TLS_RSA_WITH_AES_128_CBC_SHA and SSL_RSA_WITH_AES_128_CBC_SHA


IANA maintains a registry of TLS cipher suites at TLS Parameters. In SSL/TLS, cipher suites are specified by 2 octets.

TLS_RSA_WITH_AES_128_CBC_SHA uses 0x00,0x2F and it's specified in RFC 3268, AES Ciphersuites for TLS. It supplemented the cipher suites from the original The TLS Protocol Version 1.0 of RFC 2246. RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2 included it out of the box.

There is no SSL_RSA_WITH_AES_128_CBC_SHA per IANA. It's not listed in the draft The SSL Protocol Version 3.0. And it's not listed in RFC 6101, The Secure Sockets Layer (SSL) Protocol Version 3.0 either. I suspect it's a synonym or alias used by some libraries after RFC 3268.

Related: SSL protocols are not under IETF control. See, for example, RFC 5746, Section 4.5:

While SSLv3 is not a protocol under IETF change control (see [SSLv3]), it was the original basis for TLS and most TLS implementations also support SSLv3.

OpenSSL does provide TLS_RSA_WITH_AES_128_CBC_SHA - it's called AES128-SHA in the cipher suite list. OpenSSL does not provide SSL_RSA_WITH_AES_128_CBC_SHA. See the ciphers(1) documentation.

Below, both a TLSv1 and an SSLv3 connection are made with AES128-SHA.

$ openssl s_client -tls1 -connect google.com:443 -cipher "AES128-SHA"
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
...

And

$ openssl s_client -ssl3 -connect google.com:443 -cipher "AES128-SHA"
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
...
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA
...

My guess is SSL_RSA_WITH_AES_128_CBC_SHA was added to SSLv3 around the time RFC 3268 was published. But I can't find a document covering it.

In either case, the primitives are the same: RSA key transport, AES block cipher, CBC mode, SHA HMAC, etc. The only difference is the protocol (SSLv3 vs. TLS 1.0 and friends).
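
As an added example (not part of the original answer and not any library's own code), this Python snippet shows why the two names can refer to the same thing on the wire: a suite is identified by its 2-octet code, and the names are only labels. The registry excerpt is a hand-picked subset, the cipher_suites bytes are constructed, and treating an SSL_ prefix as an alias for the TLS_ name follows the answer's suspicion and is an assumption.

```python
import struct

# Excerpt of the IANA TLS Cipher Suites registry:
# 2-octet code -> (IANA name, OpenSSL name from ciphers(1)).
REGISTRY = {
    (0x00, 0x05): ("TLS_RSA_WITH_RC4_128_SHA", "RC4-SHA"),
    (0x00, 0x0A): ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "DES-CBC3-SHA"),
    (0x00, 0x2F): ("TLS_RSA_WITH_AES_128_CBC_SHA", "AES128-SHA"),
    (0x00, 0x35): ("TLS_RSA_WITH_AES_256_CBC_SHA", "AES256-SHA"),
}

def lookup_code(name):
    """Resolve an IANA, SSL_-prefixed or OpenSSL name to its 2-octet code.

    Assumption: an SSL_ prefix is only a library alias for the TLS_ name.
    """
    wanted = name.strip()
    if wanted.startswith("SSL_"):
        wanted = "TLS_" + wanted[4:]
    for code, names in REGISTRY.items():
        if wanted in names:
            return code
    return None

def same_suite(a, b):
    """True when both names resolve to the same registered code."""
    code = lookup_code(a)
    return code is not None and code == lookup_code(b)

def parse_cipher_suites(vector):
    """Decode a ClientHello cipher_suites vector: uint16 length, then 2-octet codes."""
    if len(vector) < 2:
        raise ValueError("truncated length field")
    (length,) = struct.unpack("!H", vector[:2])
    body = vector[2:]
    if length != len(body) or length % 2:
        raise ValueError("bad cipher_suites length")
    out = []
    for i in range(0, length, 2):
        code = (body[i], body[i + 1])
        iana, openssl_name = REGISTRY.get(code, ("unknown", "unknown"))
        out.append(("0x%02X,0x%02X" % code, iana, openssl_name))
    return out

# Constructed sample: three suites offered, the last one outside the excerpt.
SAMPLE = bytes.fromhex("0006" "002f" "0035" "c02f")

if __name__ == "__main__":
    for row in parse_cipher_suites(SAMPLE):
        print(*row)
    print(same_suite("SSL_RSA_WITH_AES_128_CBC_SHA", "AES128-SHA"))
```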

Author by

cateof


Updated on June 24, 2022

Comments

  • cateof, almost 2 years

    Is there any difference between these cipher suites? They look the same however the first three letters are different.

    I am referring to TLS_RSA_WITH_AES_128_CBC_SHA and SSL_RSA_WITH_AES_128_CBC_SHA.