Skip to content

FIPS Requirements

Jump to bottom
Ivan Ristić edited this page Jun 16, 2014 · 5 revisions

This page documents the FIPS criteria, as used by SSL Labs.

  • Trusted certificate
  • SSL 2.0 and SSL 3.0 not supported
  • Strong private key
    • 1024+ bits if RSA (will change to 2048+ in the near future)
    • 1024+ bits if DSA (will change to 2048+ in the near future)
    • 160+ bits if EC
  • Only FIPS-approved suites enabled (see the list below)

Cipher suites

Sources:

  1. FIPS 140 Compliant Mode for SunJSSE
  2. Cipher Suites in Schannel
  3. NIST Special Publication 800-57: Recommendation for Key Management: Part 3: Application-Specific Key Management Guidance (Tables 4.1, 4.2, 4.3, and 4.4)
  4. OpenSSL FIPS suites (openssl ciphers -V FIPS, using OpenSSL 1.0.1e)
  5. Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2

The following suites are considered to be FIPS compliant by the SSL Labs assessment code:

  • 0x02 - TLS_RSA_WITH_NULL_SHA [3]
  • 0x0a - TLS_RSA_WITH_3DES_EDE_CBC_SHA [1, 2, 3, 4]
  • 0x0d - TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA [3]
  • 0x10 - TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA [3]
  • 0x13 - TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA [2, 3, 4]
  • 0x16 - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
  • 0x1b - [4]
  • 0x2f - TLS_RSA_WITH_AES_128_CBC_SHA [1, 2, 3, 4]
  • 0x30 - TLS_DH_DSS_WITH_AES_128_CBC_SHA [3]
  • 0x31 - TLS_DH_RSA_WITH_AES_128_CBC_SHA [3]
  • 0x32 - TLS_DHE_DSS_WITH_AES_128_CBC_SHA [1, 2, 3, 4]
  • 0x33 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA [1, 3, 4]
  • 0x34 - [4]
  • 0x35 - TLS_RSA_WITH_AES_256_CBC_SHA [1, 2, 3, 4]
  • 0x36 - TLS_DH_DSS_WITH_AES_256_CBC_SHA [3]
  • 0x37 - TLS_DH_RSA_WITH_AES_256_CBC_SHA [3]
  • 0x38 - TLS_DHE_DSS_WITH_AES_256_CBC_SHA [1, 2, 3, 4]
  • 0x39 - TLS_DHE_RSA_WITH_AES_256_CBC_SHA [1, 3, 4]
  • 0x3a - [4]
  • 0x3c - TLS_RSA_WITH_AES_128_CBC_SHA256 [2, 3, 4]
  • 0x3d - TLS_RSA_WITH_AES_256_CBC_SHA256 [2, 3, 4]
  • 0x3e - TLS_DH_DSS_WITH_AES_128_CBC_SHA256 [3]
  • 0x3f - TLS_DH_RSA_WITH_AES_128_CBC_SHA256 [3]
  • 0x40 - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 [2, 3, 4]
  • 0x67 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 [3, 4]
  • 0x68 - TLS_DH_DSS_WITH_AES_256_CBC_SHA256 [3]
  • 0x69 - TLS_DH_RSA_WITH_AES_256_CBC_SHA256 [3]
  • 0x6a - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 [2, 3, 4]
  • 0x6b - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 [3, 4]
  • 0x6c - [4]
  • 0x6d - [4]
  • 0x8b - TLS_PSK_WITH_3DES_EDE_CBC_SHA [3]
  • 0x8c - TLS_PSK_WITH_AES_128_CBC_SHA [3]
  • 0x8d - TLS_PSK_WITH_AES_256_CBC_SHA [3]
  • 0x8f - TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA [3]
  • 0x90 - TLS_DHE_PSK_WITH_AES_128_CBC_SHA [3]
  • 0x91 - TLS_DHE_PSK_WITH_AES_256_CBC_SHA [3]
  • 0x93 - TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA [3]
  • 0x94 - TLS_RSA_PSK_WITH_AES_128_CBC_SHA [3]
  • 0x95 - TLS_RSA_PSK_WITH_AES_256_CBC_SHA [3]
  • 0x9c - [4][5]
  • 0x9d - [4][5]
  • 0x9e - [4][5]
  • 0x9f - [4][5]
  • 0xa2 - [4]
  • 0xa3 - [4]
  • 0xa6 - [4]
  • 0xa7 - [4]
  • 0xc003 - TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
  • 0xc004 - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA [1, 3, 4]
  • 0xc005 - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA [1, 4]
  • 0xc008 - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
  • 0xc009 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA [1, 2, 3, 4]
  • 0xc00a - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA [1, 2, 4]
  • 0xc00d - TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
  • 0xc00e - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA [1, 4]
  • 0xc00f - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA [1, 4]
  • 0xc012 - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA [1, 3, 4]
  • 0xc013 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA [1, 2, 3, 4]
  • 0xc014 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [1, 2, 4]
  • 0xc017 - TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA [1, 4]
  • 0xc018 - TLS_ECDH_anon_WITH_AES_128_CBC_SHA [1, 4]
  • 0xc019 - TLS_ECDH_anon_WITH_AES_256_CBC_SHA [1, 4]
  • 0xc023 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [2, 3, 4]
  • 0xc024 - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 [2, 3, 4]
  • 0xc025 - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 [3, 4]
  • 0xc026 - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 [3, 4]
  • 0xc027 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [2, 3, 4]
  • 0xc028 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 [3, 4]
  • 0xc029 - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 [3, 4]
  • 0xc02a - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 [3, 4]
  • 0xc02b - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [2, 3, 4]
  • 0xc02c - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [2, 3, 4]
  • 0xc02d - [4]
  • 0xc02e - [4]
  • 0xc02f - [4]
  • 0xc030 - [4]
  • 0xc031 - [4]
  • 0xc032 - [4]
Clone this wiki locally