SHA TLS_RSA_WITH_AES_256_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 RSA RSA AES(256) SHA
    AES128-GCM-SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2 RSA RSA AESGCM(128) AEAD
    *AES128-SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2 RSA RSA AES(128) SHA
    *AES128-SHA TLS_RSA_WITH_AES_128_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 RSA RSA AES(128) SHA
    RC4-SHA SSL_RSA_WITH_RC4_128_SHA SSL 3.0 RSA RSA RC4 SHA
    TLS_RSA_WITH_RC4_128_SHA TLS 1.2, 1.1, 1.0 RSA RSA RC4 SHA
    RC4-MD5 SSL_RSA_WITH_RC4_128_MD5 SSL 3.0 RSA RSA RC4 MD5
    TLS_RSA_WITH_RC4_128_MD5 TLS 1.2, 1.1, 1.0 RSA RSA RC4 MD5
    DES-CBC3-SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0 RSA RSA DES-CBC3 SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.2, 1.1, 1.0 RSA RSA DES-CBC3 SHA

    *These ciphers are fully supported by hardware SSL (in 400F, 1200F, 2200F, 4200F and 5000F).

    With RSA ciphers, the server's public RSA key is part of the server certificate and is typically very long lived. It is not uncommon for the same public key to be used for months or years. This creates a potential problem: if an SSL server's private key were to be leaked or stolen, all connections made in the past using that key would be vulnerable. If someone has recorded your SSL connections, they can use the stolen private key to decrypt them.

    Cipher suites with DHE/EDH key exchange lists supported Perfect Forward Secrecy (PFS) ciphers with DHE/EDH key exchange. With PFS, a fresh public key is created for every single connection.That means that an adversary would need to break the key for each connection individually to read the communication.

    Cipher suites with DHE/EDH key exchange
    Abbreviation Cipher Suite Protocol Kx Au Enc MAC
    DHE-RSA-AES256-GCM-SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2 DH RSA AES256 SHA384
    *DHE-RSA-AES256-SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2 DH RSA AES256 SHA256
    *DHE-RSA-AES256-SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 DH RSA AES256 SHA256
    DHE-RSA-AES128-GCM-SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2 DH RSA AES128 SHA256
    *DHE-RSA-AES128-SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2 DH RSA AES128 SHA256
    *DHE-RSA-AES128-SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 DH RSA AES128 SHA
    EDH-RSA-DES-CBC3-SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 DH RSA 3DES SHA

    *These ciphers are fully supported by hardware SSL (in 400F, 1200F, 2200F, 4200F and 5000F).

    Cipher suites with EDCHE key exchange lists supported PFS ciphers with Elliptic curve Diffie–Hellman Ephemeral key (ECDHE) key exchange. ECDHE is significantly faster than DHE. The supported suites include both the Elliptic Curve Digital Signature Algorithm (ECDSA) and RSA key authentication (Au) algorithms.

    Cipher suites with EDCHE key exchange
    Abbreviation Cipher Suite Protocol Kx Au Enc MAC
    ECDHE-ECDSA-AES256-GCM-SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS 1.2 ECDH ECDSA AESGCM256 AEAD
    ECDHE-ECDSA-AES256-SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLSv1.2 ECDH ECDSA AES256 SHA384
    *ECDHE-ECDSA-AES256-SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 ECDH ECDSA AES256 SHA
    ECDHE-ECDSA-AES128-GCM-SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLSv1.2 ECDH ECDSA AESGCM128 AEAD
    *ECDHE-ECDSA-AES128-SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLSv1.2 ECDH ECDSA AES128 SHA256
    *ECDHE-ECDSA-AES128-SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 ECDH ECDSA AES128 SHA
    ECDHE-ECDSA-RC4-SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 ECDH ECDSA RC4 SHA
    ECDHE-ECDSA-DES-CBC3-SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 ECDH ECDSA 3DES SHA
    ECDHE-RSA-AES256-GCM-SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2 ECDH RSA AESGCM256 AEAD
    ECDHE-RSA-AES256-SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2 ECDH RSA AES256 SHA384
    *ECDHE-RSA-AES256-SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.2 ECDH RSA AES256 SHA
    ECDHE-RSA-AES128-GCM-SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2 ECDH RSA AESGCM128 AEAD
    *ECDHE-RSA-AES128-SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2 ECDH RSA AES128 SHA256
    *ECDHE-RSA-AES128-SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0 ECDH RSA AES128 SHA
    ECDHE-RSA-RC4-SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA SSL 3.0 ECDH RSA RC4 SHA
    ECDHE-RSA-DES-CBC3-SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0 ECDH RSA 3DES SHA

    *These ciphers are fully supported by hardware SSL (in 400F, 1200F, 2200F, 4200F and 5000F).
    Note

    Profiles support TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 for TLSv1.3. They will be set automatically when TLSv1.3 is selected in ssl version. You should only use TLSv1.3 for testing, not in a production environment.

    The Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. The Camellia cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. It has security levels and processing abilities comparable to the Advanced Encryption Standard.

    Camellia Cipher suites lists supported Camellia ciphers with ECDHE and DHE key exchange. The supported suites include both the ECDSA and RSA key authentication algorithms.

    Camellia Cipher suites

    Abbreviation Cipher Suite Protocol Kx Au Enc MAC
    ECDHE-ECDSA-CAMELLIA256-SHA384 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 TLS 1.2 ECDH ECDSA CAMELLIA256 SHA384
    ECDHE-RSA-CAMELLIA256-SHA384 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 TLS 1.2 ECDH RSA CAMELLIA256 SHA384
    DHE-RSA-CAMELLIA256-SHA256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLS 1.2 DH RSA CAMELLIA256 SHA256
    ECDHE-ECDSA-CAMELLIA128-SHA256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 TLS 1.2 ECDH ECDSA CAMELLIA128 SHA256
    ECDHE-RSA-CAMELLIA128-SHA256 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLS 1.2 ECDH RSA CAMELLIA128 SHA256
    DHE-RSA-CAMELLIA128-SHA256 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLS 1.2 DH RSA CAMELLIA128 SHA256

    DHE-RSA-CAMELLIA256-SHA

    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

    TLS 1.2, 1.1, 1.0

    DH

    RSA

    CAMELLIA256

    SHA

    In addition, profiles support an eNull cipher option. This option represents all cipher suites that do not apply encryption to the application data (integrity check is still applied). The exact cipher suite used depends on the SSL/TLS version used. As an example, in SSL v3.0, eNULL includes NULL-MD5, NULL-SHA, ECDH-RSA-NULL-SHA, ECDH-ECDSA-NULL-SHA, and some other non-encryption cipher suites.

    Finally, profiles support a user-specified cipher list. You can specify a colon-separated list of OpenSSL cipher suite short names. The names are validated against the form of the cipher suite short names published on the OpenSSL website:

    https://www.openssl.org/docs/manprimary/apps/ciphers.html

    Previous
    Next

    SSL/TLS versions and cipher suites

    SSL/TLS versions and cipher suites

    An SSL cipher is an algorithm that performs encryption and decryption. It transforms plain text into a coded set of data (cipher text) that is not reversible without a key. During the SSL handshake phase of the connection, the client sends a list of the ciphers it supports. FortiADC examines the client cipher list in the order it is specified, chooses the first cipher that matches a cipher specified in the virtual server configuration, and responds to the client. If none of the ciphers offered by the client are in the cipher suite list for the virtual server, the SSL handshake fails.

    To see the list of ciphers supported by the browser you are using, go to a link maintained by the Leibniz University of Hannover Distributed Computing & Security (DCSec) Research Group:

    https://cc.dcsec.uni-hannover.de/

    FortiADC SLB profiles support a specific list of RSA ciphers, PFS ciphers, ECDHE ciphers, ECDSA ciphers, Camellia ciphers, and eNull ciphers.

    Cipher suites with RSA key exchange lists supported RSA ciphers.

    Cipher suites with RSA key exchange
    Abbreviation Cipher Suite Protocol Kx Au Enc MAC
    AES256-GCM-SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2 RSA RSA AESGCM(256) AEAD
    *AES256-SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2 RSA RSA AES(256) SHA
    *AES256-SHA TLS_RSA_WITH_AES_256_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 RSA RSA AES(256) SHA
    AES128-GCM-SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2 RSA RSA AESGCM(128) AEAD
    *AES128-SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2 RSA RSA AES(128) SHA
    *AES128-SHA TLS_RSA_WITH_AES_128_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 RSA RSA AES(128) SHA
    RC4-SHA SSL_RSA_WITH_RC4_128_SHA SSL 3.0 RSA RSA RC4 SHA
    TLS_RSA_WITH_RC4_128_SHA TLS 1.2, 1.1, 1.0 RSA RSA RC4 SHA
    RC4-MD5 SSL_RSA_WITH_RC4_128_MD5 SSL 3.0 RSA RSA RC4 MD5
    TLS_RSA_WITH_RC4_128_MD5 TLS 1.2, 1.1, 1.0 RSA RSA RC4 MD5
    DES-CBC3-SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0 RSA RSA DES-CBC3 SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.2, 1.1, 1.0 RSA RSA DES-CBC3 SHA

    *These ciphers are fully supported by hardware SSL (in 400F, 1200F, 2200F, 4200F and 5000F).

    With RSA ciphers, the server's public RSA key is part of the server certificate and is typically very long lived. It is not uncommon for the same public key to be used for months or years. This creates a potential problem: if an SSL server's private key were to be leaked or stolen, all connections made in the past using that key would be vulnerable. If someone has recorded your SSL connections, they can use the stolen private key to decrypt them.

    Cipher suites with DHE/EDH key exchange lists supported Perfect Forward Secrecy (PFS) ciphers with DHE/EDH key exchange. With PFS, a fresh public key is created for every single connection.That means that an adversary would need to break the key for each connection individually to read the communication.

    Cipher suites with DHE/EDH key exchange
    Abbreviation Cipher Suite Protocol Kx Au Enc MAC
    DHE-RSA-AES256-GCM-SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2 DH RSA AES256 SHA384
    *DHE-RSA-AES256-SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2 DH RSA AES256 SHA256
    *DHE-RSA-AES256-SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 DH RSA AES256 SHA256
    DHE-RSA-AES128-GCM-SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2 DH RSA AES128 SHA256
    *DHE-RSA-AES128-SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2 DH RSA AES128 SHA256
    *DHE-RSA-AES128-SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 DH RSA AES128 SHA
    EDH-RSA-DES-CBC3-SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 DH RSA 3DES SHA

    *These ciphers are fully supported by hardware SSL (in 400F, 1200F, 2200F, 4200F and 5000F).

    Cipher suites with EDCHE key exchange lists supported PFS ciphers with Elliptic curve Diffie–Hellman Ephemeral key (ECDHE) key exchange. ECDHE is significantly faster than DHE. The supported suites include both the Elliptic Curve Digital Signature Algorithm (ECDSA) and RSA key authentication (Au) algorithms.

    Cipher suites with EDCHE key exchange
    Abbreviation Cipher Suite Protocol Kx Au Enc MAC
    ECDHE-ECDSA-AES256-GCM-SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS 1.2 ECDH ECDSA AESGCM256 AEAD
    ECDHE-ECDSA-AES256-SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLSv1.2 ECDH ECDSA AES256 SHA384
    *ECDHE-ECDSA-AES256-SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 ECDH ECDSA AES256 SHA
    ECDHE-ECDSA-AES128-GCM-SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLSv1.2 ECDH ECDSA AESGCM128 AEAD
    *ECDHE-ECDSA-AES128-SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLSv1.2 ECDH ECDSA AES128 SHA256
    *ECDHE-ECDSA-AES128-SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 ECDH ECDSA AES128 SHA
    ECDHE-ECDSA-RC4-SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 ECDH ECDSA RC4 SHA
    ECDHE-ECDSA-DES-CBC3-SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA SSL 3.0
    TLS 1.2, 1.1, 1.0    		 ECDH ECDSA 3DES SHA
    ECDHE-RSA-AES256-GCM-SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2 ECDH RSA AESGCM256 AEAD
    ECDHE-RSA-AES256-SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2 ECDH RSA AES256 SHA384
    *ECDHE-RSA-AES256-SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.2 ECDH RSA AES256 SHA
    ECDHE-RSA-AES128-GCM-SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2 ECDH RSA AESGCM128 AEAD
    *ECDHE-RSA-AES128-SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2 ECDH RSA AES128 SHA256
    *ECDHE-RSA-AES128-SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0 ECDH RSA AES128 SHA
    ECDHE-RSA-RC4-SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA SSL 3.0 ECDH RSA RC4 SHA
    ECDHE-RSA-DES-CBC3-SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0 ECDH RSA 3DES SHA

    *These ciphers are fully supported by hardware SSL (in 400F, 1200F, 2200F, 4200F and 5000F).
    Note

    Profiles support TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 for TLSv1.3. They will be set automatically when TLSv1.3 is selected in ssl version. You should only use TLSv1.3 for testing, not in a production environment.

    The Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. The Camellia cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. It has security levels and processing abilities comparable to the Advanced Encryption Standard.

    Camellia Cipher suites lists supported Camellia ciphers with ECDHE and DHE key exchange. The supported suites include both the ECDSA and RSA key authentication algorithms.

    Camellia Cipher suites

    Abbreviation Cipher Suite Protocol Kx Au Enc MAC
    ECDHE-ECDSA-CAMELLIA256-SHA384 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 TLS 1.2 ECDH ECDSA CAMELLIA256 SHA384
    ECDHE-RSA-CAMELLIA256-SHA384 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 TLS 1.2 ECDH RSA CAMELLIA256 SHA384
    DHE-RSA-CAMELLIA256-SHA256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLS 1.2 DH RSA CAMELLIA256 SHA256
    ECDHE-ECDSA-CAMELLIA128-SHA256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 TLS 1.2 ECDH ECDSA CAMELLIA128 SHA256
    ECDHE-RSA-CAMELLIA128-SHA256 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLS 1.2 ECDH RSA CAMELLIA128 SHA256
    DHE-RSA-CAMELLIA128-SHA256 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLS 1.2 DH RSA CAMELLIA128 SHA256

    DHE-RSA-CAMELLIA256-SHA

    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

    TLS 1.2, 1.1, 1.0

    DH

    RSA

    CAMELLIA256

    SHA

    In addition, profiles support an eNull cipher option. This option represents all cipher suites that do not apply encryption to the application data (integrity check is still applied). The exact cipher suite used depends on the SSL/TLS version used. As an example, in SSL v3.0, eNULL includes NULL-MD5, NULL-SHA, ECDH-RSA-NULL-SHA, ECDH-ECDSA-NULL-SHA, and some other non-encryption cipher suites.

    Finally, profiles support a user-specified cipher list. You can specify a colon-separated list of OpenSSL cipher suite short names. The names are validated against the form of the cipher suite short names published on the OpenSSL website:

    https://www.openssl.org/docs/manprimary/apps/ciphers.html

    Previous
    Next