Upravit

Sdílet prostřednictvím


TLS Cipher Suites in Windows Vista

A cipher suite is a set of cryptographic algorithms. Schannel protocols use algorithms from a cipher suite to create keys and encrypt information. A cipher suite specifies one algorithm for each of the following tasks:

  • Key exchange
  • Bulk encryption
  • Message authentication

Key exchange algorithms protect information required to create shared keys. These algorithms are asymmetric (public key algorithms) and perform well for relatively small amounts of data.

Bulk encryption algorithms encrypt messages exchanged between clients and servers. These algorithms are symmetric and perform well for large amounts of data.

Message authentication algorithms generate message hashes and signatures that ensure the integrity of a message.

Developers specify these elements by using ALG_ID data types. For more information, see Specifying Schannel Ciphers and Cipher Strengths.

Schannel supports the following cipher suites. The suites are listed in the default order in which they are chosen by the Microsoft Schannel Provider.

Important

HTTP/2 web services fail with non-HTTP/2-compatible cipher suites. To ensure your web services function with HTTP/2 clients and browsers, see How to deploy custom cipher suite ordering.

Cipher suite FIPS mode enabled Exchange Encryption Hash Protocols
TLS_RSA_WITH_AES_128_CBC_SHA Yes RSA AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_RSA_WITH_AES_256_CBC_SHA Yes RSA AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_RSA_WITH_RC4_128_SHA No RSA RC4 SHA1 TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
TLS_RSA_WITH_3DES_EDE_CBC_SHA Yes RSA 3DES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 Yes ECDH_P256 AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 Yes ECDH_P384 AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521 Yes ECDH_P521 AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 Yes ECDH_P256 AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 Yes ECDH_P384 AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521 Yes ECDH_P521 AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 Yes ECDH_P256 AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 Yes ECDH_P384 AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521 Yes ECDH_P521 AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 Yes ECDH_P256 AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 Yes ECDH_P384 AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521 Yes ECDH_P521 AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_DHE_DSS_WITH_AES_128_CBC_SHA Yes DH AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_DHE_DSS_WITH_AES_256_CBC_SHA Yes DH AES SHA1 TLS 1.2, TLS 1.1, TLS 1.0
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA Yes DH 3DES SHA1 TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
TLS_RSA_WITH_RC4_128_MD5 No RSA RC4 MD5 TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
SSL_CK_RC4_128_WITH_MD5 No RSA RC4 MD5 SSL 2.0
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 No RSA 3DES MD5 SSL 2.0
TLS_RSA_WITH_NULL_MD5 No RSA MD5 TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
TLS_RSA_WITH_NULL_SHA No RSA SHA1 TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0

The following cipher suites are supported by Schannel; however, they are not present by default. They must be added as necessary. For information about how to add cipher suites to the Schannel provider, see Prioritizing Schannel Cipher Suites.

  • TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  • TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  • SSL_CK_RC4_128_EXPORT40_MD5
  • SSL_CK_DES_64_CBC_WITH_MD5
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_NULL_MD5
  • TLS_RSA_WITH_NULL_SHA
  • TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
  • TLS_DHE_DSS_WITH_DES_CBC_SHA

Windows Server 2003 and Windows XP: For information about supported cipher suites, see the following topics.

Topic Description
TLS Cipher Suites Information about the cipher suites available with the TLS protocol in Windows Server 2003 and Windows XP.
Secure Sockets Layer Protocol General information about SSL 2.0 and 3.0, including the available cipher suites in Windows Server 2003 and Windows XP.