OpenSSL & IANA TLS Cipher Suites

I have been working with OpenVPN, OpenSSL and OpenSSH for the past couple of weeks on my Raspberry Pi running Debian “Wheezy”, which has been fun and frustrating at the same time.

Due to the version of OpenVPN included with “Wheezy” and the version of OpenVPN that I was running on my client, I was having a heck of a time getting the TLS Cipher to match up between Server and Client in configuration.

I found a software patch written by someone on the OpenVPN Dev team, and within it was a nice table showing the OpenSSL Cipher Suite Name and the corresponding IANA Cipher Suite Name. Since I wasted hours trying to figure this out, I hope it will help someone else out and save them time.

TLS OpenSSL Cipher Suite Name | TLS IANA (IETF) Cipher Suite Name
ADH-SEED-SHA TLS-DH-anon-WITH-SEED-CBC-SHA
AES128-GCM-SHA256 TLS-RSA-WITH-AES-128-GCM-SHA256
AES128-SHA256 TLS-RSA-WITH-AES-128-CBC-SHA256
AES128-SHA TLS-RSA-WITH-AES-128-CBC-SHA
AES256-GCM-SHA384 TLS-RSA-WITH-AES-256-GCM-SHA384
AES256-SHA256 TLS-RSA-WITH-AES-256-CBC-SHA256
AES256-SHA TLS-RSA-WITH-AES-256-CBC-SHA
CAMELLIA128-SHA256 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
CAMELLIA128-SHA TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
CAMELLIA256-SHA256 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
CAMELLIA256-SHA TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
DES-CBC3-SHA TLS-RSA-WITH-3DES-EDE-CBC-SHA
DES-CBC-SHA TLS-RSA-WITH-DES-CBC-SHA
DH-DSS-SEED-SHA TLS-DH-DSS-WITH-SEED-CBC-SHA
DHE-DSS-AES128-GCM-SHA256 TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
DHE-DSS-AES128-SHA256 TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
DHE-DSS-AES128-SHA TLS-DHE-DSS-WITH-AES-128-CBC-SHA
DHE-DSS-AES256-GCM-SHA384 TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
DHE-DSS-AES256-SHA256 TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
DHE-DSS-AES256-SHA TLS-DHE-DSS-WITH-AES-256-CBC-SHA
DHE-DSS-CAMELLIA128-SHA256 TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
DHE-DSS-CAMELLIA128-SHA TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
DHE-DSS-CAMELLIA256-SHA256 TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
DHE-DSS-CAMELLIA256-SHA TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
DHE-DSS-DES-CBC3-SHA TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
DHE-DSS-DES-CBC-SHA TLS-DHE-DSS-WITH-DES-CBC-SHA
DHE-DSS-SEED-SHA TLS-DHE-DSS-WITH-SEED-CBC-SHA
DHE-RSA-AES128-GCM-SHA256 TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
DHE-RSA-AES128-SHA256 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
DHE-RSA-AES128-SHA TLS-DHE-RSA-WITH-AES-128-CBC-SHA
DHE-RSA-AES256-GCM-SHA384 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
DHE-RSA-AES256-SHA256 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
DHE-RSA-AES256-SHA TLS-DHE-RSA-WITH-AES-256-CBC-SHA
DHE-RSA-CAMELLIA128-SHA256 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
DHE-RSA-CAMELLIA128-SHA TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
DHE-RSA-CAMELLIA256-SHA256 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
DHE-RSA-CAMELLIA256-SHA TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
DHE-RSA-DES-CBC3-SHA TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
DHE-RSA-DES-CBC-SHA TLS-DHE-RSA-WITH-DES-CBC-SHA
DHE-RSA-SEED-SHA TLS-DHE-RSA-WITH-SEED-CBC-SHA
DH-RSA-SEED-SHA TLS-DH-RSA-WITH-SEED-CBC-SHA
ECDH-ECDSA-AES128-GCM-SHA256 TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256
ECDH-ECDSA-AES128-SHA256 TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256
ECDH-ECDSA-AES128-SHA TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA
ECDH-ECDSA-AES256-GCM-SHA384 TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384
ECDH-ECDSA-AES256-SHA256 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256
ECDH-ECDSA-AES256-SHA384 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384
ECDH-ECDSA-AES256-SHA TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA
ECDH-ECDSA-CAMELLIA128-SHA256 TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256
ECDH-ECDSA-CAMELLIA128-SHA TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA
ECDH-ECDSA-CAMELLIA256-SHA256 TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256
ECDH-ECDSA-CAMELLIA256-SHA TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA
ECDH-ECDSA-DES-CBC3-SHA TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA
ECDH-ECDSA-DES-CBC-SHA TLS-ECDH-ECDSA-WITH-DES-CBC-SHA
ECDH-ECDSA-RC4-SHA TLS-ECDH-ECDSA-WITH-RC4-128-SHA
ECDHE-ECDSA-AES128-GCM-SHA256 TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
ECDHE-ECDSA-AES128-SHA384 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384
ECDHE-ECDSA-AES128-SHA TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
ECDHE-ECDSA-AES256-GCM-SHA384 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA256 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256
ECDHE-ECDSA-AES256-SHA384 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
ECDHE-ECDSA-AES256-SHA TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
ECDHE-ECDSA-CAMELLIA128-SHA256 TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256
ECDHE-ECDSA-CAMELLIA128-SHA TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA
ECDHE-ECDSA-CAMELLIA256-SHA256 TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256
ECDHE-ECDSA-CAMELLIA256-SHA TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA
ECDHE-ECDSA-DES-CBC3-SHA TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA
ECDHE-ECDSA-DES-CBC-SHA TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA
ECDHE-ECDSA-RC4-SHA TLS-ECDHE-ECDSA-WITH-RC4-128-SHA
ECDHE-RSA-AES128-GCM-SHA256 TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
ECDHE-RSA-AES128-SHA256 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
ECDHE-RSA-AES128-SHA384 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384
ECDHE-RSA-AES128-SHA TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
ECDHE-RSA-AES256-GCM-SHA384 TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
ECDHE-RSA-AES256-SHA256 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256
ECDHE-RSA-AES256-SHA384 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
ECDHE-RSA-AES256-SHA TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
ECDHE-RSA-CAMELLIA128-SHA256 TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
ECDHE-RSA-CAMELLIA128-SHA TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA
ECDHE-RSA-CAMELLIA256-SHA256 TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
ECDHE-RSA-CAMELLIA256-SHA TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA
ECDHE-RSA-DES-CBC3-SHA TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
ECDHE-RSA-DES-CBC-SHA TLS-ECDHE-RSA-WITH-DES-CBC-SHA
ECDHE-RSA-RC4-SHA TLS-ECDHE-RSA-WITH-RC4-128-SHA
ECDH-RSA-AES128-GCM-SHA256 TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
ECDH-RSA-AES128-SHA256 TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256
ECDH-RSA-AES128-SHA384 TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384
ECDH-RSA-AES128-SHA TLS-ECDH-RSA-WITH-AES-128-CBC-SHA
ECDH-RSA-AES256-GCM-SHA384 TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
ECDH-RSA-AES256-SHA256 TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256
ECDH-RSA-AES256-SHA384 TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384
ECDH-RSA-AES256-SHA TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
ECDH-RSA-CAMELLIA128-SHA256 TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256
ECDH-RSA-CAMELLIA128-SHA TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA
ECDH-RSA-CAMELLIA256-SHA256 TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256
ECDH-RSA-CAMELLIA256-SHA TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA
ECDH-RSA-DES-CBC3-SHA TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA
ECDH-RSA-DES-CBC-SHA TLS-ECDH-RSA-WITH-DES-CBC-SHA
ECDH-RSA-RC4-SHA TLS-ECDH-RSA-WITH-RC4-128-SHA
EDH-DSS-DES-CBC3-SHA TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
EDH-DSS-DES-CBC-SHA TLS-DHE-DSS-WITH-DES-CBC-SHA
EDH-RSA-DES-CBC3-SHA TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
EDH-RSA-DES-CBC-SHA TLS-DHE-RSA-WITH-DES-CBC-SHA
EXP-DES-CBC-SHA TLS-RSA-EXPORT-WITH-DES40-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA
EXP-RC2-CBC-MD5 TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5
EXP-RC4-MD5 TLS-RSA-EXPORT-WITH-RC4-40-MD5
NULL-MD5 TLS-RSA-WITH-NULL-MD5
NULL-SHA256 TLS-RSA-WITH-NULL-SHA256
NULL-SHA TLS-RSA-WITH-NULL-SHA
PSK-3DES-EDE-CBC-SHA TLS-PSK-WITH-3DES-EDE-CBC-SHA
PSK-AES128-CBC-SHA TLS-PSK-WITH-AES-128-CBC-SHA
PSK-AES256-CBC-SHA TLS-PSK-WITH-AES-256-CBC-SHA
PSK-RC4-SHA TLS-PSK-WITH-RC4-128-SHA
RC4-MD5 TLS-RSA-WITH-RC4-128-MD5
RC4-SHA TLS-RSA-WITH-RC4-128-SHA
SEED-SHA TLS-RSA-WITH-SEED-CBC-SHA
SRP-DSS-3DES-EDE-CBC-SHA TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA
SRP-DSS-AES-128-CBC-SHA TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA
SRP-DSS-AES-256-CBC-SHA TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA
SRP-RSA-AES-128-CBC-SHA TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA
SRP-RSA-AES-256-CBC-SHA TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA

Source: [PATCH 5/5] Switch to IANA names for TLS ciphers.
