FIPS Requirements

Ivan Ristic edited this page Sep 30, 2013 · 5 revisions

This page documents the FIPS criteria, as used by SSL Labs.

  • Trusted certificate
  • SSL 2.0 and SSL 3.0 not supported
  • Strong private key
    • 1024+ bits if RSA (will change to 2048+ in the near future)
    • 1024+ bits if DSA (will change to 2048+ in the near future)
    • 160+ bits if EC
  • Only FIPS-approved suites enabled (see the list below)

Cipher suites

Sources:

  1. FIPS 140 Compliant Mode for SunJSSE
  2. Cipher Suites in Schannel
  3. NIST Special Publication 800-57: Recommendation for Key Management: Part 3: Application-Specific Key Management Guidance (Tables 4.1, 4.2, 4.3, and 4.4)
  4. OpenSSL FIPS suites (openssl ciphers -V FIPS, using OpenSSL 1.0.1e)

The following suites are considered to be FIPS compliant by the SSL Labs assessment code:

  • 0x02 - TLS_RSA_WITH_NULL_SHA [3]
  • 0x0a - TLS_RSA_WITH_3DES_EDE_CBC_SHA [1, 2, 3, 4]
  • 0x0d - TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA [3]
  • 0x10 - TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA [3]
  • 0x13 - TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA [2, 3, 4]
  • 0x16 - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
  • 0x1b - [4]
  • 0x2f - TLS_RSA_WITH_AES_128_CBC_SHA [1, 2, 3, 4]
  • 0x30 - TLS_DH_DSS_WITH_AES_128_CBC_SHA [3]
  • 0x31 - TLS_DH_RSA_WITH_AES_128_CBC_SHA [3]
  • 0x32 - TLS_DHE_DSS_WITH_AES_128_CBC_SHA [1, 2, 3, 4]
  • 0x33 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA [1, 3, 4]
  • 0x34 - [4]
  • 0x35 - TLS_RSA_WITH_AES_256_CBC_SHA [1, 2, 3, 4]
  • 0x36 - TLS_DH_DSS_WITH_AES_256_CBC_SHA [3]
  • 0x37 - TLS_DH_RSA_WITH_AES_256_CBC_SHA [3]
  • 0x38 - TLS_DHE_DSS_WITH_AES_256_CBC_SHA [1, 2, 3, 4]
  • 0x39 - TLS_DHE_RSA_WITH_AES_256_CBC_SHA [1, 3, 4]
  • 0x3a - [4]
  • 0x3c - TLS_RSA_WITH_AES_128_CBC_SHA256 [2, 3, 4]
  • 0x3d - TLS_RSA_WITH_AES_256_CBC_SHA256 [2, 3, 4]
  • 0x3e - TLS_DH_DSS_WITH_AES_128_CBC_SHA256 [3]
  • 0x3f - TLS_DH_RSA_WITH_AES_128_CBC_SHA256 [3]
  • 0x40 - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 [2, 3, 4]
  • 0x67 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 [3, 4]
  • 0x68 - TLS_DH_DSS_WITH_AES_256_CBC_SHA256 [3]
  • 0x69 - TLS_DH_RSA_WITH_AES_256_CBC_SHA256 [3]
  • 0x6a - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 [2, 3, 4]
  • 0x6b - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 [3, 4]
  • 0x6c - [4]
  • 0x6d - [4]
  • 0x8b - TLS_PSK_WITH_3DES_EDE_CBC_SHA [3]
  • 0x8c - TLS_PSK_WITH_AES_128_CBC_SHA [3]
  • 0x8d - TLS_PSK_WITH_AES_256_CBC_SHA [3]
  • 0x8f - TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA [3]
  • 0x90 - TLS_DHE_PSK_WITH_AES_128_CBC_SHA [3]
  • 0x91 - TLS_DHE_PSK_WITH_AES_256_CBC_SHA [3]
  • 0x93 - TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA [3]
  • 0x94 - TLS_RSA_PSK_WITH_AES_128_CBC_SHA [3]
  • 0x95 - TLS_RSA_PSK_WITH_AES_256_CBC_SHA [3]
  • 0x9c - [4]
  • 0x9d - [4]
  • 0x9e - [4]
  • 0x9f - [4]
  • 0xa2 - [4]
  • 0xa3 - [4]
  • 0xa6 - [4]
  • 0xa7 - [4]
  • 0xc003 - TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
  • 0xc004 - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA [1, 3, 4]
  • 0xc005 - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA [1, 4]
  • 0xc008 - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
  • 0xc009 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA [1, 2, 3, 4]
  • 0xc00a - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA [1, 2, 4]
  • 0xc00d - TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
  • 0xc00e - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA [1, 4]
  • 0xc00f - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA [1, 4]
  • 0xc012 - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
  • 0xc013 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA [1, 2, 3, 4]
  • 0xc014 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [1, 2, 4]
  • 0xc017 - TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA [1, 4]
  • 0xc018 - TLS_ECDH_anon_WITH_AES_128_CBC_SHA [1, 4]
  • 0xc019 - TLS_ECDH_anon_WITH_AES_256_CBC_SHA [1, 4]
  • 0xc023 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [2, 3, 4]
  • 0xc024 - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 [2, 3, 4]
  • 0xc025 - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 [3, 4]
  • 0xc026 - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 [3, 4]
  • 0xc027 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [2, 3, 4]
  • 0xc028 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 [3, 4]
  • 0xc029 - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 [3, 4]
  • 0xc02a - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 [3, 4]
  • 0xc02b - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [2, 3, 4]
  • 0xc02c - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [2, 3, 4]
  • 0xc02d - [4]
  • 0xc02e - [4]
  • 0xc02f - [4]
  • 0xc030 - [4]
  • 0xc031 - [4]
  • 0xc032 - [4]
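As an added example (not the SSL Labs assessment code itself), the following Python evaluates a scan result against the four criteria at the top of this page, using the suite IDs from the list above; the `ScanResult` input shape is a constructed assumption, not the SSL Labs API.

```python
from dataclasses import dataclass

# Suite IDs copied from the list on this page (treated as FIPS-compliant).
FIPS_SUITES = frozenset([
    0x02, 0x0a, 0x0d, 0x10, 0x13, 0x16, 0x1b, 0x2f, 0x30, 0x31, 0x32, 0x33,
    0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3c, 0x3d, 0x3e, 0x3f, 0x40,
    0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x8b, 0x8c, 0x8d, 0x8f, 0x90,
    0x91, 0x93, 0x94, 0x95, 0x9c, 0x9d, 0x9e, 0x9f, 0xa2, 0xa3, 0xa6, 0xa7,
    0xc003, 0xc004, 0xc005, 0xc008, 0xc009, 0xc00a, 0xc00d, 0xc00e, 0xc00f,
    0xc012, 0xc013, 0xc014, 0xc017, 0xc018, 0xc019, 0xc023, 0xc024, 0xc025,
    0xc026, 0xc027, 0xc028, 0xc029, 0xc02a, 0xc02b, 0xc02c, 0xc02d, 0xc02e,
    0xc02f, 0xc030, 0xc031, 0xc032,
])

# Minimum private key sizes (bits) per key algorithm, from the criteria above.
MIN_KEY_BITS = {"RSA": 1024, "DSA": 1024, "EC": 160}
LEGACY_PROTOCOLS = {"SSL 2.0", "SSL 3.0"}

@dataclass
class ScanResult:
    """Constructed input shape (hypothetical, not the SSL Labs API)."""
    cert_trusted: bool
    protocols: set          # protocol names the server accepts
    key_alg: str            # "RSA", "DSA" or "EC"
    key_bits: int
    suites: set             # cipher suite IDs the server enables

def fips_failures(scan):
    """Return the criteria the scan violates; an empty list means FIPS-compliant."""
    failures = []
    if not scan.cert_trusted:
        failures.append("certificate not trusted")
    legacy = sorted(LEGACY_PROTOCOLS & scan.protocols)
    if legacy:
        failures.append("legacy protocol supported: " + ", ".join(legacy))
    minimum = MIN_KEY_BITS.get(scan.key_alg)
    if minimum is None:
        failures.append("unknown key algorithm: " + scan.key_alg)
    elif scan.key_bits < minimum:
        failures.append(f"{scan.key_alg} key {scan.key_bits} bits < {minimum}")
    bad = sorted(scan.suites - FIPS_SUITES)   # any enabled suite outside the list fails
    if bad:
        failures.append("non-FIPS suites enabled: " + ", ".join(f"0x{s:04x}" for s in bad))
    return failures

def is_fips(scan):
    return not fips_failures(scan)
```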