NSS on RHEL8

Updated -

Capabilities of NSS (v3.41.0) on RHEL8

This article is part of the Securing Applications Collection

Cryptography in RHEL8

RHEL8 has a new mechnism to centralise the cryptographic defaults for a machine.
This is handled by the crypto-policies package. Details of the rationale and update policy can be found in other documents

Capabilities

Protocols

  • TLSv1.3
  • TLSv1.2
  • TLSv1.1
  • TLSv1

Cipher Suites

Suite Name Cipher Suite Key Exchange Auth Algo Symmetric Cipher Effective Bits MAC Algo Enabled Class Export/Domestic
TLS_AES_128_GCM_SHA256 0x1301 TLS 1.3 TLS 1.3 AES-GCM 128 AEAD Enabled FIPS Domestic
TLS_CHACHA20_POLY1305_SHA256 0x1303 TLS 1.3 TLS 1.3 CHACHA20POLY1305 256 AEAD Enabled Domestic
TLS_AES_256_GCM_SHA384 0x1302 TLS 1.3 TLS 1.3 AES-GCM 256 AEAD Enabled Domestic
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xc02b ECDHE ECDSA AES-GCM 128 AEAD Enabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xc02f ECDHE RSA AES-GCM 128 AEAD Enabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xcca9 ECDHE ECDSA CHACHA20POLY1305 256 AEAD Enabled Domestic
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xcca8 ECDHE RSA CHACHA20POLY1305 256 AEAD Enabled Domestic
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xc02c ECDHE ECDSA AES-GCM 256 AEAD Disabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xc030 ECDHE RSA AES-GCM 256 AEAD Disabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xc00a ECDHE ECDSA AES 256 SHA1 Enabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xc009 ECDHE ECDSA AES 128 SHA1 Enabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xc013 ECDHE RSA AES 128 SHA1 Enabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xc023 ECDHE ECDSA AES 128 SHA256 Enabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xc027 ECDHE RSA AES 128 SHA256 Enabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xc014 ECDHE RSA AES 256 SHA1 Enabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xc024 ECDHE ECDSA AES 256 SHA384 Disabled FIPS Domestic
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xc028 ECDHE RSA AES 256 SHA384 Disabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xc008 ECDHE ECDSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xc012 ECDHE RSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xc007 ECDHE ECDSA RC4 128 SHA1 Disabled Domestic
TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xc011 ECDHE RSA RC4 128 SHA1 Disabled Domestic
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009e DHE RSA AES-GCM 128 AEAD Enabled FIPS Domestic
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xccaa DHE RSA CHACHA20POLY1305 256 AEAD Enabled Domestic
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00a2 DHE DSA AES-GCM 128 AEAD Disabled FIPS Domestic
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009f DHE RSA AES-GCM 256 AEAD Disabled FIPS Domestic
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00a3 DHE DSA AES-GCM 256 AEAD Disabled FIPS Domestic
TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 DHE RSA AES 128 SHA1 Enabled FIPS Domestic
TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032 DHE DSA AES 128 SHA1 Disabled FIPS Domestic
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 DHE RSA AES 128 SHA256 Enabled FIPS Domestic
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040 DHE DSA AES 128 SHA256 Disabled FIPS Domestic
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0045 DHE RSA CAMELLIA 128 SHA1 Disabled Domestic
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0044 DHE DSA CAMELLIA 128 SHA1 Disabled Domestic
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 DHE RSA AES 256 SHA1 Enabled FIPS Domestic
TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 DHE DSA AES 256 SHA1 Disabled FIPS Domestic
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006b DHE RSA AES 256 SHA256 Enabled FIPS Domestic
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006a DHE DSA AES 256 SHA256 Disabled FIPS Domestic
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0088 DHE RSA CAMELLIA 256 SHA1 Disabled Domestic
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0087 DHE DSA CAMELLIA 256 SHA1 Disabled Domestic
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 DHE RSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013 DHE DSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_DHE_DSS_WITH_RC4_128_SHA 0x0066 DHE DSA RC4 128 SHA1 Disabled Domestic
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xc004 ECDH ECDSA AES 128 SHA1 Disabled FIPS Domestic
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xc00e ECDH RSA AES 128 SHA1 Disabled FIPS Domestic
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xc005 ECDH ECDSA AES 256 SHA1 Disabled FIPS Domestic
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xc00f ECDH RSA AES 256 SHA1 Disabled FIPS Domestic
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xc003 ECDH ECDSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xc00d ECDH RSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_ECDH_ECDSA_WITH_RC4_128_SHA 0xc002 ECDH ECDSA RC4 128 SHA1 Disabled Domestic
TLS_ECDH_RSA_WITH_RC4_128_SHA 0xc00c ECDH RSA RC4 128 SHA1 Disabled Domestic
TLS_RSA_WITH_AES_128_GCM_SHA256 0x009c RSA RSA AES-GCM 128 AEAD Enabled FIPS Domestic
TLS_RSA_WITH_AES_256_GCM_SHA384 0x009d RSA RSA AES-GCM 256 AEAD Disabled FIPS Domestic
TLS_RSA_WITH_AES_128_CBC_SHA 0x002f RSA RSA AES 128 SHA1 Enabled FIPS Domestic
TLS_RSA_WITH_AES_128_CBC_SHA256 0x003c RSA RSA AES 128 SHA256 Enabled FIPS Domestic
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041 RSA RSA CAMELLIA 128 SHA1 Disabled Domestic
TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 RSA RSA AES 256 SHA1 Enabled FIPS Domestic
TLS_RSA_WITH_AES_256_CBC_SHA256 0x003d RSA RSA AES 256 SHA256 Enabled FIPS Domestic
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084 RSA RSA CAMELLIA 256 SHA1 Disabled Domestic
TLS_RSA_WITH_SEED_CBC_SHA 0x0096 RSA RSA SEED 128 SHA1 Disabled FIPS Domestic
TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000a RSA RSA 3DES 112 SHA1 Disabled FIPS Domestic
TLS_RSA_WITH_RC4_128_SHA 0x0005 RSA RSA RC4 128 SHA1 Disabled Domestic
TLS_RSA_WITH_RC4_128_MD5 0x0004 RSA RSA RC4 128 MD5 Disabled Domestic
TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015 DHE RSA DES 56 SHA1 Disabled Domestic
TLS_DHE_DSS_WITH_DES_CBC_SHA 0x0012 DHE DSA DES 56 SHA1 Disabled Domestic
TLS_RSA_WITH_DES_CBC_SHA 0x0009 RSA RSA DES 56 SHA1 Disabled Domestic
TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xc006 ECDHE ECDSA NULL 0 SHA1 Disabled Domestic
TLS_ECDHE_RSA_WITH_NULL_SHA 0xc010 ECDHE RSA NULL 0 SHA1 Disabled Domestic
TLS_ECDH_RSA_WITH_NULL_SHA 0xc00b ECDH RSA NULL 0 SHA1 Disabled Domestic
TLS_ECDH_ECDSA_WITH_NULL_SHA 0xc001 ECDH ECDSA NULL 0 SHA1 Disabled Domestic
TLS_RSA_WITH_NULL_SHA 0x0002 RSA RSA NULL 0 SHA1 Disabled Domestic
TLS_RSA_WITH_NULL_SHA256 0x003b RSA RSA NULL 0 SHA256 Disabled Domestic
TLS_RSA_WITH_NULL_MD5 0x0001 RSA RSA NULL 0 MD5 Disabled Domestic

Certificates

  • certificates with RSA keys and SHA-1 or SHA-256 signatures.
  • certificates with EC keys and DSA or SHA-256 signatures

Hashes

  • md5 message digest algorithm
  • sha1 message digest algorithm
  • sha message digest algorithm
  • sha224 message digest algorithm
  • sha256 message digest algorithm
  • sha384 message digest algorithm
  • sha512 message digest algorithm

Additional Notes

  • Component
  • nss