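Whitelist of Cipher Suites Permitted for TLS 1.2/TLS 1.3
IANA (Internet Assigned Numbers Authority) assigns the code points for all TLS cipher suites. The tables below list all secure IANA cipher suites that currently meet Huawei's specification requirements. Not every standards organization accepts all of the cipher suites recommended by IANA, so Huawei has filtered them; the suites that remain meet the requirements of each organization. Security is rated at two levels, HIGH and MEDIUM. A suite is rated HIGH if it supports perfect forward secrecy and uses the AES symmetric encryption algorithm in an authenticated-encryption (GCM/CCM/CHACHA20-POLY1305) mode (this criterion may change in the future as the security level of industry TLS practice changes). The remaining cipher suites that meet Huawei's specification requirements are rated MEDIUM.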
Whitelist of Cipher Suites Permitted for TLS 1.2

| IANA code | IANA suite name | Security level |
|---|---|---|
| 0x00,0x9E | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | HIGH |
| 0x00,0x9F | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | HIGH |
| 0x00,0xA2 | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | HIGH |
| 0x00,0xA3 | TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | HIGH |
| 0x00,0xA9 | TLS_PSK_WITH_AES_256_GCM_SHA384 | MEDIUM |
| 0x00,0xAA | TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 | HIGH |
| 0x00,0xAB | TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 | HIGH |
| 0xCC,0xAD | TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | HIGH |
| 0xC0,0x2B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | HIGH |
| 0xC0,0x2C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | HIGH |
| 0xC0,0x2F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | HIGH |
| 0xC0,0x30 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | HIGH |
| 0xCC,0xA8 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | HIGH |
| 0xCC,0xAC | TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | HIGH |
| 0xD0,0x01 | TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 | HIGH |
| 0xD0,0x02 | TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 | HIGH |
| 0xD0,0x05 | TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 | HIGH |
| 0xC0,0x9E | TLS_DHE_RSA_WITH_AES_128_CCM | HIGH |
| 0xC0,0x9F | TLS_DHE_RSA_WITH_AES_256_CCM | HIGH |
| 0xCC,0xAA | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | HIGH |
| 0xC0,0xA5 | TLS_PSK_WITH_AES_256_CCM | MEDIUM |
| 0xC0,0xA6 | TLS_DHE_PSK_WITH_AES_128_CCM | HIGH |
| 0xC0,0xA7 | TLS_DHE_PSK_WITH_AES_256_CCM | HIGH |
| 0xC0,0xAC | TLS_ECDHE_ECDSA_WITH_AES_128_CCM | HIGH |
| 0xC0,0xAD | TLS_ECDHE_ECDSA_WITH_AES_256_CCM | HIGH |
| 0xCC,0xA9 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | HIGH |

Whitelist of Cipher Suites Permitted for TLS 1.3

| IANA code | IANA suite name | Security level |
|---|---|---|
| 0x13,0x01 | TLS_AES_128_GCM_SHA256 | HIGH |
| 0x13,0x02 | TLS_AES_256_GCM_SHA384 | HIGH |
| 0x13,0x03 | TLS_CHACHA20_POLY1305_SHA256 | HIGH |
| 0x13,0x04 | TLS_AES_128_CCM_SHA256 | HIGH |

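Per RFC 8998, TLS 1.3 adds cipher suites based on the Chinese national cryptographic (SM) algorithms. These two cipher suites cannot be used with other TLS versions.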

| IANA code | IANA suite name |
|---|---|
| 0x00,0xC6 | TLS_SM4_GCM_SM3 |
| 0x00,0xC7 | TLS_SM4_CCM_SM3 |
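
The following is an added example, not part of the original page or of any Huawei tooling: a Python check that extracts the cipher suites a client offers in a TLS ClientHello and sorts them by the tables above. The function names, the `SM_TLS13_ONLY` and `NOT_ALLOWED` labels, and the sample ClientHello are assumptions constructed for illustration; the code points are copied from this page.

```python
# Code points copied from this page's tables (0xC0,0x2F -> C02F); labels are assumptions.
def codes(s: str) -> set[int]:
    return {int(c, 16) for c in s.split()}

HIGH = codes("009E 009F 00A2 00A3 00AA 00AB CCAD C02B C02C C02F C030 CCA8 CCAC "
             "D001 D002 D005 C09E C09F CCAA C0A6 C0A7 C0AC C0AD CCA9 "  # TLS 1.2
             "1301 1302 1303 1304")                                     # TLS 1.3
MEDIUM = codes("00A9 C0A5")
SM_TLS13 = codes("00C6 00C7")  # RFC 8998 suites: valid for TLS 1.3 only

def offered_suites(record: bytes) -> list[int]:
    """Extract the cipher_suites code points from one TLS ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32        # record hdr, handshake hdr, legacy_version, random
    pos += 1 + record[pos]      # skip legacy_session_id
    n = int.from_bytes(record[pos:pos + 2], "big")
    body = record[pos + 2:pos + 2 + n]
    if n == 0 or n % 2 or len(body) != n:
        raise ValueError("truncated or malformed cipher_suites vector")
    return [int.from_bytes(body[i:i + 2], "big") for i in range(0, n, 2)]

def is_signalling(c: int) -> bool:
    """GREASE values (RFC 8701) and SCSVs are not real suites; skip them."""
    grease = (c >> 8) == (c & 0xFF) and (c & 0x0F) == 0x0A
    return grease or c in (0x00FF, 0x5600)

def audit(record: bytes) -> dict[str, list[str]]:
    """Sort every offered suite into the page's categories or NOT_ALLOWED."""
    report = {"HIGH": [], "MEDIUM": [], "SM_TLS13_ONLY": [], "NOT_ALLOWED": []}
    for c in offered_suites(record):
        if is_signalling(c):
            continue
        level = ("HIGH" if c in HIGH else "MEDIUM" if c in MEDIUM
                 else "SM_TLS13_ONLY" if c in SM_TLS13 else "NOT_ALLOWED")
        report[level].append(f"0x{c >> 8:02X},0x{c & 0xFF:02X}")
    return report

def sample_client_hello(suites: list[int]) -> bytes:
    """Constructed, extension-less ClientHello used only as demo input."""
    cs = b"".join(c.to_bytes(2, "big") for c in suites)
    body = b"\x03\x03" + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    demo = sample_client_hello([0x1A1A, 0x1301, 0xC02F, 0x00A9, 0x00C6, 0x002F, 0x00FF])
    for level, found in audit(demo).items():
        print(f"{level:14} {', '.join(found) or '-'}")
```

Anything reported under `NOT_ALLOWED` is a suite the peer offers that is absent from the tables on this page. A suite under `SM_TLS13_ONLY` is acceptable only when the negotiated version is TLS 1.3.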