1# Ciphers 2 3With curl's options `CURLOPT_SSL_CIPHER_LIST` and `--ciphers` users can 4control which ciphers to consider when negotiating TLS connections. 5 6The names of the known ciphers differ depending on which TLS backend that 7libcurl was built to use. This is an attempt to list known cipher names. 8 9## OpenSSL 10 11(based on [OpenSSL docs](https://www.openssl.org/docs/man1.1.0/apps/ciphers.html)) 12 13### SSL3 cipher suites 14 15`NULL-MD5` 16`NULL-SHA` 17`RC4-MD5` 18`RC4-SHA` 19`IDEA-CBC-SHA` 20`DES-CBC3-SHA` 21`DH-DSS-DES-CBC3-SHA` 22`DH-RSA-DES-CBC3-SHA` 23`DHE-DSS-DES-CBC3-SHA` 24`DHE-RSA-DES-CBC3-SHA` 25`ADH-RC4-MD5` 26`ADH-DES-CBC3-SHA` 27 28### TLS v1.0 cipher suites 29 30`NULL-MD5` 31`NULL-SHA` 32`RC4-MD5` 33`RC4-SHA` 34`IDEA-CBC-SHA` 35`DES-CBC3-SHA` 36`DHE-DSS-DES-CBC3-SHA` 37`DHE-RSA-DES-CBC3-SHA` 38`ADH-RC4-MD5` 39`ADH-DES-CBC3-SHA` 40 41### AES ciphersuites from RFC3268, extending TLS v1.0 42 43`AES128-SHA` 44`AES256-SHA` 45`DH-DSS-AES128-SHA` 46`DH-DSS-AES256-SHA` 47`DH-RSA-AES128-SHA` 48`DH-RSA-AES256-SHA` 49`DHE-DSS-AES128-SHA` 50`DHE-DSS-AES256-SHA` 51`DHE-RSA-AES128-SHA` 52`DHE-RSA-AES256-SHA` 53`ADH-AES128-SHA` 54`ADH-AES256-SHA` 55 56### SEED ciphersuites from RFC4162, extending TLS v1.0 57 58`SEED-SHA` 59`DH-DSS-SEED-SHA` 60`DH-RSA-SEED-SHA` 61`DHE-DSS-SEED-SHA` 62`DHE-RSA-SEED-SHA` 63`ADH-SEED-SHA` 64 65### GOST ciphersuites, extending TLS v1.0 66 67`GOST94-GOST89-GOST89` 68`GOST2001-GOST89-GOST89` 69`GOST94-NULL-GOST94` 70`GOST2001-NULL-GOST94` 71 72### Elliptic curve cipher suites 73 74`ECDHE-RSA-NULL-SHA` 75`ECDHE-RSA-RC4-SHA` 76`ECDHE-RSA-DES-CBC3-SHA` 77`ECDHE-RSA-AES128-SHA` 78`ECDHE-RSA-AES256-SHA` 79`ECDHE-ECDSA-NULL-SHA` 80`ECDHE-ECDSA-RC4-SHA` 81`ECDHE-ECDSA-DES-CBC3-SHA` 82`ECDHE-ECDSA-AES128-SHA` 83`ECDHE-ECDSA-AES256-SHA` 84`AECDH-NULL-SHA` 85`AECDH-RC4-SHA` 86`AECDH-DES-CBC3-SHA` 87`AECDH-AES128-SHA` 88`AECDH-AES256-SHA` 89 90### TLS v1.2 cipher suites 91 92`NULL-SHA256` 93`AES128-SHA256` 94`AES256-SHA256` 95`AES128-GCM-SHA256` 96`AES256-GCM-SHA384` 97`DH-RSA-AES128-SHA256` 98`DH-RSA-AES256-SHA256` 99`DH-RSA-AES128-GCM-SHA256` 100`DH-RSA-AES256-GCM-SHA384` 101`DH-DSS-AES128-SHA256` 102`DH-DSS-AES256-SHA256` 103`DH-DSS-AES128-GCM-SHA256` 104`DH-DSS-AES256-GCM-SHA384` 105`DHE-RSA-AES128-SHA256` 106`DHE-RSA-AES256-SHA256` 107`DHE-RSA-AES128-GCM-SHA256` 108`DHE-RSA-AES256-GCM-SHA384` 109`DHE-DSS-AES128-SHA256` 110`DHE-DSS-AES256-SHA256` 111`DHE-DSS-AES128-GCM-SHA256` 112`DHE-DSS-AES256-GCM-SHA384` 113`ECDHE-RSA-AES128-SHA256` 114`ECDHE-RSA-AES256-SHA384` 115`ECDHE-RSA-AES128-GCM-SHA256` 116`ECDHE-RSA-AES256-GCM-SHA384` 117`ECDHE-ECDSA-AES128-SHA256` 118`ECDHE-ECDSA-AES256-SHA384` 119`ECDHE-ECDSA-AES128-GCM-SHA256` 120`ECDHE-ECDSA-AES256-GCM-SHA384` 121`ADH-AES128-SHA256` 122`ADH-AES256-SHA256` 123`ADH-AES128-GCM-SHA256` 124`ADH-AES256-GCM-SHA384` 125`AES128-CCM` 126`AES256-CCM` 127`DHE-RSA-AES128-CCM` 128`DHE-RSA-AES256-CCM` 129`AES128-CCM8` 130`AES256-CCM8` 131`DHE-RSA-AES128-CCM8` 132`DHE-RSA-AES256-CCM8` 133`ECDHE-ECDSA-AES128-CCM` 134`ECDHE-ECDSA-AES256-CCM` 135`ECDHE-ECDSA-AES128-CCM8` 136`ECDHE-ECDSA-AES256-CCM8` 137 138### Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2 139 140`ECDHE-ECDSA-CAMELLIA128-SHA256` 141`ECDHE-ECDSA-CAMELLIA256-SHA384` 142`ECDHE-RSA-CAMELLIA128-SHA256` 143`ECDHE-RSA-CAMELLIA256-SHA384` 144 145## NSS 146 147### Totally insecure 148 149`rc4` 150`rc4-md5` 151`rc4export` 152`rc2` 153`rc2export` 154`des` 155`desede3` 156 157### SSL3/TLS cipher suites 158 159`rsa_rc4_128_md5` 160`rsa_rc4_128_sha` 161`rsa_3des_sha` 162`rsa_des_sha` 163`rsa_rc4_40_md5` 164`rsa_rc2_40_md5` 165`rsa_null_md5` 166`rsa_null_sha` 167`fips_3des_sha` 168`fips_des_sha` 169`fortezza` 170`fortezza_rc4_128_sha` 171`fortezza_null` 172 173### TLS 1.0 Exportable 56-bit Cipher Suites 174 175`rsa_des_56_sha` 176`rsa_rc4_56_sha` 177 178### AES ciphers 179 180`dhe_dss_aes_128_cbc_sha` 181`dhe_dss_aes_256_cbc_sha` 182`dhe_rsa_aes_128_cbc_sha` 183`dhe_rsa_aes_256_cbc_sha` 184`rsa_aes_128_sha` 185`rsa_aes_256_sha` 186 187### ECC ciphers 188 189`ecdh_ecdsa_null_sha` 190`ecdh_ecdsa_rc4_128_sha` 191`ecdh_ecdsa_3des_sha` 192`ecdh_ecdsa_aes_128_sha` 193`ecdh_ecdsa_aes_256_sha` 194`ecdhe_ecdsa_null_sha` 195`ecdhe_ecdsa_rc4_128_sha` 196`ecdhe_ecdsa_3des_sha` 197`ecdhe_ecdsa_aes_128_sha` 198`ecdhe_ecdsa_aes_256_sha` 199`ecdh_rsa_null_sha` 200`ecdh_rsa_128_sha` 201`ecdh_rsa_3des_sha` 202`ecdh_rsa_aes_128_sha` 203`ecdh_rsa_aes_256_sha` 204`ecdhe_rsa_null` 205`ecdhe_rsa_rc4_128_sha` 206`ecdhe_rsa_3des_sha` 207`ecdhe_rsa_aes_128_sha` 208`ecdhe_rsa_aes_256_sha` 209`ecdh_anon_null_sha` 210`ecdh_anon_rc4_128sha` 211`ecdh_anon_3des_sha` 212`ecdh_anon_aes_128_sha` 213`ecdh_anon_aes_256_sha` 214 215### HMAC-SHA256 cipher suites 216 217`rsa_null_sha_256` 218`rsa_aes_128_cbc_sha_256` 219`rsa_aes_256_cbc_sha_256` 220`dhe_rsa_aes_128_cbc_sha_256` 221`dhe_rsa_aes_256_cbc_sha_256` 222`ecdhe_ecdsa_aes_128_cbc_sha_256` 223`ecdhe_rsa_aes_128_cbc_sha_256` 224 225### AES GCM cipher suites in RFC 5288 and RFC 5289 226 227`rsa_aes_128_gcm_sha_256` 228`dhe_rsa_aes_128_gcm_sha_256` 229`dhe_dss_aes_128_gcm_sha_256` 230`ecdhe_ecdsa_aes_128_gcm_sha_256` 231`ecdh_ecdsa_aes_128_gcm_sha_256` 232`ecdhe_rsa_aes_128_gcm_sha_256` 233`ecdh_rsa_aes_128_gcm_sha_256` 234 235### cipher suites using SHA384 236 237`rsa_aes_256_gcm_sha_384` 238`dhe_rsa_aes_256_gcm_sha_384` 239`dhe_dss_aes_256_gcm_sha_384` 240`ecdhe_ecdsa_aes_256_sha_384` 241`ecdhe_rsa_aes_256_sha_384` 242`ecdhe_ecdsa_aes_256_gcm_sha_384` 243`ecdhe_rsa_aes_256_gcm_sha_384` 244 245### chacha20-poly1305 cipher suites 246 247`ecdhe_rsa_chacha20_poly1305_sha_256` 248`ecdhe_ecdsa_chacha20_poly1305_sha_256` 249`dhe_rsa_chacha20_poly1305_sha_256` 250 251## GSKit 252 253Ciphers are internally defined as numeric codes (https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/apis/gsk_attribute_set_buffer.htm), 254but libcurl maps them to the following case-insensitive names. 255 256### SSL2 cipher suites (insecure: disabled by default) 257 258`rc2-md5` 259`rc4-md5` 260`exp-rc2-md5` 261`exp-rc4-md5` 262`des-cbc-md5` 263`des-cbc3-md5` 264 265### SSL3 cipher suites 266 267`null-md5` 268`null-sha` 269`rc4-md5` 270`rc4-sha` 271`exp-rc2-cbc-md5` 272`exp-rc4-md5` 273`exp-des-cbc-sha` 274`des-cbc3-sha` 275 276### TLS v1.0 cipher suites 277 278`null-md5` 279`null-sha` 280`rc4-md5` 281`rc4-sha` 282`exp-rc2-cbc-md5` 283`exp-rc4-md5` 284`exp-des-cbc-sha` 285`des-cbc3-sha` 286`aes128-sha` 287`aes256-sha` 288 289### TLS v1.1 cipher suites 290 291`null-md5` 292`null-sha` 293`rc4-md5` 294`rc4-sha` 295`exp-des-cbc-sha` 296`des-cbc3-sha` 297`aes128-sha` 298`aes256-sha` 299 300### TLS v1.2 cipher suites 301 302`null-md5` 303`null-sha` 304`null-sha256` 305`rc4-md5` 306`rc4-sha` 307`des-cbc3-sha` 308`aes128-sha` 309`aes256-sha` 310`aes128-sha256` 311`aes256-sha256` 312`aes128-gcm-sha256` 313`aes256-gcm-sha384` 314 315## WolfSSL 316 317`RC4-SHA`, 318`RC4-MD5`, 319`DES-CBC3-SHA`, 320`AES128-SHA`, 321`AES256-SHA`, 322`NULL-SHA`, 323`NULL-SHA256`, 324`DHE-RSA-AES128-SHA`, 325`DHE-RSA-AES256-SHA`, 326`DHE-PSK-AES256-GCM-SHA384`, 327`DHE-PSK-AES128-GCM-SHA256`, 328`PSK-AES256-GCM-SHA384`, 329`PSK-AES128-GCM-SHA256`, 330`DHE-PSK-AES256-CBC-SHA384`, 331`DHE-PSK-AES128-CBC-SHA256`, 332`PSK-AES256-CBC-SHA384`, 333`PSK-AES128-CBC-SHA256`, 334`PSK-AES128-CBC-SHA`, 335`PSK-AES256-CBC-SHA`, 336`DHE-PSK-AES128-CCM`, 337`DHE-PSK-AES256-CCM`, 338`PSK-AES128-CCM`, 339`PSK-AES256-CCM`, 340`PSK-AES128-CCM-8`, 341`PSK-AES256-CCM-8`, 342`DHE-PSK-NULL-SHA384`, 343`DHE-PSK-NULL-SHA256`, 344`PSK-NULL-SHA384`, 345`PSK-NULL-SHA256`, 346`PSK-NULL-SHA`, 347`HC128-MD5`, 348`HC128-SHA`, 349`HC128-B2B256`, 350`AES128-B2B256`, 351`AES256-B2B256`, 352`RABBIT-SHA`, 353`NTRU-RC4-SHA`, 354`NTRU-DES-CBC3-SHA`, 355`NTRU-AES128-SHA`, 356`NTRU-AES256-SHA`, 357`AES128-CCM-8`, 358`AES256-CCM-8`, 359`ECDHE-ECDSA-AES128-CCM`, 360`ECDHE-ECDSA-AES128-CCM-8`, 361`ECDHE-ECDSA-AES256-CCM-8`, 362`ECDHE-RSA-AES128-SHA`, 363`ECDHE-RSA-AES256-SHA`, 364`ECDHE-ECDSA-AES128-SHA`, 365`ECDHE-ECDSA-AES256-SHA`, 366`ECDHE-RSA-RC4-SHA`, 367`ECDHE-RSA-DES-CBC3-SHA`, 368`ECDHE-ECDSA-RC4-SHA`, 369`ECDHE-ECDSA-DES-CBC3-SHA`, 370`AES128-SHA256`, 371`AES256-SHA256`, 372`DHE-RSA-AES128-SHA256`, 373`DHE-RSA-AES256-SHA256`, 374`ECDH-RSA-AES128-SHA`, 375`ECDH-RSA-AES256-SHA`, 376`ECDH-ECDSA-AES128-SHA`, 377`ECDH-ECDSA-AES256-SHA`, 378`ECDH-RSA-RC4-SHA`, 379`ECDH-RSA-DES-CBC3-SHA`, 380`ECDH-ECDSA-RC4-SHA`, 381`ECDH-ECDSA-DES-CBC3-SHA`, 382`AES128-GCM-SHA256`, 383`AES256-GCM-SHA384`, 384`DHE-RSA-AES128-GCM-SHA256`, 385`DHE-RSA-AES256-GCM-SHA384`, 386`ECDHE-RSA-AES128-GCM-SHA256`, 387`ECDHE-RSA-AES256-GCM-SHA384`, 388`ECDHE-ECDSA-AES128-GCM-SHA256`, 389`ECDHE-ECDSA-AES256-GCM-SHA384`, 390`ECDH-RSA-AES128-GCM-SHA256`, 391`ECDH-RSA-AES256-GCM-SHA384`, 392`ECDH-ECDSA-AES128-GCM-SHA256`, 393`ECDH-ECDSA-AES256-GCM-SHA384`, 394`CAMELLIA128-SHA`, 395`DHE-RSA-CAMELLIA128-SHA`, 396`CAMELLIA256-SHA`, 397`DHE-RSA-CAMELLIA256-SHA`, 398`CAMELLIA128-SHA256`, 399`DHE-RSA-CAMELLIA128-SHA256`, 400`CAMELLIA256-SHA256`, 401`DHE-RSA-CAMELLIA256-SHA256`, 402`ECDHE-RSA-AES128-SHA256`, 403`ECDHE-ECDSA-AES128-SHA256`, 404`ECDH-RSA-AES128-SHA256`, 405`ECDH-ECDSA-AES128-SHA256`, 406`ECDHE-RSA-AES256-SHA384`, 407`ECDHE-ECDSA-AES256-SHA384`, 408`ECDH-RSA-AES256-SHA384`, 409`ECDH-ECDSA-AES256-SHA384`, 410`ECDHE-RSA-CHACHA20-POLY1305`, 411`ECDHE-ECDSA-CHACHA20-POLY1305`, 412`DHE-RSA-CHACHA20-POLY1305`, 413`ECDHE-RSA-CHACHA20-POLY1305-OLD`, 414`ECDHE-ECDSA-CHACHA20-POLY1305-OLD`, 415`DHE-RSA-CHACHA20-POLY1305-OLD`, 416`ADH-AES128-SHA`, 417`QSH`, 418`RENEGOTIATION-INFO`, 419`IDEA-CBC-SHA`, 420`ECDHE-ECDSA-NULL-SHA`, 421`ECDHE-PSK-NULL-SHA256`, 422`ECDHE-PSK-AES128-CBC-SHA256`, 423`PSK-CHACHA20-POLY1305`, 424`ECDHE-PSK-CHACHA20-POLY1305`, 425`DHE-PSK-CHACHA20-POLY1305`, 426`EDH-RSA-DES-CBC3-SHA`, 427