-
Notifications
You must be signed in to change notification settings - Fork 225
FIPS Requirements
Ivan Ristic edited this page Sep 30, 2013
·
5 revisions
This page documents the FIPS criteria, as used by SSL Labs.
- Trusted certificate
- SSL 2.0 and SSL 3.0 not supported
- Strong private key
- 1024+ bits if RSA (will change to 2048+ in the near future)
- 1024+ bits if DSA (will change to 2048+ in the near future)
- 160+ bits if EC
- Only FIPS-approved suites enabled (see the list below)
Sources:
- FIPS 140 Compliant Mode for SunJSSE
- Cipher Suites in Schannel
- NIST Special Publication 800-57: Recommendation for Key Management: Part 3: Application-Specific Key Management Guidance (Tables 4.1, 4.2, 4.3, and 4.4)
- OpenSSL FIPS suites (openssl ciphers -V FIPS, using OpenSSL 1.0.1e)
The following suites are considered to be FIPS compliant by the SSL Labs assessment code:
- 0x02 - TLS_RSA_WITH_NULL_SHA [3]
- 0x0a - TLS_RSA_WITH_3DES_EDE_CBC_SHA [1, 2, 3, 4]
- 0x0d - TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA [3]
- 0x10 - TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA [3]
- 0x13 - TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA [2, 3, 4]
- 0x16 - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
- 0x1b - [4]
- 0x2f - TLS_RSA_WITH_AES_128_CBC_SHA [1, 2, 3, 4]
- 0x30 - TLS_DH_DSS_WITH_AES_128_CBC_SHA [3]
- 0x31 - TLS_DH_RSA_WITH_AES_128_CBC_SHA [3]
- 0x32 - TLS_DHE_DSS_WITH_AES_128_CBC_SHA [1, 2, 3, 4]
- 0x33 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA [1, 3, 4]
- 0x34 - [4]
- 0x35 - TLS_RSA_WITH_AES_256_CBC_SHA [1, 2, 3, 4]
- 0x36 - TLS_DH_DSS_WITH_AES_256_CBC_SHA [3]
- 0x37 - TLS_DH_RSA_WITH_AES_256_CBC_SHA [3]
- 0x38 - TLS_DHE_DSS_WITH_AES_256_CBC_SHA [1, 2, 3, 4]
- 0x39 - TLS_DHE_RSA_WITH_AES_256_CBC_SHA [1, 3, 4]
- 0x3a - [4]
- 0x3c - TLS_RSA_WITH_AES_128_CBC_SHA256 [2, 3, 4]
- 0x3d - TLS_RSA_WITH_AES_256_CBC_SHA256 [2, 3, 4]
- 0x3e - TLS_DH_DSS_WITH_AES_128_CBC_SHA256 [3]
- 0x3f - TLS_DH_RSA_WITH_AES_128_CBC_SHA256 [3]
- 0x40 - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 [2, 3, 4]
- 0x67 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 [3, 4]
- 0x68 - TLS_DH_DSS_WITH_AES_256_CBC_SHA256 [3]
- 0x69 - TLS_DH_RSA_WITH_AES_256_CBC_SHA256 [3]
- 0x6a - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 [2, 3, 4]
- 0x6b - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 [3, 4]
- 0x6c - [4]
- 0x6d - [4]
- 0x8b - TLS_PSK_WITH_3DES_EDE_CBC_SHA [3]
- 0x8c - TLS_PSK_WITH_AES_128_CBC_SHA [3]
- 0x8d - TLS_PSK_WITH_AES_256_CBC_SHA [3]
- 0x8f - TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA [3]
- 0x90 - TLS_DHE_PSK_WITH_AES_128_CBC_SHA [3]
- 0x91 - TLS_DHE_PSK_WITH_AES_256_CBC_SHA [3]
- 0x93 - TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA [3]
- 0x94 - TLS_RSA_PSK_WITH_AES_128_CBC_SHA [3]
- 0x95 - TLS_RSA_PSK_WITH_AES_256_CBC_SHA [3]
- 0x9c - [4]
- 0x9d - [4]
- 0x9e - [4]
- 0x9f - [4]
- 0xa2 - [4]
- 0xa3 - [4]
- 0xa6 - [4]
- 0xa7 - [4]
- 0xc003 - TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
- 0xc004 - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA [1, 3, 4]
- 0xc005 - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA [1, 4]
- 0xc008 - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
- 0xc009 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA [1, 2, 3, 4]
- 0xc00a - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA [1, 2, 4]
- 0xc00d - TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
- 0xc00e - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA [1, 4]
- 0xc00f - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA [1, 4]
- 0xc012 - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
- 0xc013 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA [1, 2, 3, 4]
- 0xc014 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [1, 2, 4]
- 0xc017 - TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA [1, 4]
- 0xc018 - TLS_ECDH_anon_WITH_AES_128_CBC_SHA [1, 4]
- 0xc019 - TLS_ECDH_anon_WITH_AES_256_CBC_SHA [1, 4]
- 0xc023 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [2, 3, 4]
- 0xc024 - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 [2, 3, 4]
- 0xc025 - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 [3, 4]
- 0xc026 - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 [3, 4]
- 0xc027 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [2, 3, 4]
- 0xc028 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 [3, 4]
- 0xc029 - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 [3, 4]
- 0xc02a - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 [3, 4]
- 0xc02b - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [2, 3, 4]
- 0xc02c - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [2, 3, 4]
- 0xc02d - [4]
- 0xc02e - [4]
- 0xc02f - [4]
- 0xc030 - [4]
- 0xc031 - [4]
- 0xc032 - [4]