Dependencies Between TLS Protocols and the Cipher Suites

The TLS protocols list options are used in conjunction with the Cipher suites list options to determine the exact collection of ciphers that are offered to a client.

A cipher suite named in the cipher suites list is offered to the connecting peer only if it is also part of a protocol selected by the TLS protocols list. For example, if only the SSL3 protocol is specified, an RSA certificate is used, and the cipher suites specified are:

kEECDH+ECDSA kEECDH kEDH HIGH +SHA !RC4 !aNULL !eNULL !MEDIUM !LOW !3DES !MD5 !EXP

Then the available collection is limited to the following cipher suites:

Cipher Suite Name (OpenSSL)    Key Exchange  Encryption  Bits
ECDHE-RSA-AES256-SHA           ECDH 256      AES         256
DHE-RSA-AES256-SHA             DH 1024       AES         256
DHE-RSA-CAMELLIA256-SHA        DH 1024       Camellia    256
AES256-SHA                     RSA           AES         256
CAMELLIA256-SHA                RSA           Camellia    256
ECDHE-RSA-AES128-SHA           ECDH 256      AES         128
DHE-RSA-AES128-SHA             DH 1024       AES         128
DHE-RSA-CAMELLIA128-SHA        DH 1024       Camellia    128
AES128-SHA                     RSA           AES         128
CAMELLIA128-SHA                RSA           Camellia    128

If the SSL3 protocol is replaced by a more modern and secure protocol, such as TLS1.2, then the following cipher suites are available for use:

Cipher Suite Name (OpenSSL)    Key Exchange  Encryption  Bits
ECDHE-RSA-AES256-GCM-SHA384    ECDH 256      AESGCM      256
ECDHE-RSA-AES256-SHA384        ECDH 256      AES         256
ECDHE-RSA-AES256-SHA           ECDH 256      AES         256
DHE-RSA-AES256-GCM-SHA384      DH 1024       AESGCM      256
DHE-RSA-AES256-SHA256          DH 1024       AES         256
DHE-RSA-AES256-SHA             DH 1024       AES         256
DHE-RSA-CAMELLIA256-SHA        DH 1024       Camellia    256
AES256-GCM-SHA384              RSA           AESGCM      256
AES256-SHA256                  RSA           AES         256
AES256-SHA                     RSA           AES         256
CAMELLIA256-SHA                RSA           Camellia    256
ECDHE-RSA-AES128-GCM-SHA256    ECDH 256      AESGCM      128
ECDHE-RSA-AES128-SHA256        ECDH 256      AES         128
ECDHE-RSA-AES128-SHA           ECDH 256      AES         128
DHE-RSA-AES128-GCM-SHA256      DH 1024       AESGCM      128
DHE-RSA-AES128-SHA256          DH 1024       AES         128
DHE-RSA-AES128-SHA             DH 1024       AES         128
DHE-RSA-CAMELLIA128-SHA        DH 1024       Camellia    128
AES128-GCM-SHA256              RSA           AESGCM      128
AES128-SHA256                  RSA           AES         128
AES128-SHA                     RSA           AES         128
CAMELLIA128-SHA                RSA           Camellia    128

Note: The relevant protocol cipher list definitions can be found in the IETF RFC covering each protocol.
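
To audit what a given protocol and cipher-suite combination leaves available, the following added example (not part of the product or its documentation) expands the cipher-suite list above with the local OpenSSL through Python's ssl module and then keeps only the suites usable up to a chosen protocol with an RSA certificate. The function name, the protocol ranking table and the use of TLSv1.0 as the legacy ceiling are assumptions of this example, and the names returned depend on the OpenSSL build it runs against.

```python
import ssl

# Cipher-suite list quoted on the page.
PAGE_CIPHERS = ("kEECDH+ECDSA kEECDH kEDH HIGH +SHA !RC4 !aNULL !eNULL "
                "!MEDIUM !LOW !3DES !MD5 !EXP")

# OpenSSL labels each suite with the protocol version that introduced it.
# Both spellings of TLS 1.0 are accepted because the label text varies.
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.0": 1,
                 "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Key exchanges usable with a plain certificate (no PSK or SRP configured);
# "kx-any" and "auth-any" are how TLS 1.3 suites are reported.
CERT_KEY_EXCHANGES = {"kx-rsa", "kx-dhe", "kx-ecdhe", "kx-any"}


def offered_suites(cipher_list, highest_protocol, cert_type="rsa"):
    """Suite names left after applying both settings, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    ceiling = PROTOCOL_RANK[highest_protocol]
    names = []
    for suite in ctx.get_ciphers():
        rank = PROTOCOL_RANK.get(suite["protocol"])
        if rank is None or rank > ceiling:
            continue  # suite needs a newer protocol than the one enabled
        if suite.get("auth") not in ("auth-" + cert_type, "auth-any"):
            continue  # this certificate type cannot authenticate the suite
        if suite.get("kea") not in CERT_KEY_EXCHANGES:
            continue  # PSK/SRP key exchange, not usable with a certificate alone
        names.append(suite["name"])
    return names


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    legacy = offered_suites(PAGE_CIPHERS, "TLSv1.0")
    modern = offered_suites(PAGE_CIPHERS, "TLSv1.2")
    print("highest protocol TLSv1.0:", len(legacy), "suites")
    print("highest protocol TLSv1.2:", len(modern), "suites")
    for name in modern:
        print(" ", name, "" if name in legacy else "(TLS 1.2 only)")
```

Comparing the two lists shows which suites exist only because the newer protocol is enabled, which is the set lost when a deployment is pinned to an older protocol.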

Enterprise Server now uses OpenSSL 3.0. With OpenSSL 3.0, TLS protocol versions older than 1.2 are not available unless the security level is set to 0 by specifying @SECLEVEL=0 in the cipher-suite list.