gnutls on RHEL6

Updated -

Details of the capabilities of gnutls-2.12.23 on RHEL6

This article is part of the Securing Applications Collection

Due to the serious issues with the design of TLS and implementation issues in openssl uncovered during the lifetime of RHEL6 you should always use the latest version but at least

gnutls-2.8.5-14.el6_5

Capabilities

Protocols

  • TLSv1.2
  • TLSv1.1
  • TLSv1
  • SSLv3

Ciphers

Suite Name Cipher Suite Protocol Level
TLS_ANON_DH_ARCFOUR_MD5 0x0018 SSL3.0
TLS_ANON_DH_3DES_EDE_CBC_SHA1 0x001b SSL3.0
TLS_ANON_DH_AES_128_CBC_SHA1 0x0034 SSL3.0
TLS_ANON_DH_AES_256_CBC_SHA1 0x003a SSL3.0
TLS_ANON_DH_CAMELLIA_128_CBC_SHA1 0x0046 TLS1.0
TLS_ANON_DH_CAMELLIA_256_CBC_SHA1 0x0089 TLS1.0
TLS_ANON_DH_AES_128_CBC_SHA256 0x006c TLS1.2
TLS_ANON_DH_AES_256_CBC_SHA256 0x006d TLS1.2
TLS_PSK_SHA_ARCFOUR_SHA1 0x008a TLS1.0
TLS_PSK_SHA_3DES_EDE_CBC_SHA1 0x008b TLS1.0
TLS_PSK_SHA_AES_128_CBC_SHA1 0x008c TLS1.0
TLS_PSK_SHA_AES_256_CBC_SHA1 0x008d TLS1.0
TLS_DHE_PSK_SHA_ARCFOUR_SHA1 0x008e TLS1.0
TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 0x008f TLS1.0
TLS_DHE_PSK_SHA_AES_128_CBC_SHA1 0x0090 TLS1.0
TLS_DHE_PSK_SHA_AES_256_CBC_SHA1 0x0091 TLS1.0
TLS_SRP_SHA_3DES_EDE_CBC_SHA1 0xc01a TLS1.0
TLS_SRP_SHA_AES_128_CBC_SHA1 0xc01d TLS1.0
TLS_SRP_SHA_AES_256_CBC_SHA1 0xc020 TLS1.0
TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 0xc01c TLS1.0
TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 0xc01b TLS1.0
TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 0xc01f TLS1.0
TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 0xc01e TLS1.0
TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 0xc022 TLS1.0
TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 0xc021 TLS1.0
TLS_DHE_DSS_ARCFOUR_SHA1 0x0066 TLS1.0
TLS_DHE_DSS_3DES_EDE_CBC_SHA1 0x0013 SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA1 0x0032 SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA1 0x0038 SSL3.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 0x0044 TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 0x0087 TLS1.0
TLS_DHE_DSS_AES_128_CBC_SHA256 0x0040 TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256 0x006a TLS1.2
TLS_DHE_RSA_3DES_EDE_CBC_SHA1 0x0016 SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA1 0x0033 SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA1 0x0039 SSL3.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 0x0045 TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 0x0088 TLS1.0
TLS_DHE_RSA_AES_128_CBC_SHA256 0x0067 TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256 0x006b TLS1.2
TLS_RSA_NULL_MD5 0x0001 SSL3.0
TLS_RSA_NULL_SHA1 0x0002 SSL3.0
TLS_RSA_NULL_SHA256 0x003b TLS1.2
TLS_RSA_ARCFOUR_SHA1 0x0005 SSL3.0
TLS_RSA_ARCFOUR_MD5 0x0004 SSL3.0
TLS_RSA_3DES_EDE_CBC_SHA1 0x000a SSL3.0
TLS_RSA_AES_128_CBC_SHA1 0x002f SSL3.0
TLS_RSA_AES_256_CBC_SHA1 0x0035 SSL3.0
TLS_RSA_CAMELLIA_128_CBC_SHA1 0x0041 TLS1.0
TLS_RSA_CAMELLIA_256_CBC_SHA1 0x0084 TLS1.0
TLS_RSA_AES_128_CBC_SHA256 0x003c TLS1.2
TLS_RSA_AES_256_CBC_SHA256 0x003d TLS1.2

Certificates

  • certificates with RSA keys and SHA-1 or SHA-256 signatures.
  • certificates with EC keys and DSA or SHA-256 signatures

Hashes

  • md5 message digest algorithm
  • sha1 message digest algorithm
  • sha224 message digest algorithm
  • sha256 message digest algorithm
  • sha384 message digest algorithm
  • sha512 message digest algorithm

Additional Notes

Capabilities as given by gnutls-cli

$ gnutls-cli -l
Cipher suites:
TLS_ANON_DH_ARCFOUR_MD5                             0x00, 0x18  SSL3.0
TLS_ANON_DH_3DES_EDE_CBC_SHA1                       0x00, 0x1b  SSL3.0
TLS_ANON_DH_AES_128_CBC_SHA1                        0x00, 0x34  SSL3.0
TLS_ANON_DH_AES_256_CBC_SHA1                        0x00, 0x3a  SSL3.0
TLS_ANON_DH_CAMELLIA_128_CBC_SHA1                   0x00, 0x46  TLS1.0
TLS_ANON_DH_CAMELLIA_256_CBC_SHA1                   0x00, 0x89  TLS1.0
TLS_ANON_DH_AES_128_CBC_SHA256                      0x00, 0x6c  TLS1.2
TLS_ANON_DH_AES_256_CBC_SHA256                      0x00, 0x6d  TLS1.2
TLS_PSK_SHA_ARCFOUR_SHA1                            0x00, 0x8a  TLS1.0
TLS_PSK_SHA_3DES_EDE_CBC_SHA1                       0x00, 0x8b  TLS1.0
TLS_PSK_SHA_AES_128_CBC_SHA1                        0x00, 0x8c  TLS1.0
TLS_PSK_SHA_AES_256_CBC_SHA1                        0x00, 0x8d  TLS1.0
TLS_DHE_PSK_SHA_ARCFOUR_SHA1                        0x00, 0x8e  TLS1.0
TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1                   0x00, 0x8f  TLS1.0
TLS_DHE_PSK_SHA_AES_128_CBC_SHA1                    0x00, 0x90  TLS1.0
TLS_DHE_PSK_SHA_AES_256_CBC_SHA1                    0x00, 0x91  TLS1.0
TLS_SRP_SHA_3DES_EDE_CBC_SHA1                       0xc0, 0x1a  TLS1.0
TLS_SRP_SHA_AES_128_CBC_SHA1                        0xc0, 0x1d  TLS1.0
TLS_SRP_SHA_AES_256_CBC_SHA1                        0xc0, 0x20  TLS1.0
TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1                   0xc0, 0x1c  TLS1.0
TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1                   0xc0, 0x1b  TLS1.0
TLS_SRP_SHA_DSS_AES_128_CBC_SHA1                    0xc0, 0x1f  TLS1.0
TLS_SRP_SHA_RSA_AES_128_CBC_SHA1                    0xc0, 0x1e  TLS1.0
TLS_SRP_SHA_DSS_AES_256_CBC_SHA1                    0xc0, 0x22  TLS1.0
TLS_SRP_SHA_RSA_AES_256_CBC_SHA1                    0xc0, 0x21  TLS1.0
TLS_DHE_DSS_ARCFOUR_SHA1                            0x00, 0x66  TLS1.0
TLS_DHE_DSS_3DES_EDE_CBC_SHA1                       0x00, 0x13  SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA1                        0x00, 0x32  SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA1                        0x00, 0x38  SSL3.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1                   0x00, 0x44  TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1                   0x00, 0x87  TLS1.0
TLS_DHE_DSS_AES_128_CBC_SHA256                      0x00, 0x40  TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256                      0x00, 0x6a  TLS1.2
TLS_DHE_RSA_3DES_EDE_CBC_SHA1                       0x00, 0x16  SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA1                        0x00, 0x33  SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA1                        0x00, 0x39  SSL3.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1                   0x00, 0x45  TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1                   0x00, 0x88  TLS1.0
TLS_DHE_RSA_AES_128_CBC_SHA256                      0x00, 0x67  TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256                      0x00, 0x6b  TLS1.2
TLS_RSA_NULL_MD5                                    0x00, 0x01  SSL3.0
TLS_RSA_NULL_SHA1                                   0x00, 0x02  SSL3.0
TLS_RSA_NULL_SHA256                                 0x00, 0x3b  TLS1.2
TLS_RSA_ARCFOUR_SHA1                                0x00, 0x05  SSL3.0
TLS_RSA_ARCFOUR_MD5                                 0x00, 0x04  SSL3.0
TLS_RSA_3DES_EDE_CBC_SHA1                           0x00, 0x0a  SSL3.0
TLS_RSA_AES_128_CBC_SHA1                            0x00, 0x2f  SSL3.0
TLS_RSA_AES_256_CBC_SHA1                            0x00, 0x35  SSL3.0
TLS_RSA_CAMELLIA_128_CBC_SHA1                       0x00, 0x41  TLS1.0
TLS_RSA_CAMELLIA_256_CBC_SHA1                       0x00, 0x84  TLS1.0
TLS_RSA_AES_128_CBC_SHA256                          0x00, 0x3c  TLS1.2
TLS_RSA_AES_256_CBC_SHA256                          0x00, 0x3d  TLS1.2
Certificate types: CTYPE-X.509, CTYPE-OPENPGP
Protocols: VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2
Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128, ARCFOUR-40, RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL
MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, MAC-NULL
Key exchange algorithms: ANON-DH, RSA, DHE-RSA, DHE-DSS, PSK, DHE-PSK
Compression: COMP-DEFLATE, COMP-NULL
Public Key Systems: RSA, DSA
PK-signatures: SIGN-RSA-SHA1, SIGN-RSA-SHA224, SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-RMD160, SIGN-DSA-SHA1, SIGN-RSA-MD5, SIGN-RSA-MD2