FIPS Requirements

ivanr edited this page Dec 19, 2012 · 5 revisions

This page documents the FIPS criteria, as used by SSL Labs.

  • Trusted certificate
  • SSL 2.0 and SSL 3.0 not supported
  • Strong private key
    • 1024+ bits if RSA (will change to 2048+ in the near future)
    • 1024+ bits if DSA (will change to 2048+ in the near future)
    • 160+ bits if EC
  • Only FIPS-approved suites enabled (see the list below)

Cipher suites

Sources:

  1. FIPS 140 Compliant Mode for SunJSSE
  2. Cipher Suites in Schannel
  3. NIST Special Publication 800-57: Recommendation for Key Management: Part 3: Application-Specific Key Management Guidance (Tables 4.1, 4.2, 4.3, and 4.4)

The following suites are considered to be FIPS compliant by the SSL Labs assessment code:

  • 0x02 - TLS_RSA_WITH_NULL_SHA [3]
  • 0x0a - TLS_RSA_WITH_3DES_EDE_CBC_SHA [1, 2, 3]
  • 0x0d - TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA [3]
  • 0x10 - TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA [3]
  • 0x13 - TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA [2, 3]
  • 0x16 - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA [1, 3]
  • 0x2f - TLS_RSA_WITH_AES_128_CBC_SHA [1, 2, 3]
  • 0x30 - TLS_DH_DSS_WITH_AES_128_CBC_SHA [3]
  • 0x31 - TLS_DH_RSA_WITH_AES_128_CBC_SHA [3]
  • 0x32 - TLS_DHE_DSS_WITH_AES_128_CBC_SHA [1, 2, 3]
  • 0x33 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA [1, 3]
  • 0x35 - TLS_RSA_WITH_AES_256_CBC_SHA [1, 2, 3]
  • 0x36 - TLS_DH_DSS_WITH_AES_256_CBC_SHA [3]
  • 0x37 - TLS_DH_RSA_WITH_AES_256_CBC_SHA [3]
  • 0x38 - TLS_DHE_DSS_WITH_AES_256_CBC_SHA [1, 2, 3]
  • 0x39 - TLS_DHE_RSA_WITH_AES_256_CBC_SHA [1, 3]
  • 0x3c - TLS_RSA_WITH_AES_128_CBC_SHA256 [2, 3]
  • 0x3d - TLS_RSA_WITH_AES_256_CBC_SHA256 [2, 3]
  • 0x3e - TLS_DH_DSS_WITH_AES_128_CBC_SHA256 [3]
  • 0x3f - TLS_DH_RSA_WITH_AES_128_CBC_SHA256 [3]
  • 0x40 - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 [2, 3]
  • 0x67 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 [3]
  • 0x68 - TLS_DH_DSS_WITH_AES_256_CBC_SHA256 [3]
  • 0x69 - TLS_DH_RSA_WITH_AES_256_CBC_SHA256 [3]
  • 0x6a - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 [2, 3]
  • 0x6b - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 [3]
  • 0x8b - TLS_PSK_WITH_3DES_EDE_CBC_SHA [3]
  • 0x8c - TLS_PSK_WITH_AES_128_CBC_SHA [3]
  • 0x8d - TLS_PSK_WITH_AES_256_CBC_SHA [3]
  • 0x8f - TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA [3]
  • 0x90 - TLS_DHE_PSK_WITH_AES_128_CBC_SHA [3]
  • 0x91 - TLS_DHE_PSK_WITH_AES_256_CBC_SHA [3]
  • 0x93 - TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA [3]
  • 0x94 - TLS_RSA_PSK_WITH_AES_128_CBC_SHA [3]
  • 0x95 - TLS_RSA_PSK_WITH_AES_256_CBC_SHA [3]
  • 0xc003 - TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA [1, 3]
  • 0xc004 - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA [1, 3]
  • 0xc005 - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA [1]
  • 0xc008 - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA [1, 3]
  • 0xc009 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA [1, 2, 3]
  • 0xc00a - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA [1, 2]
  • 0xc00d - TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA [1, 3]
  • 0xc00e - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA [1]
  • 0xc00f - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA [1]
  • 0xc012 - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA [1, 3]
  • 0xc013 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA [1, 2, 3]
  • 0xc014 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [1, 2]
  • 0xc017 - TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA [1]
  • 0xc018 - TLS_ECDH_anon_WITH_AES_128_CBC_SHA [1]
  • 0xc019 - TLS_ECDH_anon_WITH_AES_256_CBC_SHA [1]
  • 0xc023 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [2, 3]
  • 0xc024 - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 [2, 3]
  • 0xc025 - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 [3]
  • 0xc026 - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 [3]
  • 0xc027 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [2, 3]
  • 0xc028 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 [3]
  • 0xc029 - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 [3]
  • 0xc02a - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 [3]
  • 0xc02b - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [2, 3]
  • 0xc02c - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [2, 3]
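
The criteria and suite list above, combined into one check, as an added example that is not the SSL Labs assessment code. The thresholds and suite IDs are copied from this page; the function name, the input shape, the protocol strings and the choice to fail on an unlisted key type are assumptions.

```python
# Added example: suite IDs and thresholds come from this page; everything
# else (names, input shape, protocol strings) is assumed for illustration.
APPROVED_SUITES = {
    0x02, 0x0a, 0x0d, 0x10, 0x13, 0x16, 0x2f, 0x30, 0x31, 0x32, 0x33,
    0x35, 0x36, 0x37, 0x38, 0x39, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x67,
    0x68, 0x69, 0x6a, 0x6b, 0x8b, 0x8c, 0x8d, 0x8f, 0x90, 0x91, 0x93,
    0x94, 0x95, 0xc003, 0xc004, 0xc005, 0xc008, 0xc009, 0xc00a, 0xc00d,
    0xc00e, 0xc00f, 0xc012, 0xc013, 0xc014, 0xc017, 0xc018, 0xc019,
} | set(range(0xc023, 0xc02d))  # 0xc023 through 0xc02c inclusive

# Minimum private key sizes as stated on this page (1024 is the page's
# current value for RSA and DSA; it notes a planned change to 2048).
MIN_KEY_BITS = {"RSA": 1024, "DSA": 1024, "EC": 160}
FORBIDDEN_PROTOCOLS = {"SSL 2.0", "SSL 3.0"}


def fips_findings(cert_trusted, protocols, key_type, key_bits, suites):
    """Return the reasons a server fails the criteria; empty means pass."""
    findings = []
    if not cert_trusted:
        findings.append("certificate not trusted")
    for proto in sorted(FORBIDDEN_PROTOCOLS & set(protocols)):
        findings.append(f"{proto} supported")
    minimum = MIN_KEY_BITS.get(key_type.upper())
    if minimum is None:
        # Assumption: a key type the page does not list is treated as a failure.
        findings.append(f"unknown key type {key_type}")
    elif key_bits < minimum:
        findings.append(f"{key_type} key of {key_bits} bits is below {minimum}")
    # Every enabled suite must be on the list; one extra suite fails the check.
    for suite in sorted(set(suites) - APPROVED_SUITES):
        findings.append(f"suite 0x{suite:02x} not on the approved list")
    return findings


if __name__ == "__main__":
    # Constructed sample: SSL 3.0 still enabled, plus suite 0x05 (not listed).
    for line in fips_findings(True, ["SSL 3.0", "TLS 1.0"], "RSA", 1024,
                              [0x05, 0x2f]):
        print(line)
```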