Supported Cipher Suites
When FIPS level 1 support is enabled, only TLSv1.0, v1.1, v1.2 and AES256, 3DES and AES128 are allowed. The order of the cipher suites is not dependent on the SSL hardware acceleration module since hardware acceleration is not used when FIPS level 1 support is enabled.
When FIPS level 1 support is enabled, the following settings are automatically configured:
- In the SSL Options window:
- Under Allowed SSL and TLS Version, the Accept only TLS option is selected. All other options under this section are disabled.
- Under Allowed Encryption Strength, the Maximize Compatibility (Medium Ciphers) option is selected. Only FIPS approved ciphers are selected.
- Under Encryption Strength Option, the Do not allow connections from browsers that only accept weaker ciphers option is selected.
- SSL hardware acceleration is disabled. IPsec hardware acceleration is not affected by the FIPS level 1 support being enabled.
The first four cipher suites in the below table are given preference due to the requirements in RFC 6460. The first two cipher suites meeting the requirement for Suite B Profile for TLS 1.2. The next two meeting the requirement for Suite B Transitional Profile for TLS 1.0 and 1.1.
|
Cipher Suite |
Protocol |
|---|---|
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
TLSv1.2 |
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
TLSv1.2 |
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
TLSv1.2 |
|
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 |
TLSv1.2 |
|
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 |
TLSv1.2 |
|
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 |
TLSv1.2 |
|
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 |
TLSv1.2 |
|
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
TLSv1.2 |
|
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 |
TLSv1.2 |
|
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 |
TLSv1.2 |
|
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 |
TLSv1.2 |
|
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 |
TLSv1.2 |
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
TLSv1.0 and later |
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
TLSv1.0 and later |
|
Cipher Suite |
Protocol |
|---|---|
|
TLS_RSA_WITH_AES_256_CBC_SHA256 |
TLSv1.2 |
|
TLS_RSA_WITH_AES_256_CBC_SHA |
TLSv1.0 and later |
|
TLS_RSA_WITH_3DES_EDE_CBC_SHA |
TLSv1.0 and later |
|
TLS_RSA_WITH_AES_128_CBC_SHA256 |
TLSv1.2 |
|
TLS_RSA_WITH_AES_128_CBC_SHA |
TLSv1.0 and later |
|
TLS_RSA_WITH_AES_256_GCM_SHA384 |
TLSv1.2 |
|
TLS_RSA_WITH_AES_128_GCM_SHA256 |
TLSv1.2 |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
TLSv1.2 |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
TLSv1.2 |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
TLSv1.2 |
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
TLSv1.2 |
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
TLS1.0 and later |
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
TLS1.0 and later |
|
Cipher Suite |
Protocol |
|---|---|
|
TLS_RSA_WITH_AES_256_CBC_SHA256 |
TLSv1.2 |
|
TLS_RSA_WITH_AES_256_CBC_SHA |
TLSv1.0 and later |
|
TLS_RSA_WITH_3DES_EDE_CBC_SHA |
TLSv1.0 and later |
|
TLS_RSA_WITH_AES_128_CBC_SHA256 |
TLSv1.2 |
|
TLS_RSA_WITH_AES_128_CBC_SHA |
TLSv1.0 and later |
|
TLS_RSA_WITH_AES_256_GCM_SHA384 |
TLSv1.2 |
|
TLS_RSA_WITH_AES_128_GCM_SHA256 |
TLSv1.2 |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
TLSv1.2 |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
TLSv1.2 |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
TLSv1.2 |
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
TLSv1.2 |
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
TLS1.0 and later |
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
TLS1.0 and later |
|
Cipher Suite |
Protocol |
|---|---|
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
TLSv1.2 |
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
TLSv1.2 |
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
TLSv1.2 |
|
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 |
TLSv1.2 |
|
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 |
TLSv1.2 |
|
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA |
TLSv1.0 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
TLSv1.2 |
|
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 |
TLSv1.2 |
|
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 |
TLSv1.2 |
|
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA |
TLS1.0 and later |