8

Sorry if I missed with a community to ask.

Recently I stumbled on a fact that the same cipher suite can be designated by two different IDs, and this is not a typo nor single occasion.

For instance: http://www.thesprawl.org/research/tls-and-ssl-cipher-suites

  • TLS_ECDH_ECDSA_WITH_NULL_SHA is 0x0047 and 0xC001
  • TLS_ECDH_ECDSA_WITH_RC4_128_SHA is 0x0048 and 0xC002
  • SSL_RSA_FIPS_WITH_DES_CBC_SHA is 0xFEFE and 0xFFE1
  • SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is 0xFEFF and 0xFFE0

And few others more, like TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA and TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA.

So, the question is: why two codes are used to designate the same cipher suite? Is it a marker of legacy (broken?) implementation to distinguish? Or just a merge of two standards? Or something else?

Squeamish Ossifrage
  • 49,816
  • 3
  • 122
  • 230
Yury Schkatula
  • 183
  • 6

1 Answers1

8

These numbers belong to ElasticSearch;

  • TLS_ECDH_ECDSA_WITH_NULL_SHA is 0x0047
  • TLS_ECDH_ECDSA_WITH_RC4_128_SHA is 0x0048
  • SSL_RSA_FIPS_WITH_DES_CBC_SHA is 0xFEFE
  • SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is 0xFEFF

and 0x0047 has almost 0% at tlsfingerprint.io

The second numbers in SSL/TLS in this format {0xC0,0x01},{0xC0,0x01},{0xFF,0xE1},{0xFF,0xE0}. The first two in rfc4492. These are deprecated in rfc8422. The last two is for private usage.

The implementations can have different control by the maintainers, therefore it is good to have different numbers. It is bad that your original source doesn't list where they took the numbers.

Note: in TLS 1.3, there are only 5 cipher suites with their id's;

  • {0x13,0x01} - TLS_AES_256_GCM_SHA384
  • {0x13,0x02} - TLS_CHACHA20_POLY1305_SHA256
  • {0x13,0x03} - TLS_AES_128_GCM_SHA256
  • {0x13,0x04} - TLS_AES_128_CCM_8_SHA256
  • {0x13,0x05} - TLS_AES_128_CCM_SHA256
Community
  • 1
kelalaka
  • 49,797
  • 12
  • 123
  • 211