TLS Cipher Suite Naming Conventions
20 Jul 2020 · Comments: · Tags: TLS, SSL, IANA, OpenSSL, GnuTLS, Bash, PowerShell, API- Summary
- Converting Between OpenSSL and IANA With the OpenSSL CLI Tool in Bash
- Converting Between IANA, OpenSSL and GnuTLS With the ciphersuite.info API in PowerShell
Summary
The IANA
(Internet Assigned Numbers Authority) is responsible for maintaining the
official registry
of TLS cipher suites. If a cipher
suite is approved by experts at the IETF (Internet Engineering Task Force) then
the IANA add it to the registry where it’s assigned a unique two byte hexadecimal
value and a human readable name (recorded in the Description field).
In addition to the name that’s assigned by the IANA, there are at least two other naming conventions that I’m aware of, OpenSSL and GnuTLS.
To illustrate the differences, this is how the cipher suite represented by hex
value 0x00,0x3D is named according to these three conventions:
- IANA:
TLS_RSA_WITH_AES_256_CBC_SHA256 - OpenSSL:
AES256-SHA256 - GnuTLS:
TLS_RSA_AES_256_CBC_SHA256
I’ve recently been working on an Apache web server and wanted to compare the list
of enabled cipher suites in the Let’s Encrypt config
file (/etc/letsencrypt/options-ssl-apache.conf) against a Qualys SSL Labs
report. The Let’s Encrypt config file uses the OpenSSL naming convention whereas
Qualys SSL Labs uses IANA. Consequently I needed a means of converting between
the two naming conventions. That’s what inspired me to write this blog post in
which I’ll cover two techniques for converting between different naming
conventions.
Converting Between OpenSSL and IANA With the OpenSSL CLI Tool in Bash
The OpenSSL CLI tool can be used to convert an OpenSSL name to IANA and vice versa.
The following example requires a minimum of OpenSSL version 1.1.1. It converts
the cipher suite represented by hex value 0x00,0x3D from its OpenSSL name to
its IANA name and vice versa:
thecliguy@sandbox:~$ # OpenSSL to IANA thecliguy@sandbox:~$ openssl ciphers -stdname | grep "\sAES256-SHA256\s" | cut -d '-' -f1 TLS_RSA_WITH_AES_256_CBC_SHA256 thecliguy@sandbox:~$ thecliguy@sandbox:~$ # IANA to OpenSSL thecliguy@sandbox:~$ openssl ciphers -stdname | grep "^TLS_RSA_WITH_AES_256_CBC_SHA256\s" | cut -d ' ' -f3 AES256-SHA256
If you have an older version of OpenSSL, you can use this Bash script I wrote to convert from OpenSSL to IANA (it cannot convert from IANA to OpenSSL). See usage syntax below:
# Download the IANA cipher suite registry as a CSV:
convert_ossl_cipher_suite_name_to_iana.sh -d
# Convert an OpenSSL name to IANA format:
convert_ossl_cipher_suite_name_to_iana.sh -o <openssl_cipher_suite_name> -f <registry_file>NB: If you find that OpenSSL is failing to return a result for a specified cipher suite name, it could be because your version of OpenSSL predates the introduction of the cipher suite, or support for the cipher suite has been removed from your version OpenSSL because it is considered obsolete.
Converting Between IANA, OpenSSL and GnuTLS With the ciphersuite.info API in PowerShell
The ciphersuite.info site provides an extensive catalogue of cipher suites with details such as hexadecimal value, IANA name, OpenSSL name and GnuTLS name. The API provides a convenient way to convert cipher suite names from one naming convention to another.
According to the FAQ, the data is sourced
from the IANA, the OpenSSL and GnuTLS library and is updated regularly. I
would have liked the opportunity to learn a bit more about how the catalogue is
compiled from these different data sources but the project’s source code doesn’t
appear to be published anywhere. The API contains a link to a GIT repository
but the URL doesn’t work. I’ve written to the project’s authors to enquire about
this and will update the post if I receive a reply.
Below are some examples of consuming the API in PowerShell:
# Call the API to obtain a list of all the available cipher suites.
$CipherSuites = (Invoke-RestMethod -Uri https://ciphersuite.info/api/cs).ciphersuites
# Make some refinements to the list of cipher suites returned.
$CipherSuitesRefined = $CipherSuites.ForEach({
$_.psobject.properties |
Select-Object @{Name = 'HexValue'; Expression = {"$($_.value.hex_byte_1),$($_.value.hex_byte_2)"}},
@{Name = 'IANA'; Expression = {$_.name}},
@{Name = 'GnuTLS'; Expression = {$_.value.gnutls_name}},
@{Name = 'OpenSSL'; Expression = {$_.value.openssl_name}},
@{Name = 'Security'; Expression = {$_.value.Security}},
@{Name = 'TlsVersion'; Expression = {$_.value.tls_version}}
})
# Return the cipher suite represented by the hexadecimal value '0x00,0x3D'.
$CipherSuitesRefined | Where-Object {$_.HexValue -eq '0x00,0x3D'}
HexValue : 0x00,0x3D
IANA : TLS_RSA_WITH_AES_256_CBC_SHA256
GnuTLS : TLS_RSA_AES_256_CBC_SHA256
OpenSSL : AES256-SHA256
Security : secure
TlsVersion : TLS1.2
# Return the cipher suite with IANA name 'TLS_RSA_WITH_AES_256_CBC_SHA256'.
$CipherSuitesRefined | Where-Object {$_.IANA -eq 'TLS_RSA_WITH_AES_256_CBC_SHA256'}
HexValue : 0x00,0x3D
IANA : TLS_RSA_WITH_AES_256_CBC_SHA256
GnuTLS : TLS_RSA_AES_256_CBC_SHA256
OpenSSL : AES256-SHA256
Security : secure
TlsVersion : TLS1.2
# Return the cipher suite with OpenSSL name 'AES256-SHA256'.
$CipherSuitesRefined | Where-Object {$_.OpenSSL -eq 'AES256-SHA256'}
HexValue : 0x00,0x3D
IANA : TLS_RSA_WITH_AES_256_CBC_SHA256
GnuTLS : TLS_RSA_AES_256_CBC_SHA256
OpenSSL : AES256-SHA256
Security : secure
TlsVersion : TLS1.2
# Return the cipher suite with GnuTLS name 'TLS_RSA_AES_256_CBC_SHA256'.
$CipherSuitesRefined | Where-Object {$_.GnuTLS -eq 'TLS_RSA_AES_256_CBC_SHA256'}
HexValue : 0x00,0x3D
IANA : TLS_RSA_WITH_AES_256_CBC_SHA256
GnuTLS : TLS_RSA_AES_256_CBC_SHA256
OpenSSL : AES256-SHA256
Security : secure
TlsVersion : TLS1.2
Comments