When an SSL connection is established, the client (web browser) and the web server negotiate the cipher to use for the connection. The web server has an ordered list of ciphers, and the first cipher in the list that is supported by the client is selected.
The SSLFIPSEnable directive enables Federal Information Processing Standards (FIPS). When the SSLFIPSEnable directive is enabled, the set of ciphers available is restricted as shown, and SSLv2 and SSLv3 are disabled as well as TLSv11 and TLSv12. Only TLSv10 is enabled for FIPS compliance.
Short name | Long name | Key size (bits) | FIPS | SSLV2 | SSLV3 | TLSv10 | TLSv11 | TLSv12 |
35 | SSL_RSA_WITH_RC4_128_SHA | 128 | - | - | Y | Y | Y | Y |
34 | SSL_RSA_WITH_RC4_128_MD5 | 128 | - | - | Y | Y | Y | - |
9C | TLS_RSA_WITH_AES_128_GCM_SHA256 | 128 | Y | - | - | - | - | d |
9D | TLS_RSA_WITH_AES_256_GCM_SHA384 | 256 | Y | - | - | - | - | d |
3C | TLS_RSA_WITH_AES_128_CBC_SHA256 | 128 | Y | - | - | - | - | d |
3D | TLS_RSA_WITH_AES_256_CBC_SHA256 | 256 | Y | - | - | - | - | d |
2F | TLS_RSA_WITH_AES_128_CBC_SHA | 128 | Y | - | Y* | d | d | d |
35b | TLS_RSA_WITH_AES_256_CBC_SHA | 256 | Y | - | Y* | d | d | d |
3A | SSL_RSA_WITH_3DES_EDE_CBC_SHA | 168 | Y | - | Y* | Y | Y | Y |
C007 | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | 128 | Y | - | - | - | - | Y |
C008 | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | 168 | Y | - | - | - | - | Y |
C009 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 128 | Y | - | - | - | - | d** |
C00A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 256 | Y | - | - | - | - | d** |
C010 | TLS_ECDHE_RSA_WITH_NULL_SHA | 0 | Y | - | - | - | - | Y |
C011 | TLS_ECDHE_RSA_WITH_RC4_128_SHA | 128 | Y | - | - | - | - | Y |
C012 | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 168 | Y | - | - | - | - | Y |
C013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 128 | Y | - | - | - | - | d** |
C014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 256 | Y | - | - | - | - | d** |
C023 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 128 | Y | - | - | - | - | d** |
C024 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 256 | Y | - | - | - | - | d** |
C027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 128 | Y | - | - | - | - | d** |
C028 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 256 | Y | - | - | - | - | d** |
C02B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 128 | Y | - | - | - | - | d** |
C02C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 256 | Y | - | - | - | - | d** |
C02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 128 | Y | - | - | - | - | d** |
C030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 256 | Y | - | - | - | - | d** |
Weaker ciphers, not enabled by default:
Short name | Long name | Key size (bits) | FIPS | SSLV2 | SSLV3 | TLSv10 | TLSv11 | TLSv12 |
39 | SSL_RSA_WITH_DES_CBC_SHA | 56 | - | - | y | y | y | - |
33 | SSL_RSA_EXPORT_WITH_RC4_40_MD5 | 40 | - | - | y | y | - | - |
36 | SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | 40 | - | - | y | y | - | - |
62 | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA | 56 | - | - | y | y | - | - |
64 | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA | 56 | - | - | y | y | - | - |
32 | SSL_RSA_WITH_NULL_SHA | 0 | - | - | y | y | y | y |
31 | SSL_RSA_WITH_NULL_MD5 | 0 | - | - | y | y | y | - |
3B | TLS_RSA_WITH_NULL_SHA256 | 0 | Y | - | - | - | - | y |
30 | SSL_NULL_WITH_NULL_NULL | 0 | - | - | y | y | y | y |
27 | SSL_DES_192_EDE3_CBC_WITH_MD5 | 168 | - | y | - | - | - | - |
21 | SSL_RC4_128_WITH_MD5 | 128 | - | y | - | - | - | - |
23 | SSL_RC2_CBC_128_CBC_WITH_MD5 | 128 | - | y | - | - | - | - |
26 | SSL_DES_64_CBC_WITH_MD5 | 56 | - | y | - | - | - | - |
24 | SSL_RC2_CBC_128_CBC_EXPORT40_WITH_MD5 | 40 | - | y | - | - | - | - |
22 | SSL_RC4_128_EXPORT40_WITH_MD5 | 40 | - | y | - | - | - | - |
FE | SSL_RSA_FIPS_WITH_DES_CBC_SHA | 56 | - | - | - | - | - | - |
FF | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA | 168 | - | - | - | - | - | - |