The TLS protocols list options are used in conjunction with the Cipher suites list options to determine the exact collection of ciphers that are offered to a client.
If a cipher suite in the specified cipher list belongs to a protocol that is selected by this option, it is offered to the connecting peer. For example, if only the SSL3 protocol is specified, an RSA certificate is used, and the cipher suites specified are:
kEECDH+ECDSA kEECDH kEDH HIGH +SHA !RC4 !aNULL !eNULL !MEDIUM !LOW !3DES !MD5 !EXP
Then the available collection is limited to the following cipher suites:
Cipher Suite Name (OpenSSL) | Key Exchange | Encryption | Bits |
---|---|---|---|
ECDHE-RSA-AES256-SHA | ECDH 256 | AES | 256 |
DHE-RSA-AES256-SHA | DH 1024 | AES | 256 |
DHE-RSA-CAMELLIA256-SHA | DH 1024 | Camellia | 256 |
AES256-SHA | RSA | AES | 256 |
CAMELLIA256-SHA | RSA | Camellia | 256 |
ECDHE-RSA-AES128-SHA | ECDH 256 | AES | 128 |
DHE-RSA-AES128-SHA | DH 1024 | AES | 128 |
DHE-RSA-CAMELLIA128-SHA | DH 1024 | Camellia | 128 |
AES128-SHA | RSA | AES | 128 |
CAMELLIA128-SHA | RSA | Camellia | 128 |
If the SSL3 protocol is replaced by a more modern and secure protocol, such as the TLS1.2 protocol, then the following cipher suites are available for use:
Cipher Suite Name (OpenSSL) | Key Exchange | Encryption | Bits |
---|---|---|---|
ECDHE-RSA-AES256-GCM-SHA384 | ECDH 256 | AESGCM | 256 |
ECDHE-RSA-AES256-SHA384 | ECDH 256 | AES | 256 |
ECDHE-RSA-AES256-SHA | ECDH 256 | AES | 256 |
DHE-RSA-AES256-GCM-SHA384 | DH 1024 | AESGCM | 256 |
DHE-RSA-AES256-SHA256 | DH 1024 | AES | 256 |
DHE-RSA-AES256-SHA | DH 1024 | AES | 256 |
DHE-RSA-CAMELLIA256-SHA | DH 1024 | Camellia | 256 |
AES256-GCM-SHA384 | RSA | AESGCM | 256 |
AES256-SHA256 | RSA | AES | 256 |
AES256-SHA | RSA | AES | 256 |
CAMELLIA256-SHA | RSA | Camellia | 256 |
ECDHE-RSA-AES128-GCM-SHA256 | ECDH 256 | AESGCM | 128 |
ECDHE-RSA-AES128-SHA256 | ECDH 256 | AES | 128 |
ECDHE-RSA-AES128-SHA | ECDH 256 | AES | 128 |
DHE-RSA-AES128-GCM-SHA256 | DH 1024 | AESGCM | 128 |
DHE-RSA-AES128-SHA256 | DH 1024 | AES | 128 |
DHE-RSA-AES128-SHA | DH 1024 | AES | 128 |
DHE-RSA-CAMELLIA128-SHA | DH 1024 | Camellia | 128 |
AES128-GCM-SHA256 | RSA | AESGCM | 128 |
AES128-SHA256 | RSA | AES | 128 |
AES128-SHA | RSA | AES | 128 |
CAMELLIA128-SHA | RSA | Camellia | 128 |
Enterprise Server now uses OpenSSL 3.0. With OpenSSL 3.0, TLS protocol versions older than 1.2 are not available unless the security level is set to 0 by specifying @SECLEVEL=0 in the cipher-suite list.
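The interaction between the protocol list and the cipher-suite list can be checked against a local OpenSSL build through Python's `ssl` module. This is an added example, not code from the product documentation: the helper names are hypothetical, and the suites returned depend on the OpenSSL version Python is linked against, so they can differ from the tables above.

```python
import ssl

# Cipher-suite list quoted on this page.
PAGE_CIPHERS = ("kEECDH+ECDSA kEECDH kEDH HIGH +SHA !RC4 !aNULL !eNULL "
                "!MEDIUM !LOW !3DES !MD5 !EXP")

# expand() and split_by_tls12() are illustrative helpers, not a product API.


def expand(cipher_string):
    """Expand an OpenSSL cipher string with the local library.

    Returns rows of (name, min_protocol, fields); fields holds the
    Kx/Au/Enc/Mac values from OpenSSL's description line, the same
    columns that `openssl ciphers -v` prints.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    rows = []
    for c in ctx.get_ciphers():
        fields = dict(tok.split("=", 1)
                      for tok in c["description"].split() if "=" in tok)
        rows.append((c["name"], c["protocol"], fields))
    return rows


def split_by_tls12(cipher_string, auth="RSA"):
    """Split the suites usable with an `auth` certificate into those that
    exist below TLS 1.2 and those that only exist from TLS 1.2.

    TLS 1.3 suites are skipped: this cipher string does not control them.
    """
    legacy, tls12_only = [], []
    for name, proto, fields in expand(cipher_string):
        if proto == "TLSv1.3" or fields.get("Au") != auth:
            continue
        (tls12_only if proto == "TLSv1.2" else legacy).append(name)
    return legacy, tls12_only


if __name__ == "__main__":
    legacy, tls12_only = split_by_tls12(PAGE_CIPHERS)
    print("Usable below TLS 1.2:", *legacy, sep="\n  ")
    print("Added when TLS 1.2 is selected:", *tls12_only, sep="\n  ")
```

Restricting the protocol list to versions older than TLS 1.2 leaves only the first group, which contains no AEAD (GCM) suites.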