Accepted protocols and cipher suites

To comply with FIPS 140-2, you need to ensure only accepted protocols and cipher suites are enabled.

Accepted protocols

No version of the SSL protocol can be used in FIPS mode. The TLS protocol may be used in FIPS mode with the restriction that only FIPS-approved algorithms may be used. To use the TLS protocol exclusively in the SSL-C toolkit, call ssl_SetProtocolSupport() with one of the following parameters:
  • SSL_PROTOCOL_TLSV1_CLIENT
  • SSL_PROTOCOL_TLSV1_SERVER
  • SSL_PROTOCOL_TLSV11_CLIENT
  • SSL_PROTOCOL_TLSV11_SERVER
  • SSL_PROTOCOL_TLSV12_CLIENT
  • SSL_PROTOCOL_TLSV12_SERVER
This will force the handshake to use a version of the TLS protocol and exclude all other protocols.

Accepted cipher suites

You must enable only cipher suites from among the following list:
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_DSS_WITH_AES_128_CBC_SHA
  • TLS_DH_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DH_DSS_WITH_AES_256_CBC_SHA
  • TLS_DH_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DH_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DH_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DH_anon_WITH_AES_128_CBC_SHA256
  • TLS_DH_anon_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Deprecated Cipher Suites

As noted in the introduction, NIST strongly discourages the use of the DES algorithm. Cipher suites that use DES will not be acceptable in the future, and you may wish to consider this when choosing which suite to use. The cipher suites that use DES are the following:
  • TLS_DHE_DSS_WITH_DES_CBC_SHA
  • TLS_DHE_RSA_WITH_DES_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_DES_CBC_SHA
Parent topic: Satisfying FIPS 140-2 requirements