Ahhh, it looks like Appendix A.5 answers my questions more easily than Appendix C.
I believe these are the answers:

In fact, TLS 1.1 does prohibit the use of the export cipher suites in TLS 1.0. So there are effectively a few (9 by my count) cipher suites that are supported in TLS 1.0 that are prohibited in TLS 1.1.

No, each revision of TLS does not implicitly support the list of cipher suites from the prior versions. For example, it seems that TLS v1.2 dropped support for single DES cipher suites.

Yes, the AES cipher suites defined in RFC3268 are supported in TLS 1.1 and 1.2. I mistakenly thought RFC3268 was specific to TLS 1.0. It is for "TLS" and not confined to a particular version - although TLS 1.2 explicitly incorporated them into its RFC.

For the most part, the "SSLv3" designation on the "openssl ciphers -v" output means that the cipher suite is at least supported by SSL 3 and TLS 1.0 (and TLS 1.1 except for the export cipher suites as noted above). The "TLSv1.2" designation means that the cipher suite is specific to TLS 1.2.

>
> I'm a little confused about which cipher suites are supported by which
> SSL/TLS protocol versions.
>
> I'm using Appendix C of the TLS 1.0, 1.1, and 1.2 RFCs, respectively, as a
> starting point for which cipher suites are supported in which version of the
> protocol, but I'm not sure how to parse the fact that some cipher suites are
> missing between documents. For example, the "export" cipher suites do
> not appear in Appendix C of the TLS 1.1 RFC. Does that mean that they are not
> available for use in TLS 1.1? Or does each revision of TLS implicitly support
> the list of cipher suites from the prior versions and then simply add new
> ones?
>
> On a related note, I assume the cipher suites defined in their own RFCs (AES in
> RFC3268, Camellia in RFC4132, etc.) for TLS 1.0 are also supported in TLS 1.1
> and 1.2?
>
> It's very possible all of this is spelled out somewhere that I haven't
> come across yet.
>
> What does it mean when "openssl ciphers -tls -v" shows "SSLv3"?
> I assume that means that the specific cipher suite is
> supported in SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2? The cipher suites that are
> exclusive to TLS 1.2 are marked by "TLSv1.2"?
>
> Thanks.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
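
An added example, not part of the original thread: a small audit helper that sorts `openssl ciphers -v` output into the groups discussed above, using the protocol column, the trailing `export` marker and the `Enc=` field. The sample lines are constructed in the layout `openssl ciphers -v` prints, and the label names are this example's own.

```shell
#!/bin/sh
# Constructed sample in the column layout of `openssl ciphers -v`:
# name, protocol, Kx=, Au=, Enc=, Mac=, optional "export" marker.
sample_ciphers() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EOF
}

# classify_suites: read `openssl ciphers -v` lines on stdin and print
# "<suite name> <label>" for each one.
classify_suites() {
  awk '
    NF < 6 { next }                          # skip blank or malformed lines
    {
      label = "ssl3-and-later"               # usable from SSL 3.0 / TLS 1.0 up
      if ($2 == "TLSv1.2")          label = "tls1.2-only"
      else if ($NF == "export")     label = "export"      # absent from TLS 1.1
      else if ($5 == "Enc=DES(56)") label = "single-des"  # dropped in TLS 1.2
      print $1, label
    }'
}

# count_label: count the suites on stdin that received the given label.
count_label() {
  classify_suites | awk -v want="$1" '$2 == want { n++ } END { print n + 0 }'
}

# Classify the constructed sample; on a real host, pipe in
# `openssl ciphers -v` instead of sample_ciphers.
sample_ciphers | classify_suites
```
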