1# Ciphers
2
3With curl's options `CURLOPT_SSL_CIPHER_LIST` and `--ciphers` users can
4control which ciphers to consider when negotiating TLS connections.
5
6The names of the known ciphers differ depending on which TLS backend that
7libcurl was built to use. This is an attempt to list known cipher names.
8
9## OpenSSL
10
11(based on [OpenSSL docs](https://www.openssl.org/docs/man1.1.0/apps/ciphers.html))
12
13### SSL3 cipher suites
14
15`NULL-MD5`
16`NULL-SHA`
17`RC4-MD5`
18`RC4-SHA`
19`IDEA-CBC-SHA`
20`DES-CBC3-SHA`
21`DH-DSS-DES-CBC3-SHA`
22`DH-RSA-DES-CBC3-SHA`
23`DHE-DSS-DES-CBC3-SHA`
24`DHE-RSA-DES-CBC3-SHA`
25`ADH-RC4-MD5`
26`ADH-DES-CBC3-SHA`
27
28### TLS v1.0 cipher suites
29
30`NULL-MD5`
31`NULL-SHA`
32`RC4-MD5`
33`RC4-SHA`
34`IDEA-CBC-SHA`
35`DES-CBC3-SHA`
36`DHE-DSS-DES-CBC3-SHA`
37`DHE-RSA-DES-CBC3-SHA`
38`ADH-RC4-MD5`
39`ADH-DES-CBC3-SHA`
40
41### AES ciphersuites from RFC3268, extending TLS v1.0
42
43`AES128-SHA`
44`AES256-SHA`
45`DH-DSS-AES128-SHA`
46`DH-DSS-AES256-SHA`
47`DH-RSA-AES128-SHA`
48`DH-RSA-AES256-SHA`
49`DHE-DSS-AES128-SHA`
50`DHE-DSS-AES256-SHA`
51`DHE-RSA-AES128-SHA`
52`DHE-RSA-AES256-SHA`
53`ADH-AES128-SHA`
54`ADH-AES256-SHA`
55
56### SEED ciphersuites from RFC4162, extending TLS v1.0
57
58`SEED-SHA`
59`DH-DSS-SEED-SHA`
60`DH-RSA-SEED-SHA`
61`DHE-DSS-SEED-SHA`
62`DHE-RSA-SEED-SHA`
63`ADH-SEED-SHA`
64
65### GOST ciphersuites, extending TLS v1.0
66
67`GOST94-GOST89-GOST89`
68`GOST2001-GOST89-GOST89`
69`GOST94-NULL-GOST94`
70`GOST2001-NULL-GOST94`
71
72### Elliptic curve cipher suites
73
74`ECDHE-RSA-NULL-SHA`
75`ECDHE-RSA-RC4-SHA`
76`ECDHE-RSA-DES-CBC3-SHA`
77`ECDHE-RSA-AES128-SHA`
78`ECDHE-RSA-AES256-SHA`
79`ECDHE-ECDSA-NULL-SHA`
80`ECDHE-ECDSA-RC4-SHA`
81`ECDHE-ECDSA-DES-CBC3-SHA`
82`ECDHE-ECDSA-AES128-SHA`
83`ECDHE-ECDSA-AES256-SHA`
84`AECDH-NULL-SHA`
85`AECDH-RC4-SHA`
86`AECDH-DES-CBC3-SHA`
87`AECDH-AES128-SHA`
88`AECDH-AES256-SHA`
89
90### TLS v1.2 cipher suites
91
92`NULL-SHA256`
93`AES128-SHA256`
94`AES256-SHA256`
95`AES128-GCM-SHA256`
96`AES256-GCM-SHA384`
97`DH-RSA-AES128-SHA256`
98`DH-RSA-AES256-SHA256`
99`DH-RSA-AES128-GCM-SHA256`
100`DH-RSA-AES256-GCM-SHA384`
101`DH-DSS-AES128-SHA256`
102`DH-DSS-AES256-SHA256`
103`DH-DSS-AES128-GCM-SHA256`
104`DH-DSS-AES256-GCM-SHA384`
105`DHE-RSA-AES128-SHA256`
106`DHE-RSA-AES256-SHA256`
107`DHE-RSA-AES128-GCM-SHA256`
108`DHE-RSA-AES256-GCM-SHA384`
109`DHE-DSS-AES128-SHA256`
110`DHE-DSS-AES256-SHA256`
111`DHE-DSS-AES128-GCM-SHA256`
112`DHE-DSS-AES256-GCM-SHA384`
113`ECDHE-RSA-AES128-SHA256`
114`ECDHE-RSA-AES256-SHA384`
115`ECDHE-RSA-AES128-GCM-SHA256`
116`ECDHE-RSA-AES256-GCM-SHA384`
117`ECDHE-ECDSA-AES128-SHA256`
118`ECDHE-ECDSA-AES256-SHA384`
119`ECDHE-ECDSA-AES128-GCM-SHA256`
120`ECDHE-ECDSA-AES256-GCM-SHA384`
121`ADH-AES128-SHA256`
122`ADH-AES256-SHA256`
123`ADH-AES128-GCM-SHA256`
124`ADH-AES256-GCM-SHA384`
125`AES128-CCM`
126`AES256-CCM`
127`DHE-RSA-AES128-CCM`
128`DHE-RSA-AES256-CCM`
129`AES128-CCM8`
130`AES256-CCM8`
131`DHE-RSA-AES128-CCM8`
132`DHE-RSA-AES256-CCM8`
133`ECDHE-ECDSA-AES128-CCM`
134`ECDHE-ECDSA-AES256-CCM`
135`ECDHE-ECDSA-AES128-CCM8`
136`ECDHE-ECDSA-AES256-CCM8`
137
138### Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2
139
140`ECDHE-ECDSA-CAMELLIA128-SHA256`
141`ECDHE-ECDSA-CAMELLIA256-SHA384`
142`ECDHE-RSA-CAMELLIA128-SHA256`
143`ECDHE-RSA-CAMELLIA256-SHA384`
144
145## NSS
146
147### Totally insecure
148
149`rc4`
150`rc4-md5`
151`rc4export`
152`rc2`
153`rc2export`
154`des`
155`desede3`
156
157###  SSL3/TLS cipher suites
158
159`rsa_rc4_128_md5`
160`rsa_rc4_128_sha`
161`rsa_3des_sha`
162`rsa_des_sha`
163`rsa_rc4_40_md5`
164`rsa_rc2_40_md5`
165`rsa_null_md5`
166`rsa_null_sha`
167`fips_3des_sha`
168`fips_des_sha`
169`fortezza`
170`fortezza_rc4_128_sha`
171`fortezza_null`
172
173### TLS 1.0 Exportable 56-bit Cipher Suites
174
175`rsa_des_56_sha`
176`rsa_rc4_56_sha`
177
178### AES ciphers
179
180`dhe_dss_aes_128_cbc_sha`
181`dhe_dss_aes_256_cbc_sha`
182`dhe_rsa_aes_128_cbc_sha`
183`dhe_rsa_aes_256_cbc_sha`
184`rsa_aes_128_sha`
185`rsa_aes_256_sha`
186
187### ECC ciphers
188
189`ecdh_ecdsa_null_sha`
190`ecdh_ecdsa_rc4_128_sha`
191`ecdh_ecdsa_3des_sha`
192`ecdh_ecdsa_aes_128_sha`
193`ecdh_ecdsa_aes_256_sha`
194`ecdhe_ecdsa_null_sha`
195`ecdhe_ecdsa_rc4_128_sha`
196`ecdhe_ecdsa_3des_sha`
197`ecdhe_ecdsa_aes_128_sha`
198`ecdhe_ecdsa_aes_256_sha`
199`ecdh_rsa_null_sha`
200`ecdh_rsa_128_sha`
201`ecdh_rsa_3des_sha`
202`ecdh_rsa_aes_128_sha`
203`ecdh_rsa_aes_256_sha`
204`ecdhe_rsa_null`
205`ecdhe_rsa_rc4_128_sha`
206`ecdhe_rsa_3des_sha`
207`ecdhe_rsa_aes_128_sha`
208`ecdhe_rsa_aes_256_sha`
209`ecdh_anon_null_sha`
210`ecdh_anon_rc4_128sha`
211`ecdh_anon_3des_sha`
212`ecdh_anon_aes_128_sha`
213`ecdh_anon_aes_256_sha`
214
215### HMAC-SHA256 cipher suites
216
217`rsa_null_sha_256`
218`rsa_aes_128_cbc_sha_256`
219`rsa_aes_256_cbc_sha_256`
220`dhe_rsa_aes_128_cbc_sha_256`
221`dhe_rsa_aes_256_cbc_sha_256`
222`ecdhe_ecdsa_aes_128_cbc_sha_256`
223`ecdhe_rsa_aes_128_cbc_sha_256`
224
225### AES GCM cipher suites in RFC 5288 and RFC 5289
226
227`rsa_aes_128_gcm_sha_256`
228`dhe_rsa_aes_128_gcm_sha_256`
229`dhe_dss_aes_128_gcm_sha_256`
230`ecdhe_ecdsa_aes_128_gcm_sha_256`
231`ecdh_ecdsa_aes_128_gcm_sha_256`
232`ecdhe_rsa_aes_128_gcm_sha_256`
233`ecdh_rsa_aes_128_gcm_sha_256`
234
235### cipher suites using SHA384
236
237`rsa_aes_256_gcm_sha_384`
238`dhe_rsa_aes_256_gcm_sha_384`
239`dhe_dss_aes_256_gcm_sha_384`
240`ecdhe_ecdsa_aes_256_sha_384`
241`ecdhe_rsa_aes_256_sha_384`
242`ecdhe_ecdsa_aes_256_gcm_sha_384`
243`ecdhe_rsa_aes_256_gcm_sha_384`
244
245### chacha20-poly1305 cipher suites
246
247`ecdhe_rsa_chacha20_poly1305_sha_256`
248`ecdhe_ecdsa_chacha20_poly1305_sha_256`
249`dhe_rsa_chacha20_poly1305_sha_256`
250
251## GSKit
252
253Ciphers are internally defined as numeric codes (https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/apis/gsk_attribute_set_buffer.htm),
254but libcurl maps them to the following case-insensitive names.
255
256### SSL2 cipher suites (insecure: disabled by default)
257
258`rc2-md5`
259`rc4-md5`
260`exp-rc2-md5`
261`exp-rc4-md5`
262`des-cbc-md5`
263`des-cbc3-md5`
264
265### SSL3 cipher suites
266
267`null-md5`
268`null-sha`
269`rc4-md5`
270`rc4-sha`
271`exp-rc2-cbc-md5`
272`exp-rc4-md5`
273`exp-des-cbc-sha`
274`des-cbc3-sha`
275
276### TLS v1.0 cipher suites
277
278`null-md5`
279`null-sha`
280`rc4-md5`
281`rc4-sha`
282`exp-rc2-cbc-md5`
283`exp-rc4-md5`
284`exp-des-cbc-sha`
285`des-cbc3-sha`
286`aes128-sha`
287`aes256-sha`
288
289### TLS v1.1 cipher suites
290
291`null-md5`
292`null-sha`
293`rc4-md5`
294`rc4-sha`
295`exp-des-cbc-sha`
296`des-cbc3-sha`
297`aes128-sha`
298`aes256-sha`
299
300### TLS v1.2 cipher suites
301
302`null-md5`
303`null-sha`
304`null-sha256`
305`rc4-md5`
306`rc4-sha`
307`des-cbc3-sha`
308`aes128-sha`
309`aes256-sha`
310`aes128-sha256`
311`aes256-sha256`
312`aes128-gcm-sha256`
313`aes256-gcm-sha384`
314
315## WolfSSL
316
317`RC4-SHA`,
318`RC4-MD5`,
319`DES-CBC3-SHA`,
320`AES128-SHA`,
321`AES256-SHA`,
322`NULL-SHA`,
323`NULL-SHA256`,
324`DHE-RSA-AES128-SHA`,
325`DHE-RSA-AES256-SHA`,
326`DHE-PSK-AES256-GCM-SHA384`,
327`DHE-PSK-AES128-GCM-SHA256`,
328`PSK-AES256-GCM-SHA384`,
329`PSK-AES128-GCM-SHA256`,
330`DHE-PSK-AES256-CBC-SHA384`,
331`DHE-PSK-AES128-CBC-SHA256`,
332`PSK-AES256-CBC-SHA384`,
333`PSK-AES128-CBC-SHA256`,
334`PSK-AES128-CBC-SHA`,
335`PSK-AES256-CBC-SHA`,
336`DHE-PSK-AES128-CCM`,
337`DHE-PSK-AES256-CCM`,
338`PSK-AES128-CCM`,
339`PSK-AES256-CCM`,
340`PSK-AES128-CCM-8`,
341`PSK-AES256-CCM-8`,
342`DHE-PSK-NULL-SHA384`,
343`DHE-PSK-NULL-SHA256`,
344`PSK-NULL-SHA384`,
345`PSK-NULL-SHA256`,
346`PSK-NULL-SHA`,
347`HC128-MD5`,
348`HC128-SHA`,
349`HC128-B2B256`,
350`AES128-B2B256`,
351`AES256-B2B256`,
352`RABBIT-SHA`,
353`NTRU-RC4-SHA`,
354`NTRU-DES-CBC3-SHA`,
355`NTRU-AES128-SHA`,
356`NTRU-AES256-SHA`,
357`AES128-CCM-8`,
358`AES256-CCM-8`,
359`ECDHE-ECDSA-AES128-CCM`,
360`ECDHE-ECDSA-AES128-CCM-8`,
361`ECDHE-ECDSA-AES256-CCM-8`,
362`ECDHE-RSA-AES128-SHA`,
363`ECDHE-RSA-AES256-SHA`,
364`ECDHE-ECDSA-AES128-SHA`,
365`ECDHE-ECDSA-AES256-SHA`,
366`ECDHE-RSA-RC4-SHA`,
367`ECDHE-RSA-DES-CBC3-SHA`,
368`ECDHE-ECDSA-RC4-SHA`,
369`ECDHE-ECDSA-DES-CBC3-SHA`,
370`AES128-SHA256`,
371`AES256-SHA256`,
372`DHE-RSA-AES128-SHA256`,
373`DHE-RSA-AES256-SHA256`,
374`ECDH-RSA-AES128-SHA`,
375`ECDH-RSA-AES256-SHA`,
376`ECDH-ECDSA-AES128-SHA`,
377`ECDH-ECDSA-AES256-SHA`,
378`ECDH-RSA-RC4-SHA`,
379`ECDH-RSA-DES-CBC3-SHA`,
380`ECDH-ECDSA-RC4-SHA`,
381`ECDH-ECDSA-DES-CBC3-SHA`,
382`AES128-GCM-SHA256`,
383`AES256-GCM-SHA384`,
384`DHE-RSA-AES128-GCM-SHA256`,
385`DHE-RSA-AES256-GCM-SHA384`,
386`ECDHE-RSA-AES128-GCM-SHA256`,
387`ECDHE-RSA-AES256-GCM-SHA384`,
388`ECDHE-ECDSA-AES128-GCM-SHA256`,
389`ECDHE-ECDSA-AES256-GCM-SHA384`,
390`ECDH-RSA-AES128-GCM-SHA256`,
391`ECDH-RSA-AES256-GCM-SHA384`,
392`ECDH-ECDSA-AES128-GCM-SHA256`,
393`ECDH-ECDSA-AES256-GCM-SHA384`,
394`CAMELLIA128-SHA`,
395`DHE-RSA-CAMELLIA128-SHA`,
396`CAMELLIA256-SHA`,
397`DHE-RSA-CAMELLIA256-SHA`,
398`CAMELLIA128-SHA256`,
399`DHE-RSA-CAMELLIA128-SHA256`,
400`CAMELLIA256-SHA256`,
401`DHE-RSA-CAMELLIA256-SHA256`,
402`ECDHE-RSA-AES128-SHA256`,
403`ECDHE-ECDSA-AES128-SHA256`,
404`ECDH-RSA-AES128-SHA256`,
405`ECDH-ECDSA-AES128-SHA256`,
406`ECDHE-RSA-AES256-SHA384`,
407`ECDHE-ECDSA-AES256-SHA384`,
408`ECDH-RSA-AES256-SHA384`,
409`ECDH-ECDSA-AES256-SHA384`,
410`ECDHE-RSA-CHACHA20-POLY1305`,
411`ECDHE-ECDSA-CHACHA20-POLY1305`,
412`DHE-RSA-CHACHA20-POLY1305`,
413`ECDHE-RSA-CHACHA20-POLY1305-OLD`,
414`ECDHE-ECDSA-CHACHA20-POLY1305-OLD`,
415`DHE-RSA-CHACHA20-POLY1305-OLD`,
416`ADH-AES128-SHA`,
417`QSH`,
418`RENEGOTIATION-INFO`,
419`IDEA-CBC-SHA`,
420`ECDHE-ECDSA-NULL-SHA`,
421`ECDHE-PSK-NULL-SHA256`,
422`ECDHE-PSK-AES128-CBC-SHA256`,
423`PSK-CHACHA20-POLY1305`,
424`ECDHE-PSK-CHACHA20-POLY1305`,
425`DHE-PSK-CHACHA20-POLY1305`,
426`EDH-RSA-DES-CBC3-SHA`,
427