TLS numbers used in various places Pasi Eronen Last updated: November 18, 2005 NOTE: This is a totally unofficial list. The IANA registries for TLS can be found at the following addresses: http://www.iana.org/assignments/tls-parameters http://www.iana.org/assignments/tls-extensiontype-values TLS CLIENT CERTIFICATE TYPES ============================ 1 rsa_sign [RFC2246] 2 dss_sign [RFC2246] 3 rsa_fixed_dh [RFC2246] 4 dss_fixed_dh [RFC2246] 5 rsa_ephemeral_dh_RESERVED [2246bis] [ssl3] [*16] 6 dss_ephemeral_dh_RESERVED [2246bis] [ssl3] [*15] 7 [*15] 8 [*11] [*15] 9 [*11] [*15] 20 fortezza_dms_RESERVED [2246bis] [ssl3] 21 [cptls-02] 22 [cptls-02] 64 [ecc-12] 65 [ecc-12] 66 [ecc-12] TLS CIPHERSUITE NUMBERS ======================= 00,00 TLS_NULL_WITH_NULL_NULL [RFC2246] 00,01 TLS_RSA_WITH_NULL_MD5 [RFC2246] 00,02 TLS_RSA_WITH_NULL_SHA [RFC2246] 00,03 TLS_RSA_EXPORT_WITH_RC4_40_MD5 [RFC2246] 00,04 TLS_RSA_WITH_RC4_128_MD5 [RFC2246] 00,05 TLS_RSA_WITH_RC4_128_SHA [RFC2246] 00,06 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 [RFC2246] 00,07 TLS_RSA_WITH_IDEA_CBC_SHA [RFC2246] 00,08 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA [RFC2246] 00,09 TLS_RSA_WITH_DES_CBC_SHA [RFC2246] 00,0A TLS_RSA_WITH_3DES_EDE_CBC_SHA [RFC2246] 00,0B TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA [RFC2246] 00,0C TLS_DH_DSS_WITH_DES_CBC_SHA [RFC2246] 00,0D TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA [RFC2246] 00,0E TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA [RFC2246] 00,0F TLS_DH_RSA_WITH_DES_CBC_SHA [RFC2246] 00,10 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA [RFC2246] 00,11 TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA [RFC2246] 00,12 TLS_DHE_DSS_WITH_DES_CBC_SHA [RFC2246] 00,13 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA [RFC2246] 00,14 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA [RFC2246] 00,15 TLS_DHE_RSA_WITH_DES_CBC_SHA [RFC2246] 00,16 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA [RFC2246] 00,17 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 [RFC2246] 00,18 TLS_DH_anon_WITH_RC4_128_MD5 [RFC2246] 00,19 TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA [RFC2246] 00,1A TLS_DH_anon_WITH_DES_CBC_SHA [RFC2246] 00,1B TLS_DH_anon_WITH_3DES_EDE_CBC_SHA [RFC2246] 00,1C (permanently reserved) [2246bis] [ssl3] 00,1D (permanently reserved) [2246bis] [ssl3] 00,1E TLS_KRB5_WITH_DES_CBC_SHA [RFC2712] [*1] 00,1F TLS_KRB5_WITH_3DES_EDE_CBC_SHA [RFC2712] 00,20 TLS_KRB5_WITH_RC4_128_SHA [RFC2712] 00,21 TLS_KRB5_WITH_IDEA_CBC_SHA [RFC2712] 00,22 TLS_KRB5_WITH_DES_CBC_MD5 [RFC2712] 00,23 TLS_KRB5_WITH_3DES_EDE_CBC_MD5 [RFC2712] 00,24 TLS_KRB5_WITH_RC4_128_MD5 [RFC2712] 00,25 TLS_KRB5_WITH_IDEA_CBC_MD5 [RFC2712] 00,26 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA [RFC2712] 00,27 TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA [RFC2712] 00,28 TLS_KRB5_EXPORT_WITH_RC4_40_SHA [RFC2712] 00,29 TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 [RFC2712] 00,2A TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 [RFC2712] 00,2B TLS_KRB5_EXPORT_WITH_RC4_40_MD5 [RFC2712] 00,2C [*8] 00,2D [*8] 00,2E [*8] 00,2F TLS_RSA_WITH_AES_128_CBC_SHA [RFC3268] 00,30 TLS_DH_DSS_WITH_AES_128_CBC_SHA [RFC3268] 00,31 TLS_DH_RSA_WITH_AES_128_CBC_SHA [RFC3268] 00,32 TLS_DHE_DSS_WITH_AES_128_CBC_SHA [RFC3268] 00,33 TLS_DHE_RSA_WITH_AES_128_CBC_SHA [RFC3268] 00,34 TLS_DH_anon_WITH_AES_128_CBC_SHA [RFC3268] 00,35 TLS_RSA_WITH_AES_256_CBC_SHA [RFC3268] 00,36 TLS_DH_DSS_WITH_AES_256_CBC_SHA [RFC3268] 00,37 TLS_DH_RSA_WITH_AES_256_CBC_SHA [RFC3268] 00,38 TLS_DHE_DSS_WITH_AES_256_CBC_SHA [RFC3268] 00,39 TLS_DHE_RSA_WITH_AES_256_CBC_SHA [RFC3268] 00,3A TLS_DH_anon_WITH_AES_256_CBC_SHA [RFC3268] 00,3B [*10] 00,3C [*10] 00,3D [*10] 00,3E [*10] 00,3F [*10] 00,40 [*10] 00,41 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA [RFC4132] 00,42 TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA [RFC4132] 00,43 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA [RFC4132] 00,44 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA [RFC4132] 00,45 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA [RFC4132] 00,46 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA [RFC4132] 00,47 [*2] 00,48 [*2] 00,49 [*2] 00,4A [*2] 00,4B [*2] 00,4C [*2] 00,4D [*2] 00,4E [*2] 00,4F [*2] 00,50 (reserved for ongoing work) [srp-10] [*2] 00,51 (reserved for ongoing work) [srp-10] [*2] 00,52 (reserved for ongoing work) [srp-10] [*2] 00,53 (reserved for ongoing work) [srp-10] [*2] 00,54 (reserved for ongoing work) [srp-10] [*2] 00,55 (reserved for ongoing work) [srp-10] [*2] 00,56 (reserved for ongoing work) [srp-10] [*2] 00,57 (reserved for ongoing work) [srp-10] [*2] 00,58 (reserved for ongoing work) [srp-10] [*2] 00,59 [*2] 00,5A [*2] 00,5B [*2] 00,5C [*2] 00,5D 00,5E 00,5F 00,60 TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 [56bit] [*7] 00,61 TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 [56bit] [*7] [*12] 00,62 TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA [56bit] [*7] [*12] 00,63 TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA [56bit] [*7] [*12] 00,64 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA [56bit] [*7] [*12] 00,65 TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA [56bit] [*7] [*12] 00,66 TLS_DHE_DSS_WITH_RC4_128_SHA [56bit] [*12] 00,67 [*12] 00,68 [*12] 00,69 00,6A 00,6B 00,6C 00,6D 00,6E 00,6F 00,70 [*16] 00,71 [*16] 00,72 (reserved for ongoing work) [openpgp-06] [*16] 00,73 (reserved for ongoing work) [openpgp-06] [*16] 00,74 (reserved for ongoing work) [openpgp-06] [*16] 00,75 [*16] 00,76 [*16] 00,77 (reserved for ongoing work) [openpgp-06] [*2] [*16] 00,78 (reserved for ongoing work) [openpgp-06] [*2] [*16] 00,79 (reserved for ongoing work) [openpgp-06] [*16] 00,7A 00,7B 00,7C (reserved for ongoing work) [openpgp-06] 00,7D (reserved for ongoing work) [openpgp-06] 00,7E (reserved for ongoing work) [openpgp-06] 00,7F 00,80 (reserved for ongoing work) [cptls-02] 00,81 (reserved for ongoing work) [cptls-02] 00,82 (reserved for ongoing work) [cptls-02] 00,83 (reserved for ongoing work) [cptls-02] 00,84 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA [RFC4132] 00,85 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA [RFC4132] 00,86 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA [RFC4132] 00,87 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA [RFC4132] 00,88 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA [RFC4132] 00,89 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA [RFC4132] 00,8A TLS_PSK_WITH_RC4_128_SHA [psk-09] 00,8B TLS_PSK_WITH_3DES_EDE_CBC_SHA [psk-09] 00,8C TLS_PSK_WITH_AES_128_CBC_SHA [psk-09] 00,8D TLS_PSK_WITH_AES_256_CBC_SHA [psk-09] 00,8E TLS_DHE_PSK_WITH_RC4_128_SHA [psk-09] 00,8F TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA [psk-09] 00,90 TLS_DHE_PSK_WITH_AES_128_CBC_SHA [psk-09] 00,91 TLS_DHE_PSK_WITH_AES_256_CBC_SHA [psk-09] 00,92 TLS_RSA_PSK_WITH_RC4_128_SHA [psk-09] 00,93 TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA [psk-09] 00,94 TLS_RSA_PSK_WITH_AES_128_CBC_SHA [psk-09] 00,95 TLS_RSA_PSK_WITH_AES_256_CBC_SHA [psk-09] 00,96 TLS_RSA_WITH_SEED_CBC_SHA [RFC4162] 00,97 TLS_DH_DSS_WITH_SEED_CBC_SHA [RFC4162] 00,98 TLS_DH_RSA_WITH_SEED_CBC_SHA [RFC4162] 00,99 TLS_DHE_DSS_WITH_SEED_CBC_SHA [RFC4162] 00,9A TLS_DHE_RSA_WITH_SEED_CBC_SHA [RFC4162] 00,9B TLS_DH_anon_WITH_SEED_CBC_SHA [RFC4162] 01,01 [*14] 01,02 [*14] 01,03 [*14] 01,04 [*14] 01,05 [*14] 01,06 [*14] 01,10 [*14] 01,20 [*14] 01,21 [*14] 01,22 [*14] 01,23 [*14] 01,24 [*14] 01,25 [*14] 01,F0 [*14] C0,00 (reserved for ongoing work) [ecc-12] C0,01 (reserved for ongoing work) [ecc-12] C0,02 (reserved for ongoing work) [ecc-12] C0,03 (reserved for ongoing work) [ecc-12] C0,04 (reserved for ongoing work) [ecc-12] C0,05 (reserved for ongoing work) [ecc-12] C0,06 (reserved for ongoing work) [ecc-12] C0,07 (reserved for ongoing work) [ecc-12] C0,08 (reserved for ongoing work) [ecc-12] C0,09 (reserved for ongoing work) [ecc-12] C0,0A (reserved for ongoing work) [ecc-12] C0,0B (reserved for ongoing work) [ecc-12] C0,0C (reserved for ongoing work) [ecc-12] C0,0D (reserved for ongoing work) [ecc-12] C0,0E (reserved for ongoing work) [ecc-12] C0,0F (reserved for ongoing work) [ecc-12] C0,10 (reserved for ongoing work) [ecc-12] C0,11 (reserved for ongoing work) [ecc-12] C0,12 (reserved for ongoing work) [ecc-12] C0,13 (reserved for ongoing work) [ecc-12] C0,14 (reserved for ongoing work) [ecc-12] C0,15 (reserved for ongoing work) [ecc-12] C0,16 (reserved for ongoing work) [ecc-12] C0,17 (reserved for ongoing work) [ecc-12] C0,18 (reserved for ongoing work) [ecc-12] C0,19 (reserved for ongoing work) [ecc-12] FE,FE (reserved) [fips] FE,FF (reserved) [fips] FF,E0 (reserved) [fips] FF,E1 (reserved) [fips] TLS CONTENT TYPES ================= 20 change_cipher_spec [RFC2246] 21 alert [RFC2246] 22 handshake [RFC2246] 23 application_data [RFC2246] 24 [ia-01] [*9] 25 [sign-00] 26 [mtls-00] TLS ALERT DESCRIPTIONS ====================== 0 close_notify [RFC2246] 10 unexpected_message [RFC2246] 20 bad_record_mac [RFC2246] 21 decryption_failed [RFC2246] 22 record_overflow [RFC2246] 30 decompression_failure [RFC2246] 40 handshake_failure [RFC2246] 41 no_certificate_RESERVED [2246bis] [ssl3] [*13] 42 bad_certificate [RFC2246] 43 unsupported_certificate [RFC2246] 44 certificate_revoked [RFC2246] 45 certificate_expired [RFC2246] 46 certificate_unknown [RFC2246] 47 illegal_parameter [RFC2246] 48 unknown_ca [RFC2246] 49 access_denied [RFC2246] 50 decode_error [RFC2246] 51 decrypt_error [RFC2246] 60 export_restriction [RFC2246] 70 protocol_version [RFC2246] 71 insufficient_security [RFC2246] 80 internal_error [RFC2246] 90 user_canceled [RFC2246] 100 no_renegotiation [RFC2246] 110 unsupported_extension [RFC3546] [*13] 111 certificate_unobtainable [RFC3546] [*13] 112 unrecognized_name [RFC3546] [*13] 113 bad_certificate_status_response [RFC3546] [*13] 114 bad_certificate_hash_value [RFC3546] 115 unknown_psk_identity [psk-09] 120 [srp-10] [*13] 121 [srp-10] 122 [srp-10] 208 [ia-01] 209 [ia-01] TLS HANDSHAKE TYPES =================== 0 hello_request [RFC2246] 1 client_hello [RFC2246] 2 server_hello [RFC2246] 3 hello_verify_request [dtls-05] [*5] 4 [*5] 11 certificate [RFC2246] 12 server_key_exchange [RFC2246] 13 certificate_request [RFC2246] 14 server_hello_done [RFC2246] 15 certificate_verify [RFC2246] 16 client_key_exchange [RFC2246] 20 finished [RFC2246] 21 certificate_url [RFC3546] 22 certificate_status [RFC3546] 78 [*6] 79 [*6] TLS EXTENSION TYPES =================== 0 server_name [RFC3546] 1 max_fragment_length [RFC3546] 2 client_certificate_url [RFC3546] 3 trusted_ca_keys [RFC3546] 4 truncated_hmac [RFC3546] 5 status_request [RFC3546] 6 [srp-10] [*5] [*13] [*17] 7 [openpgp-06] [*5] [*17] 8 [express-01] 9 [prf-00] [*4] 10 [ecc-12] 11 [ecc-12] 35 [ticket-05] [fast-00] 37703 [ia-01] 60000 [*3] REFERENCES AND NOTES ==================== [ecc-12] Simon Blake-Wilson, Nelson Bolyard, Vipul Gupta, Chris Hawk, and Bodo Moeller, "ECC Cipher Suites For TLS", draft-ietf-tls-ecc-12, October 2005. [openpgp-06] Nikos Mavroyanopoulos, "Using OpenPGP keys for TLS authentication", draft-ietf-tls-openpgp-keys-06, January 2005. [srp-10] David Taylor, Tom Wu, Nikos Mavroyanopoulos, and Trevor Perrin, "Using SRP for TLS Authentication", draft-ietf-tls-srp-10, October 2005. [psk-09] Pasi Eronen and Hannes Tschofenig, "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)", draft-ietf-tls-psk-09, June 2005. [cptls-02] Grigorij Chudov and Serguei Leontiev, "GOST Ciphersuites for Transport Layer Security", draft-chudov-cryptopro-cptls-02, September 2005. [express-01] Mohamad Badra, Ahmed Serhrouchni, and Pascal Urien, "TLS Express", draft-badra-tls-express-01, February 2005. [fast-00] Nancy Cam-Winget, David McGrew, Joseph Salowey, and Hao Zhou, "EAP Flexible Authentication via Secure Tunneling (EAP-FAST)", draft-cam-winget-eap-fast-00, February 2004. [ia-01] Paul Funk, Simon Blake-Wilson, Ned Smith, Hannes Tschofenig, and Thomas Hardjono, "TLS Inner Application Extension (TLS/IA)", draft-funk-tls-inner-application- extension-01, February 2005. [ssl3] Alan O. Freier, Philip Karlton, and Paul C. Kocher, "The SSL Protocol Version 3.0", expired I-D (draft-freier-ssl-version3-02.txt), November 1996. [dtls-05] Eric Rescorla and Nagendra Modadugu, "Datagram Transport Layer Security", draft-rescorla-dtls-05, June 2005. [sign-00] Ibrahim Hajjeh, Ahmed Serhrouchni, Mohamad Badra, and Omar Cherkaoui, "TLS Sign", draft-hajjeh-tls-sign-00, January 2005. [prf-00] Grigorij Chudov, "Hash/PRF negotiation in TLS using TLS extensions", draft-chudov-cryptopro-tlsprfneg-00, May 2005. [56bit] John Banes and Richard Harrington, "56-bit Export Cipher Suites For TLS", expired Internet-Draft draft-ietf-tls-56-bit-ciphersuites-01.txt, July 2001 (and version -00, January 1999). Although this document was never published as RFC, these ciphersuites are implemented by several vendors. Draft version -00 contains ciphersuites 0x60..63; version -01 includes 0x62..66. [fips] FIPS SSL CipherSuites, http://www.mozilla.org/projects/ security/pki/nss/ssl/fips-ssl-ciphersuites.html [mtls-00] Mohamad Badra, Ibrahim Hajjeh, "TLS Multiplexing", draft-badra-hajjeh-mtls-00, October 2005. [*1] This number was previously used for SSL_FORTEZZA_KEA_WITH_RC4_128_SHA in [ssl3] [*2] Used by some OpenSSL development snapshots and NSS 3.8/3.9, obsoleted by [ecc-12]. [*3] This number was used by an earlier version of [cptls-02], but presumably this work has been superceded by [prf-00], and the number can be reused for other purposes. [*4] This number was used in draft-badra-tls-key-exchange-00 (Mohamad Badra, Omar Cherkaoui, Ibrahim Hajjeh, and Ahmed Serhrouchni, "Pre-Shared-Key key Exchange methods for TLS", August 2004), but presumably this work has been superceded by [psk-09] and the number can be reused for other purposes. [*5] These numbers were used in draft-shacham-tls-fast-track-00 (Hovav Shacham and Dan Boneh, "TLS Fast-Track Session Establishment", September 2001), but presumably this work is dead, and the numbers can be used for other purposes. [*6] These numbers were used in older versions of [ia-01]. [*7] These numbers were used by an older, obsolete version of draft-lee-tls-seed (now RFC4162). [*8] These numbers were used in draft-ietf-tls-seedhas-00 (Joo-won Jung and ChangHee Lee, "TLS Extension for SEED and HAS-160", July 2000), but presumably this work is dead, and the numbers can be used for other purposes. [*9] This number was in draft-ietf-tls-delegation-01 (Keith Jackson, Steven Tuecke, and Doug Engert, "TLS Delegation Protocol", February 2002), but presumably this work is dead and the number can be reused for other purposes. [*10] These numbers were used in draft-ietf-tls-misty1-01 (Hidenori Ohta and Hirosato Tsuji, "Addition of MISTY1 to TLS", March 2001), but presumably this work is dead and the numbers can be reused for other purposes. [*11] These numbers were used in draft-ietf-tls-ntru-00 (Ari Singer, "NTRU Cipher Suites for TLS", July 2001), but presumably this work is dead and the numbers can be reused for other purposes. [*12] These numbers were used in draft-ietf-tls-ntru-00, but presumably this work is dead, and and many of the numbers are widely used for other purposes anyway. [*13] These numbers were used in draft-ietf-tls-pathsec-00 (Joseph Hui, "TLS Pathsec Protocol", September 2001), but presumably this work is dead, and the numbers can be used for other purposes. [*14] These numbers were used in draft-ietf-tls-openpgp-02 (Will Price and Michael Elkins, "Extensions to TLS for OpenPGP keys", February 2002), but presumably this work is dead, and the numbers can be used for other purposes. [*15] These numbers were used in draft-madhu-tls-spki-00 (H. S. Madhusudhana and V. R. Ramachandran, "SPKI Certificate Integration with Transport Layer Security (TLS) for Client Authentication and Authorization", July 2001), but presumably this work is dead, and the numbers can be used for other purposes. [*16] These numbers were used in draft-ietf-tls-kerb-01 (Matthew Hur, Joseph Salowey, and Ari Medvinsky, "Kerberos Cipher Suites in Transport Layer Security (TLS)", November 2001), but presumably this work is dead, and the numbers can be used for other purposes. [*17] These numbers were used in older versions of [ecc-12].