3

May I know which are all forward secrecy ciphers supported in TLSv1.0 protocols?

Gene Gotimer
PURE
  • possible duplicate of [ECDH and Forward Secrecy](http://security.stackexchange.com/questions/33233/ecdh-and-forward-secrecy) – RoraΖ Dec 04 '14 at 16:15
  • 1
    @raz Not a duplicate, because the other question is about how forward secrecy works, whereas this one presupposes that knowledge and is about implementations in TLS 1.0, which isn't covered at all there. – Xander Dec 04 '14 at 16:36

1 Answer

4

As listed in the OpenSSL docs, the following TLS 1.0 suites support PFS via Diffie-Hellman Ephemeral:

 TLS_DHE_DSS_WITH_DES_CBC_SHA            DHE-DSS-CBC-SHA
 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA       DHE-DSS-DES-CBC3-SHA
 TLS_DHE_RSA_WITH_DES_CBC_SHA            DHE-RSA-DES-CBC-SHA
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       DHE-RSA-DES-CBC3-SHA

 TLS_DHE_DSS_WITH_AES_128_CBC_SHA        DHE-DSS-AES128-SHA
 TLS_DHE_DSS_WITH_AES_256_CBC_SHA        DHE-DSS-AES256-SHA
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA        DHE-RSA-AES128-SHA
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA        DHE-RSA-AES256-SHA

 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA   DHE-DSS-CAMELLIA128-SHA
 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA   DHE-DSS-CAMELLIA256-SHA
 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA   DHE-RSA-CAMELLIA128-SHA
 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA   DHE-RSA-CAMELLIA256-SHA

 TLS_DHE_DSS_WITH_SEED_CBC_SHA           DHE-DSS-SEED-SHA
 TLS_DHE_RSA_WITH_SEED_CBC_SHA           DHE-RSA-SEED-SHA

If we include the Elliptic Curve ciphers, the following also implement PFS:

 TLS_ECDHE_RSA_WITH_NULL_SHA             ECDHE-RSA-NULL-SHA
 TLS_ECDHE_RSA_WITH_RC4_128_SHA          ECDHE-RSA-RC4-SHA
 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     ECDHE-RSA-DES-CBC3-SHA
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      ECDHE-RSA-AES128-SHA
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      ECDHE-RSA-AES256-SHA

 TLS_ECDHE_ECDSA_WITH_NULL_SHA           ECDHE-ECDSA-NULL-SHA
 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        ECDHE-ECDSA-RC4-SHA
 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA   ECDHE-ECDSA-DES-CBC3-SHA
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    ECDHE-ECDSA-AES128-SHA
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    ECDHE-ECDSA-AES256-SHA

If you also want to include TLS 1.2 (note that there are no TLS 1.1 specific suites) then you can expand the list to include:

 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256       DHE-RSA-AES128-SHA256
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256       DHE-RSA-AES256-SHA256
 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256       DHE-RSA-AES128-GCM-SHA256
 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384       DHE-RSA-AES256-GCM-SHA384

 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256       DHE-DSS-AES128-SHA256
 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256       DHE-DSS-AES256-SHA256
 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256       DHE-DSS-AES128-GCM-SHA256
 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384       DHE-DSS-AES256-GCM-SHA384

 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     ECDHE-RSA-AES128-SHA256
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     ECDHE-RSA-AES256-SHA384
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     ECDHE-RSA-AES128-GCM-SHA256
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     ECDHE-RSA-AES256-GCM-SHA384

 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   ECDHE-ECDSA-AES128-SHA256
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   ECDHE-ECDSA-AES256-SHA384
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   ECDHE-ECDSA-AES128-GCM-SHA256
 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   ECDHE-ECDSA-AES256-GCM-SHA384

 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256
 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384

 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   ECDHE-RSA-CAMELLIA128-SHA256
 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   ECDHE-RSA-CAMELLIA256-SHA384
Polynomial
  • Polynomial, how to check which forward secrecy ciphers are enabled for TLSv1.0 in Tomcat 6.0.28? – PURE Dec 04 '14 at 15:30
  • @PURE That's a separate question which would be better asked at ServerFault, but you could either use [ssl-cipher-suite-enum](https://labs.portcullis.co.uk/tools/ssl-cipher-suite-enum/) (free script, but full disclosure: I work there) to test a live instance, or check your config files. I don't know where the TLS config is kept in Tomcat, though. – Polynomial Dec 04 '14 at 15:32
  • 1
    eNULL and "EXPORT" suites use DHE or ECDHE key exchange but don't provide even *current* secrecy much less forward. Also which suites are supported by a Tomcat server depends partly on its configuration, particularly the certificate(s?) it uses and whether it uses APR aka tcnative (which is OpenSSL inside) or the Java SSL/TLS implementation JSSE. DHE-DSS suites require a DSS cert and I don't think any public CA issues those (only some government-internal ones). – dave_thompson_085 Dec 05 '14 at 05:35
  • @dave_thompson_085, I am using the JSSE connector (JDK 1.6, Tomcat 6). May I use ECDHE suites, since they support forward secrecy? – PURE Dec 05 '14 at 07:33
  • JDK (or JRE) 1.6 JSSE supports ECDHE suites (and other ECC features) only if a crypto (JCE) provider for ECC primitives is available, which it is not by default. Your options are to obtain and install a suitable ECC provider -- I like www.bouncycastle.org -- or to upgrade to Java 7 or 8 which include an ECC provider -- and are in support which 1.6 is not. For your connections to *use* these suites also requires the browsers or other clients that connect to you support and prefer or require ECDHE, and if they want only one of ECDHE-RSA or ECDHE-ECDSA (IME rare) your server-key&cert must match. – dave_thompson_085 Dec 05 '14 at 23:07
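
An added example, not part of the original answer or comments: a small audit helper that reads rows in the two-column format used in the answer (RFC name, then OpenSSL name) and separates suites that give forward secrecy from those that only use an ephemeral key exchange, applying the eNULL/EXPORT caveat from the comment above. The names `classify`, `audit` and `SAMPLE` are hypothetical, and the sample rows are constructed for illustration.

```python
# OpenSSL-style prefixes for authenticated ephemeral Diffie-Hellman.
# EDH-* is OpenSSL's older spelling of DHE-*. Static ECDH-* and plain
# RSA key exchange do not match and therefore give no forward secrecy.
EPHEMERAL_KX = ("DHE-", "EDH-", "ECDHE-")


def classify(openssl_name):
    """Return 'pfs', 'ephemeral-but-weak' or 'no-pfs' for an OpenSSL suite name."""
    name = openssl_name.strip().upper()
    export = name.startswith("EXP-")      # OpenSSL marks EXPORT suites with EXP-
    if export:
        name = name[len("EXP-"):]
    if not name.startswith(EPHEMERAL_KX):
        return "no-pfs"
    # Ephemeral key exchange, but no usable confidentiality at all:
    # NULL encryption or export-grade keys (the caveat from the comments).
    if export or "NULL" in name.split("-"):
        return "ephemeral-but-weak"
    return "pfs"


def audit(table_text):
    """Group the OpenSSL names (last column of each row) by classification."""
    result = {"pfs": [], "ephemeral-but-weak": [], "no-pfs": []}
    for line in table_text.splitlines():
        columns = line.split()
        if not columns:
            continue                      # skip blank separator lines
        openssl_name = columns[-1]
        result[classify(openssl_name)].append(openssl_name)
    return result


# Constructed sample: three rows from the answer's lists plus two
# non-PFS/export rows added for contrast.
SAMPLE = """
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA        DHE-RSA-AES128-SHA
 TLS_ECDHE_RSA_WITH_NULL_SHA             ECDHE-RSA-NULL-SHA
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    ECDHE-ECDSA-AES256-SHA
 TLS_RSA_WITH_AES_128_CBC_SHA            AES128-SHA
 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-RSA-DES-CBC-SHA
"""

if __name__ == "__main__":
    for verdict, names in audit(SAMPLE).items():
        print(verdict, names)
```

The same `audit` call works on the output of a scanner or a server's configured cipher list, as long as the OpenSSL name is the last column of each row.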