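Whitelist of cipher suites allowed for TLS 1.2/TLS 1.3
IANA (the Internet Assigned Numbers Authority) assigns the code points for all TLS cipher suites. The tables below list all secure IANA cipher suites that currently meet Huawei's specification requirements. (Not every cipher suite recommended by IANA is accepted by all standards organizations, so Huawei filtered the list; the suites that remain satisfy the requirements of each organization.) Security level is rated HIGH or MEDIUM. A suite is rated HIGH if it supports perfect forward secrecy and uses AES symmetric encryption in an authenticated-encryption (GCM/CCM/CHACHA20-POLY1305) mode; this criterion may change as the security level of industry TLS practice changes. All other cipher suites that meet Huawei's specification requirements are rated MEDIUM.
Whitelist of cipher suites allowed for TLS 1.2
IANA code | IANA suite name | Security level |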
|---|---|---|
0x00,0x9E | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | HIGH |
0x00,0x9F | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | HIGH |
0x00,0xA2 | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | HIGH |
0x00,0xA3 | TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | HIGH |
0x00,0xA9 | TLS_PSK_WITH_AES_256_GCM_SHA384 | MEDIUM |
0x00,0xAA | TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 | HIGH |
0x00,0xAB | TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 | HIGH |
0xCC,0xAD | TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | HIGH |
0xC0,0x2B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | HIGH |
0xC0,0x2C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | HIGH |
0xC0,0x2F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | HIGH |
0xC0,0x30 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | HIGH |
0xCC,0xA8 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | HIGH |
0xCC,0xAC | TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | HIGH |
0xD0,0x01 | TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 | HIGH |
0xD0,0x02 | TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 | HIGH |
0xD0,0x05 | TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 | HIGH |
0xC0,0x9E | TLS_DHE_RSA_WITH_AES_128_CCM | HIGH |
0xC0,0x9F | TLS_DHE_RSA_WITH_AES_256_CCM | HIGH |
0xCC,0xAA | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | HIGH |
0xC0,0xA5 | TLS_PSK_WITH_AES_256_CCM | MEDIUM |
0xC0,0xA6 | TLS_DHE_PSK_WITH_AES_128_CCM | HIGH |
0xC0,0xA7 | TLS_DHE_PSK_WITH_AES_256_CCM | HIGH |
0xC0,0xAC | TLS_ECDHE_ECDSA_WITH_AES_128_CCM | HIGH |
0xC0,0xAD | TLS_ECDHE_ECDSA_WITH_AES_256_CCM | HIGH |
0xCC,0xA9 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | HIGH |
Whitelist of cipher suites allowed for TLS 1.3
IANA code | IANA suite name | Security level |
|---|---|---|
0x13,0x01 | TLS_AES_128_GCM_SHA256 | HIGH |
0x13,0x02 | TLS_AES_256_GCM_SHA384 | HIGH |
0x13,0x03 | TLS_CHACHA20_POLY1305_SHA256 | HIGH |
0x13,0x04 | TLS_AES_128_CCM_SHA256 | HIGH |
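Per RFC 8998, TLS 1.3 adds the Chinese national cryptographic algorithm (SM) cipher suites. These two suites must not be used with any other TLS version.
IANA code | IANA suite name |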
|---|---|
0x00,0xC6 | TLS_SM4_GCM_SM3 |
0x00,0xC7 | TLS_SM4_CCM_SM3 |
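
Added example (not part of the original page or of any Huawei tooling): a Python check that derives the HIGH/MEDIUM level from an IANA suite name using the rule stated above and audits a cipher list against the whitelists. The names `level` and `audit`, the constructed sample list, and the treatment of TLS 1.3 suites as forward secret are assumptions of this example.

```python
import re

# Suite names copied from the page's TLS 1.2 and TLS 1.3 tables.
WHITELIST = set("""
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_PSK_WITH_AES_256_GCM_SHA384 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384
TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 TLS_DHE_RSA_WITH_AES_128_CCM
TLS_DHE_RSA_WITH_AES_256_CCM TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_PSK_WITH_AES_256_CCM TLS_DHE_PSK_WITH_AES_128_CCM TLS_DHE_PSK_WITH_AES_256_CCM
TLS_ECDHE_ECDSA_WITH_AES_128_CCM TLS_ECDHE_ECDSA_WITH_AES_256_CCM
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256
""".split())
UNRATED = {"TLS_SM4_GCM_SM3", "TLS_SM4_CCM_SM3"}  # RFC 8998, TLS 1.3 only; page gives no level
AEAD_TAGS = ("_GCM", "_CCM", "CHACHA20_POLY1305")

def level(suite):
    """HIGH/MEDIUM per the page's rule, UNRATED for the SM suites, None if not whitelisted."""
    if suite in UNRATED:
        return "UNRATED"
    if suite not in WHITELIST:
        return None
    m = re.fullmatch(r"TLS_(.+)_WITH_(.+)", suite)
    if m:  # TLS 1.2 name: key exchange before _WITH_, cipher after it
        forward_secret = m.group(1).split("_")[0] in ("DHE", "ECDHE")
        cipher = m.group(2)
    else:  # TLS 1.3 name has no key exchange part; assumed forward secret here
        forward_secret, cipher = True, suite
    aead = any(tag in cipher for tag in AEAD_TAGS)
    return "HIGH" if forward_secret and aead else "MEDIUM"

def audit(offered):
    """Map each offered suite to its level; None marks a suite that should be disabled."""
    return {s: level(s) for s in offered}

# Constructed sample: a cipher list as it might be read from a server configuration.
SAMPLE = ["TLS_AES_128_GCM_SHA256", "TLS_PSK_WITH_AES_256_CCM",
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    for name, lvl in audit(SAMPLE).items():
        print(f"{name:45} {lvl or 'NOT ON WHITELIST'}")
```

Run over the full whitelist, the rule reproduces the tables: only the two plain-PSK suites come out MEDIUM, because their key exchange is not DHE or ECDHE.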

