TLS Cipher Suite Naming Conventions

Summary

The IANA (Internet Assigned Numbers Authority) is responsible for maintaining the official registry of TLS cipher suites. If a cipher suite is approved by experts at the IETF (Internet Engineering Task Force) then the IANA add it to the registry where it’s assigned a unique two byte hexadecimal value and a human readable name (recorded in the Description field).

In addition to the name that’s assigned by the IANA, there are at least two other naming conventions that I’m aware of, OpenSSL and GnuTLS.

To illustrate the differences, this is how the cipher suite represented by hex value 0x00,0x3D is named according to these three conventions:

I’ve recently been working on an Apache web server and wanted to compare the list of enabled cipher suites in the Let’s Encrypt config file (/etc/letsencrypt/options-ssl-apache.conf) against a Qualys SSL Labs report. The Let’s Encrypt config file uses the OpenSSL naming convention whereas Qualys SSL Labs uses IANA. Consequently I needed a means of converting between the two naming conventions. That’s what inspired me to write this blog post in which I’ll cover two techniques for converting between different naming conventions.

Converting Between OpenSSL and IANA With the OpenSSL CLI Tool in Bash

The OpenSSL CLI tool can be used to convert an OpenSSL name to IANA and vice versa.

The following example requires a minimum of OpenSSL version 1.1.1. It converts the cipher suite represented by hex value 0x00,0x3D from its OpenSSL name to its IANA name and vice versa:

thecliguy@sandbox:~$ # OpenSSL to IANA
thecliguy@sandbox:~$ openssl ciphers -stdname | grep "\sAES256-SHA256\s" | cut -d '-' -f1
TLS_RSA_WITH_AES_256_CBC_SHA256
thecliguy@sandbox:~$
thecliguy@sandbox:~$ # IANA to OpenSSL
thecliguy@sandbox:~$ openssl ciphers -stdname | grep "^TLS_RSA_WITH_AES_256_CBC_SHA256\s" | cut -d ' ' -f3
AES256-SHA256

If you have an older version of OpenSSL, you can use this Bash script I wrote to convert from OpenSSL to IANA (it cannot convert from IANA to OpenSSL). See usage syntax below:

# Download the IANA cipher suite registry as a CSV:
convert_ossl_cipher_suite_name_to_iana.sh -d

# Convert an OpenSSL name to IANA format:
convert_ossl_cipher_suite_name_to_iana.sh -o <openssl_cipher_suite_name> -f <registry_file>

NB: If you find that OpenSSL is failing to return a result for a specified cipher suite name, it could be because your version of OpenSSL predates the introduction of the cipher suite, or support for the cipher suite has been removed from your version OpenSSL because it is considered obsolete.

Converting Between IANA, OpenSSL and GnuTLS With the ciphersuite.info API in PowerShell

The ciphersuite.info site provides an extensive catalogue of cipher suites with details such as hexadecimal value, IANA name, OpenSSL name and GnuTLS name. The API provides a convenient way to convert cipher suite names from one naming convention to another.

According to the FAQ, the data is sourced from the IANA, the OpenSSL and GnuTLS library and is updated regularly. I would have liked the opportunity to learn a bit more about how the catalogue is compiled from these different data sources but the project’s source code doesn’t appear to be published anywhere. The API contains a link to a GIT repository but the URL doesn’t work. I’ve written to the project’s authors to enquire about this and will update the post if I receive a reply.

Below are some examples of consuming the API in PowerShell:

# Call the API to obtain a list of all the available cipher suites.
$CipherSuites = (Invoke-RestMethod -Uri https://ciphersuite.info/api/cs).ciphersuites

# Make some refinements to the list of cipher suites returned.
$CipherSuitesRefined = $CipherSuites.ForEach({
    $_.psobject.properties | 
        Select-Object @{Name = 'HexValue';   Expression = {"$($_.value.hex_byte_1),$($_.value.hex_byte_2)"}}, 
                      @{Name = 'IANA';       Expression = {$_.name}}, 
                      @{Name = 'GnuTLS';     Expression = {$_.value.gnutls_name}}, 
                      @{Name = 'OpenSSL';    Expression = {$_.value.openssl_name}},
                      @{Name = 'Security';   Expression = {$_.value.Security}},
                      @{Name = 'TlsVersion'; Expression = {$_.value.tls_version}}
})

# Return the cipher suite represented by the hexadecimal value '0x00,0x3D'.
$CipherSuitesRefined | Where-Object {$_.HexValue -eq '0x00,0x3D'}

HexValue   : 0x00,0x3D
IANA       : TLS_RSA_WITH_AES_256_CBC_SHA256
GnuTLS     : TLS_RSA_AES_256_CBC_SHA256
OpenSSL    : AES256-SHA256
Security   : secure
TlsVersion : TLS1.2

# Return the cipher suite with IANA name 'TLS_RSA_WITH_AES_256_CBC_SHA256'.
$CipherSuitesRefined | Where-Object {$_.IANA -eq 'TLS_RSA_WITH_AES_256_CBC_SHA256'}

HexValue   : 0x00,0x3D
IANA       : TLS_RSA_WITH_AES_256_CBC_SHA256
GnuTLS     : TLS_RSA_AES_256_CBC_SHA256
OpenSSL    : AES256-SHA256
Security   : secure
TlsVersion : TLS1.2

# Return the cipher suite with OpenSSL name 'AES256-SHA256'.
$CipherSuitesRefined | Where-Object {$_.OpenSSL -eq 'AES256-SHA256'}

HexValue   : 0x00,0x3D
IANA       : TLS_RSA_WITH_AES_256_CBC_SHA256
GnuTLS     : TLS_RSA_AES_256_CBC_SHA256
OpenSSL    : AES256-SHA256
Security   : secure
TlsVersion : TLS1.2

# Return the cipher suite with GnuTLS name 'TLS_RSA_AES_256_CBC_SHA256'.
$CipherSuitesRefined | Where-Object {$_.GnuTLS -eq 'TLS_RSA_AES_256_CBC_SHA256'}

HexValue   : 0x00,0x3D
IANA       : TLS_RSA_WITH_AES_256_CBC_SHA256
GnuTLS     : TLS_RSA_AES_256_CBC_SHA256
OpenSSL    : AES256-SHA256
Security   : secure
TlsVersion : TLS1.2

0 Comments

Post a comment

All comments are held for moderation.
Your email address will not be published. Required fields are marked *

Identification
Email
Name *
Website

Copyright © 2018 - 2020 thecliguy.co.uk
For details, see Licences and Copyright