1: # Ciphers
2:
3: With curl's options
4: [`CURLOPT_SSL_CIPHER_LIST`](https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html)
5: and
6: [`--ciphers`](https://curl.haxx.se/docs/manpage.html#--ciphers)
7: users can control which ciphers to consider when negotiating TLS connections.
8:
9: TLS 1.3 ciphers are supported since curl 7.61 for OpenSSL 1.1.1+ with options
10: [`CURLOPT_TLS13_CIPHERS`](https://curl.haxx.se/libcurl/c/CURLOPT_TLS13_CIPHERS.html)
11: and
12: [`--tls13-ciphers`](https://curl.haxx.se/docs/manpage.html#--tls13-ciphers)
13: . If you are using a different SSL backend you can try setting TLS 1.3 cipher
14: suites by using the respective regular cipher option.
15:
16: The names of the known ciphers differ depending on which TLS backend that
17: libcurl was built to use. This is an attempt to list known cipher names.
18:
19: ## OpenSSL
20:
21: (based on [OpenSSL docs](https://www.openssl.org/docs/man1.1.0/apps/ciphers.html))
22:
23: When specifying multiple cipher names, separate them with colon (`:`).
24:
25: ### SSL3 cipher suites
26:
27: `NULL-MD5`
28: `NULL-SHA`
29: `RC4-MD5`
30: `RC4-SHA`
31: `IDEA-CBC-SHA`
32: `DES-CBC3-SHA`
33: `DH-DSS-DES-CBC3-SHA`
34: `DH-RSA-DES-CBC3-SHA`
35: `DHE-DSS-DES-CBC3-SHA`
36: `DHE-RSA-DES-CBC3-SHA`
37: `ADH-RC4-MD5`
38: `ADH-DES-CBC3-SHA`
39:
40: ### TLS v1.0 cipher suites
41:
42: `NULL-MD5`
43: `NULL-SHA`
44: `RC4-MD5`
45: `RC4-SHA`
46: `IDEA-CBC-SHA`
47: `DES-CBC3-SHA`
48: `DHE-DSS-DES-CBC3-SHA`
49: `DHE-RSA-DES-CBC3-SHA`
50: `ADH-RC4-MD5`
51: `ADH-DES-CBC3-SHA`
52:
53: ### AES ciphersuites from RFC3268, extending TLS v1.0
54:
55: `AES128-SHA`
56: `AES256-SHA`
57: `DH-DSS-AES128-SHA`
58: `DH-DSS-AES256-SHA`
59: `DH-RSA-AES128-SHA`
60: `DH-RSA-AES256-SHA`
61: `DHE-DSS-AES128-SHA`
62: `DHE-DSS-AES256-SHA`
63: `DHE-RSA-AES128-SHA`
64: `DHE-RSA-AES256-SHA`
65: `ADH-AES128-SHA`
66: `ADH-AES256-SHA`
67:
68: ### SEED ciphersuites from RFC4162, extending TLS v1.0
69:
70: `SEED-SHA`
71: `DH-DSS-SEED-SHA`
72: `DH-RSA-SEED-SHA`
73: `DHE-DSS-SEED-SHA`
74: `DHE-RSA-SEED-SHA`
75: `ADH-SEED-SHA`
76:
77: ### GOST ciphersuites, extending TLS v1.0
78:
79: `GOST94-GOST89-GOST89`
80: `GOST2001-GOST89-GOST89`
81: `GOST94-NULL-GOST94`
82: `GOST2001-NULL-GOST94`
83:
84: ### Elliptic curve cipher suites
85:
86: `ECDHE-RSA-NULL-SHA`
87: `ECDHE-RSA-RC4-SHA`
88: `ECDHE-RSA-DES-CBC3-SHA`
89: `ECDHE-RSA-AES128-SHA`
90: `ECDHE-RSA-AES256-SHA`
91: `ECDHE-ECDSA-NULL-SHA`
92: `ECDHE-ECDSA-RC4-SHA`
93: `ECDHE-ECDSA-DES-CBC3-SHA`
94: `ECDHE-ECDSA-AES128-SHA`
95: `ECDHE-ECDSA-AES256-SHA`
96: `AECDH-NULL-SHA`
97: `AECDH-RC4-SHA`
98: `AECDH-DES-CBC3-SHA`
99: `AECDH-AES128-SHA`
100: `AECDH-AES256-SHA`
101:
102: ### TLS v1.2 cipher suites
103:
104: `NULL-SHA256`
105: `AES128-SHA256`
106: `AES256-SHA256`
107: `AES128-GCM-SHA256`
108: `AES256-GCM-SHA384`
109: `DH-RSA-AES128-SHA256`
110: `DH-RSA-AES256-SHA256`
111: `DH-RSA-AES128-GCM-SHA256`
112: `DH-RSA-AES256-GCM-SHA384`
113: `DH-DSS-AES128-SHA256`
114: `DH-DSS-AES256-SHA256`
115: `DH-DSS-AES128-GCM-SHA256`
116: `DH-DSS-AES256-GCM-SHA384`
117: `DHE-RSA-AES128-SHA256`
118: `DHE-RSA-AES256-SHA256`
119: `DHE-RSA-AES128-GCM-SHA256`
120: `DHE-RSA-AES256-GCM-SHA384`
121: `DHE-DSS-AES128-SHA256`
122: `DHE-DSS-AES256-SHA256`
123: `DHE-DSS-AES128-GCM-SHA256`
124: `DHE-DSS-AES256-GCM-SHA384`
125: `ECDHE-RSA-AES128-SHA256`
126: `ECDHE-RSA-AES256-SHA384`
127: `ECDHE-RSA-AES128-GCM-SHA256`
128: `ECDHE-RSA-AES256-GCM-SHA384`
129: `ECDHE-ECDSA-AES128-SHA256`
130: `ECDHE-ECDSA-AES256-SHA384`
131: `ECDHE-ECDSA-AES128-GCM-SHA256`
132: `ECDHE-ECDSA-AES256-GCM-SHA384`
133: `ADH-AES128-SHA256`
134: `ADH-AES256-SHA256`
135: `ADH-AES128-GCM-SHA256`
136: `ADH-AES256-GCM-SHA384`
137: `AES128-CCM`
138: `AES256-CCM`
139: `DHE-RSA-AES128-CCM`
140: `DHE-RSA-AES256-CCM`
141: `AES128-CCM8`
142: `AES256-CCM8`
143: `DHE-RSA-AES128-CCM8`
144: `DHE-RSA-AES256-CCM8`
145: `ECDHE-ECDSA-AES128-CCM`
146: `ECDHE-ECDSA-AES256-CCM`
147: `ECDHE-ECDSA-AES128-CCM8`
148: `ECDHE-ECDSA-AES256-CCM8`
149:
150: ### Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2
151:
152: `ECDHE-ECDSA-CAMELLIA128-SHA256`
153: `ECDHE-ECDSA-CAMELLIA256-SHA384`
154: `ECDHE-RSA-CAMELLIA128-SHA256`
155: `ECDHE-RSA-CAMELLIA256-SHA384`
156:
157: ### TLS 1.3 cipher suites
158:
159: (Note these ciphers are set with `CURLOPT_TLS13_CIPHERS` and `--tls13-ciphers`)
160:
161: `TLS_AES_256_GCM_SHA384`
162: `TLS_CHACHA20_POLY1305_SHA256`
163: `TLS_AES_128_GCM_SHA256`
164: `TLS_AES_128_CCM_8_SHA256`
165: `TLS_AES_128_CCM_SHA256`
166:
167: ## NSS
168:
169: ### Totally insecure
170:
171: `rc4`
172: `rc4-md5`
173: `rc4export`
174: `rc2`
175: `rc2export`
176: `des`
177: `desede3`
178:
179: ### SSL3/TLS cipher suites
180:
181: `rsa_rc4_128_md5`
182: `rsa_rc4_128_sha`
183: `rsa_3des_sha`
184: `rsa_des_sha`
185: `rsa_rc4_40_md5`
186: `rsa_rc2_40_md5`
187: `rsa_null_md5`
188: `rsa_null_sha`
189: `fips_3des_sha`
190: `fips_des_sha`
191: `fortezza`
192: `fortezza_rc4_128_sha`
193: `fortezza_null`
194:
195: ### TLS 1.0 Exportable 56-bit Cipher Suites
196:
197: `rsa_des_56_sha`
198: `rsa_rc4_56_sha`
199:
200: ### AES ciphers
201:
202: `dhe_dss_aes_128_cbc_sha`
203: `dhe_dss_aes_256_cbc_sha`
204: `dhe_rsa_aes_128_cbc_sha`
205: `dhe_rsa_aes_256_cbc_sha`
206: `rsa_aes_128_sha`
207: `rsa_aes_256_sha`
208:
209: ### ECC ciphers
210:
211: `ecdh_ecdsa_null_sha`
212: `ecdh_ecdsa_rc4_128_sha`
213: `ecdh_ecdsa_3des_sha`
214: `ecdh_ecdsa_aes_128_sha`
215: `ecdh_ecdsa_aes_256_sha`
216: `ecdhe_ecdsa_null_sha`
217: `ecdhe_ecdsa_rc4_128_sha`
218: `ecdhe_ecdsa_3des_sha`
219: `ecdhe_ecdsa_aes_128_sha`
220: `ecdhe_ecdsa_aes_256_sha`
221: `ecdh_rsa_null_sha`
222: `ecdh_rsa_128_sha`
223: `ecdh_rsa_3des_sha`
224: `ecdh_rsa_aes_128_sha`
225: `ecdh_rsa_aes_256_sha`
226: `ecdhe_rsa_null`
227: `ecdhe_rsa_rc4_128_sha`
228: `ecdhe_rsa_3des_sha`
229: `ecdhe_rsa_aes_128_sha`
230: `ecdhe_rsa_aes_256_sha`
231: `ecdh_anon_null_sha`
232: `ecdh_anon_rc4_128sha`
233: `ecdh_anon_3des_sha`
234: `ecdh_anon_aes_128_sha`
235: `ecdh_anon_aes_256_sha`
236:
237: ### HMAC-SHA256 cipher suites
238:
239: `rsa_null_sha_256`
240: `rsa_aes_128_cbc_sha_256`
241: `rsa_aes_256_cbc_sha_256`
242: `dhe_rsa_aes_128_cbc_sha_256`
243: `dhe_rsa_aes_256_cbc_sha_256`
244: `ecdhe_ecdsa_aes_128_cbc_sha_256`
245: `ecdhe_rsa_aes_128_cbc_sha_256`
246:
247: ### AES GCM cipher suites in RFC 5288 and RFC 5289
248:
249: `rsa_aes_128_gcm_sha_256`
250: `dhe_rsa_aes_128_gcm_sha_256`
251: `dhe_dss_aes_128_gcm_sha_256`
252: `ecdhe_ecdsa_aes_128_gcm_sha_256`
253: `ecdh_ecdsa_aes_128_gcm_sha_256`
254: `ecdhe_rsa_aes_128_gcm_sha_256`
255: `ecdh_rsa_aes_128_gcm_sha_256`
256:
257: ### cipher suites using SHA384
258:
259: `rsa_aes_256_gcm_sha_384`
260: `dhe_rsa_aes_256_gcm_sha_384`
261: `dhe_dss_aes_256_gcm_sha_384`
262: `ecdhe_ecdsa_aes_256_sha_384`
263: `ecdhe_rsa_aes_256_sha_384`
264: `ecdhe_ecdsa_aes_256_gcm_sha_384`
265: `ecdhe_rsa_aes_256_gcm_sha_384`
266:
267: ### chacha20-poly1305 cipher suites
268:
269: `ecdhe_rsa_chacha20_poly1305_sha_256`
270: `ecdhe_ecdsa_chacha20_poly1305_sha_256`
271: `dhe_rsa_chacha20_poly1305_sha_256`
272:
273: ### TLS 1.3 cipher suites
274:
275: `aes_128_gcm_sha_256`
276: `aes_256_gcm_sha_384`
277: `chacha20_poly1305_sha_256`
278:
279: ## GSKit
280:
281: Ciphers are internally defined as
282: [numeric codes](https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/apis/gsk_attribute_set_buffer.htm),
283: but libcurl maps them to the following case-insensitive names.
284:
285: ### SSL2 cipher suites (insecure: disabled by default)
286:
287: `rc2-md5`
288: `rc4-md5`
289: `exp-rc2-md5`
290: `exp-rc4-md5`
291: `des-cbc-md5`
292: `des-cbc3-md5`
293:
294: ### SSL3 cipher suites
295:
296: `null-md5`
297: `null-sha`
298: `rc4-md5`
299: `rc4-sha`
300: `exp-rc2-cbc-md5`
301: `exp-rc4-md5`
302: `exp-des-cbc-sha`
303: `des-cbc3-sha`
304:
305: ### TLS v1.0 cipher suites
306:
307: `null-md5`
308: `null-sha`
309: `rc4-md5`
310: `rc4-sha`
311: `exp-rc2-cbc-md5`
312: `exp-rc4-md5`
313: `exp-des-cbc-sha`
314: `des-cbc3-sha`
315: `aes128-sha`
316: `aes256-sha`
317:
318: ### TLS v1.1 cipher suites
319:
320: `null-md5`
321: `null-sha`
322: `rc4-md5`
323: `rc4-sha`
324: `exp-des-cbc-sha`
325: `des-cbc3-sha`
326: `aes128-sha`
327: `aes256-sha`
328:
329: ### TLS v1.2 cipher suites
330:
331: `null-md5`
332: `null-sha`
333: `null-sha256`
334: `rc4-md5`
335: `rc4-sha`
336: `des-cbc3-sha`
337: `aes128-sha`
338: `aes256-sha`
339: `aes128-sha256`
340: `aes256-sha256`
341: `aes128-gcm-sha256`
342: `aes256-gcm-sha384`
343:
344: ## WolfSSL
345:
346: `RC4-SHA`,
347: `RC4-MD5`,
348: `DES-CBC3-SHA`,
349: `AES128-SHA`,
350: `AES256-SHA`,
351: `NULL-SHA`,
352: `NULL-SHA256`,
353: `DHE-RSA-AES128-SHA`,
354: `DHE-RSA-AES256-SHA`,
355: `DHE-PSK-AES256-GCM-SHA384`,
356: `DHE-PSK-AES128-GCM-SHA256`,
357: `PSK-AES256-GCM-SHA384`,
358: `PSK-AES128-GCM-SHA256`,
359: `DHE-PSK-AES256-CBC-SHA384`,
360: `DHE-PSK-AES128-CBC-SHA256`,
361: `PSK-AES256-CBC-SHA384`,
362: `PSK-AES128-CBC-SHA256`,
363: `PSK-AES128-CBC-SHA`,
364: `PSK-AES256-CBC-SHA`,
365: `DHE-PSK-AES128-CCM`,
366: `DHE-PSK-AES256-CCM`,
367: `PSK-AES128-CCM`,
368: `PSK-AES256-CCM`,
369: `PSK-AES128-CCM-8`,
370: `PSK-AES256-CCM-8`,
371: `DHE-PSK-NULL-SHA384`,
372: `DHE-PSK-NULL-SHA256`,
373: `PSK-NULL-SHA384`,
374: `PSK-NULL-SHA256`,
375: `PSK-NULL-SHA`,
376: `HC128-MD5`,
377: `HC128-SHA`,
378: `HC128-B2B256`,
379: `AES128-B2B256`,
380: `AES256-B2B256`,
381: `RABBIT-SHA`,
382: `NTRU-RC4-SHA`,
383: `NTRU-DES-CBC3-SHA`,
384: `NTRU-AES128-SHA`,
385: `NTRU-AES256-SHA`,
386: `AES128-CCM-8`,
387: `AES256-CCM-8`,
388: `ECDHE-ECDSA-AES128-CCM`,
389: `ECDHE-ECDSA-AES128-CCM-8`,
390: `ECDHE-ECDSA-AES256-CCM-8`,
391: `ECDHE-RSA-AES128-SHA`,
392: `ECDHE-RSA-AES256-SHA`,
393: `ECDHE-ECDSA-AES128-SHA`,
394: `ECDHE-ECDSA-AES256-SHA`,
395: `ECDHE-RSA-RC4-SHA`,
396: `ECDHE-RSA-DES-CBC3-SHA`,
397: `ECDHE-ECDSA-RC4-SHA`,
398: `ECDHE-ECDSA-DES-CBC3-SHA`,
399: `AES128-SHA256`,
400: `AES256-SHA256`,
401: `DHE-RSA-AES128-SHA256`,
402: `DHE-RSA-AES256-SHA256`,
403: `ECDH-RSA-AES128-SHA`,
404: `ECDH-RSA-AES256-SHA`,
405: `ECDH-ECDSA-AES128-SHA`,
406: `ECDH-ECDSA-AES256-SHA`,
407: `ECDH-RSA-RC4-SHA`,
408: `ECDH-RSA-DES-CBC3-SHA`,
409: `ECDH-ECDSA-RC4-SHA`,
410: `ECDH-ECDSA-DES-CBC3-SHA`,
411: `AES128-GCM-SHA256`,
412: `AES256-GCM-SHA384`,
413: `DHE-RSA-AES128-GCM-SHA256`,
414: `DHE-RSA-AES256-GCM-SHA384`,
415: `ECDHE-RSA-AES128-GCM-SHA256`,
416: `ECDHE-RSA-AES256-GCM-SHA384`,
417: `ECDHE-ECDSA-AES128-GCM-SHA256`,
418: `ECDHE-ECDSA-AES256-GCM-SHA384`,
419: `ECDH-RSA-AES128-GCM-SHA256`,
420: `ECDH-RSA-AES256-GCM-SHA384`,
421: `ECDH-ECDSA-AES128-GCM-SHA256`,
422: `ECDH-ECDSA-AES256-GCM-SHA384`,
423: `CAMELLIA128-SHA`,
424: `DHE-RSA-CAMELLIA128-SHA`,
425: `CAMELLIA256-SHA`,
426: `DHE-RSA-CAMELLIA256-SHA`,
427: `CAMELLIA128-SHA256`,
428: `DHE-RSA-CAMELLIA128-SHA256`,
429: `CAMELLIA256-SHA256`,
430: `DHE-RSA-CAMELLIA256-SHA256`,
431: `ECDHE-RSA-AES128-SHA256`,
432: `ECDHE-ECDSA-AES128-SHA256`,
433: `ECDH-RSA-AES128-SHA256`,
434: `ECDH-ECDSA-AES128-SHA256`,
435: `ECDHE-RSA-AES256-SHA384`,
436: `ECDHE-ECDSA-AES256-SHA384`,
437: `ECDH-RSA-AES256-SHA384`,
438: `ECDH-ECDSA-AES256-SHA384`,
439: `ECDHE-RSA-CHACHA20-POLY1305`,
440: `ECDHE-ECDSA-CHACHA20-POLY1305`,
441: `DHE-RSA-CHACHA20-POLY1305`,
442: `ECDHE-RSA-CHACHA20-POLY1305-OLD`,
443: `ECDHE-ECDSA-CHACHA20-POLY1305-OLD`,
444: `DHE-RSA-CHACHA20-POLY1305-OLD`,
445: `ADH-AES128-SHA`,
446: `QSH`,
447: `RENEGOTIATION-INFO`,
448: `IDEA-CBC-SHA`,
449: `ECDHE-ECDSA-NULL-SHA`,
450: `ECDHE-PSK-NULL-SHA256`,
451: `ECDHE-PSK-AES128-CBC-SHA256`,
452: `PSK-CHACHA20-POLY1305`,
453: `ECDHE-PSK-CHACHA20-POLY1305`,
454: `DHE-PSK-CHACHA20-POLY1305`,
455: `EDH-RSA-DES-CBC3-SHA`,
456:
457: ## Schannel
458:
459: Schannel allows the enabling and disabling of encryption algorithms, but not
460: specific ciphersuites. They are
461: [defined](https://docs.microsoft.com/windows/desktop/SecCrypto/alg-id) by
462: Microsoft.
463:
464: There is also the case that the selected algorithm is not supported by the
465: protocol or does not match the ciphers offered by the server during the SSL
466: negotiation. In this case curl will return error
467: `CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH`
468: and the request will fail.
469:
470: `CALG_MD2`,
471: `CALG_MD4`,
472: `CALG_MD5`,
473: `CALG_SHA`,
474: `CALG_SHA1`,
475: `CALG_MAC`,
476: `CALG_RSA_SIGN`,
477: `CALG_DSS_SIGN`,
478: `CALG_NO_SIGN`,
479: `CALG_RSA_KEYX`,
480: `CALG_DES`,
481: `CALG_3DES_112`,
482: `CALG_3DES`,
483: `CALG_DESX`,
484: `CALG_RC2`,
485: `CALG_RC4`,
486: `CALG_SEAL`,
487: `CALG_DH_SF`,
488: `CALG_DH_EPHEM`,
489: `CALG_AGREEDKEY_ANY`,
490: `CALG_HUGHES_MD5`,
491: `CALG_SKIPJACK`,
492: `CALG_TEK`,
493: `CALG_CYLINK_MEK`,
494: `CALG_SSL3_SHAMD5`,
495: `CALG_SSL3_MASTER`,
496: `CALG_SCHANNEL_MASTER_HASH`,
497: `CALG_SCHANNEL_MAC_KEY`,
498: `CALG_SCHANNEL_ENC_KEY`,
499: `CALG_PCT1_MASTER`,
500: `CALG_SSL2_MASTER`,
501: `CALG_TLS1_MASTER`,
502: `CALG_RC5`,
503: `CALG_HMAC`,
504: `CALG_TLS1PRF`,
505: `CALG_HASH_REPLACE_OWF`,
506: `CALG_AES_128`,
507: `CALG_AES_192`,
508: `CALG_AES_256`,
509: `CALG_AES`,
510: `CALG_SHA_256`,
511: `CALG_SHA_384`,
512: `CALG_SHA_512`,
513: `CALG_ECDH`,
514: `CALG_ECMQV`,
515: `CALG_ECDSA`,
516: `CALG_ECDH_EPHEM`,
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to CIPHERS.md CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / docs