Author Archives: morgan

Tracking SSL/TLS cipher usage

I recently needed to restrict the list of ciphers that my LDAP server allowed. However, I wanted to make sure that my LDAP clients (many not under my control) would still be able to negotiate a cipher after I made the change. I was able to capture SSL/TLS cipher usage and parse the log into a report.

First, capture the SSL/TLS handshakes from the server using tshark (wireshark):

tshark -l -f ‘tcp port 389’ -2R ‘ssl.handshake.type==2 or ssl.handshake.type==1’ -T fields -e ssl.handshake.type -e ssl.record.version -e ssl.handshake.version -e ssl.handshake.ciphersuite -e ssl.handshake.cipherspec -e ip.src -e ip.dst > ldap-cipher-track1.log

I ran this a second time for port 636 into a separate file so that I could identify which clients were using LDAP vs LDAPS.

Log entries look like:

1 0x0301 0x0301 0xc009,0xc013,0x002f,0xc004,0xc00e,0x0033,0x0032,0xc008,0xc012,0x000a,0xc003,0xc00d,0x0016,0x0013,0xc007,0xc011,0x0005,0xc002,0xc00c,0x0004,0x00ff 128.193.4.147 128.193.4.137
2,11,12,14 0x0301 0x0301 0xc011 128.193.4.137 128.193.4.147

Lines that begin with “1” are the Client Hello. Lines that begin with “2” are the Server Hello. The Client Hello includes the list of ciphers that the client supports. The Server Hello tells the client which cipher the server selected. Note: We don’t need the server’s private key because we are not decrypting anything.

After we have the log file, we parse it with Perl to report the following:

1. Client ciphers offered – a summarized list of all the ciphers offered
2. Ciphers selected – a summarized list of the ciphers actually selected
3. Clients using weak ciphers – a list of clients by IP with the weak ciphers they used and a list of strong ciphers they support
4. Clients that don’t support any of our enabled ciphers – any clients that won’t support our desired list of enabled ciphers

Example output:

Client ciphers offered:
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLS_RSA_WITH_RC4_128_SHA (0x0005)

TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
Ciphers selected:
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Clients using weak ciphers:

10.193.14.179:
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Strong Ciphers Offered: 0x000a 0x0013 0x0016 0x002f 0x0032 0x0033 0x00ff 0xc003 0xc004 0xc008 0xc009 0xc00d 0xc00e 0xc012 0xc013

Clients that don’t support any of our enabled ciphers:

parse-cipher-log.pl

#!/usr/bin/perl -w

# Parses the tshark dump of a SSL handshake for ciphers
# tshark command:
#   tshark -l -f 'tcp port 636' -2R 'ssl.handshake.type==2 or ssl.handshake.type==1' -T fields \
#        -e ssl.handshake.type -e ssl.record.version -e ssl.handshake.version \
#        -e ssl.handshake.ciphersuite -e ip.src -e ip.dst

# Parse the cipher mapping file so we can display pretty names
my ($code, $string);
my %ciphermap = ();
my %weakciphers = ();
open(MAP, "tls-parameters-4.csv") or die ("Could not open cipher mapping file for read - $!");
while (<MAP>) {
	if ( /^"0x([a-fA-F\d]{2}),0x([a-fA-F\d]{2})",(.+?),/ ) {
		$code = "0x" . lc($1) . lc($2);
		$string = $3;
		#print "$code $string\n";
		$ciphermap{$code} = $string;

		# weak ciphers
		$weakciphers{$code}++ if ($string =~ /EXPORT/);
		$weakciphers{$code}++ if ($string =~ /MD5/);
		$weakciphers{$code}++ if ($string =~ /RC2/);
		$weakciphers{$code}++ if ($string =~ /RC4/);
		$weakciphers{$code}++ if ($string =~ /IDEA/);
		$weakciphers{$code}++ if ($string =~ /_DES/);
	}
	else {
		#print "Could not parse cipher mapping line: $_";
	}
}


# Parse the tshark dump on STDIN
my ($types, $recver, $hsver, $ciphers, $srcip, $dstip, $tmp, $type, $cipher);
my %clientciphers = ();
my %ciphersbyip = ();
my %serverciphers = ();
my %weakclients = ();
while (<STDIN>) {
	# Trying to match input data like:
	# 1       0x0301  0x0301  0x00ff,0xc00a,0xc014,0x0088,0x0087,0x0039,0x0038,0xc00f,0xc005,0x0084,0x0035,0xc007,0xc009,0xc011,0xc013,0x0045,0x0044,0x0066,0x0033,0x0032,0xc00c,0xc00e,0xc002,0xc004,0x0096,0x0041,0x0004,0x0005,0x002f,0xc008,0xc012,0x0016,0x0013,0xc00d,0xc003,0xfeff,0x000a,0x0015,0x0012,0xfefe,0x0009,0x0064,0x0062,0x0003,0x0006    128.193.4.30    128.193.4.29
	# 2,11,12,14      0x0301  0x0301  0xc014  128.193.4.29    128.193.4.30

	if ( /^([\d,]+)\t([x\da-f,]+)\t(0x\d+)\t([x\da-f,]*)\t(\d+\.\d+\.\d+\.\d+)\t(\d+\.\d+\.\d+\.\d+)$/ ) {
		$types = $1;
		$recver = $2;
		$hsver = $3;
		$ciphers = $4;
		$srcip = $5;
		$dstip = $6;

		# We only care if the type is 1 (ClientHello) or 2 (ServerHello), not the other types
		foreach $tmp (split(/,/, $types)) {
			$type = 1 if ($tmp == 1);
			$type = 2 if ($tmp == 2);
		}
		if ($type != 1 and $type != 2) {
			print "SSL Handshake Type was not 1 (ClientHello) or 2 (ServerHello)\n";
			next;
		}

		foreach $cipher (split(/,/, $ciphers)) {
			if ($type == 1) {
				$ciphersbyip{$srcip}{$cipher}++;
				$clientciphers{$cipher}++;
			}
			elsif ($type == 2) {
				$serverciphers{$cipher}++;
				# is this a weak cipher we selected?
				if (defined($weakciphers{$cipher})) {
					$weakclients{$dstip}{$cipher}++;
				}
			}
			else {
				print "Unexpected SSL Handshake Type = $type\n";
			}
		}
	}
	else {
		print "Error matching line: $_";
	}
}


# Print some usage stats
print "Client ciphers offered:\n";
foreach $cipher (sort keys %clientciphers) {
	if (defined($ciphermap{$cipher})) {
		print "  $ciphermap{$cipher} ($cipher)\n";
	}
	else {
		print "  $cipher\n";
	}
}

print "Ciphers selected:\n";
foreach $cipher (sort keys %serverciphers) {
	if (defined($ciphermap{$cipher})) {
		print "  $ciphermap{$cipher} ($cipher)\n";
	}
	else {
		print "  $cipher\n";
	}
}

print "Clients using weak ciphers:\n";
foreach $dstip (sort keys %weakclients) {
	print "\n  $dstip:\n";
	foreach $cipher (sort keys %{$weakclients{$dstip}}) {
		print "    $ciphermap{$cipher} ($cipher) ";
	}
	print "\n";
	print "    Strong Ciphers Offered: ";
	foreach $cipher (sort keys %{$ciphersbyip{$dstip}}) {
		next if (defined($weakciphers{$cipher}));
		print "$cipher ";
	}
	print "\n";
}

parse-cipher-log-enabled.pl

#!/usr/bin/perl -w

# Parses the tshark dump of a SSL handshake for ciphers
# tshark command:
#   tshark -l -f 'tcp port 636' -2R 'ssl.handshake.type==2 or ssl.handshake.type==1' -T fields \
#        -e ssl.handshake.type -e ssl.record.version -e ssl.handshake.version \
#        -e ssl.handshake.ciphersuite -e ssl.handshake.cipherspec -e ip.src -e ip.dst


# Get the list of enabled ciphers
my %enabledciphers = ();
open(ENABLED, "enabled-ciphers.txt") or die ("Could not open enabled ciphers file for read - $!");
while (<ENABLED>) {
	chomp;
	$enabledciphers{$_}++;
}
close(ENABLED);


# Parse the cipher mapping file so we can display pretty names
my ($code, $string);
my %ciphermap = ();
my %weakciphers = ();
open(MAP, "tls-parameters-4.csv") or die ("Could not open cipher mapping file for read - $!");
while (<MAP>) {
	if ( /^"0x([a-fA-F\d]{2}),0x([a-fA-F\d]{2})",(.+?),/ ) {
		$code = "0x" . lc($1) . lc($2);
		$string = $3;
		#print "$code $string\n";
		$ciphermap{$code} = $string;

		# weak ciphers
		$weakciphers{$code}++ if ($string =~ /EXPORT/);
		$weakciphers{$code}++ if ($string =~ /MD5/);
		$weakciphers{$code}++ if ($string =~ /RC2/);
		$weakciphers{$code}++ if ($string =~ /RC4/);
		$weakciphers{$code}++ if ($string =~ /IDEA/);
		$weakciphers{$code}++ if ($string =~ /_DES/);

		# enabled ciphers
		$enabledciphers{$code}++ if (defined($enabledciphers{$string}));
	}
	else {
		#print "Could not parse cipher mapping line: $_";
	}
}


# Parse the tshark dump on STDIN
my ($types, $recver, $hsver, $ciphers, $srcip, $dstip, $tmp, $type, $cipher);
my %clientciphers = ();
my %ciphersbyip = ();
my %serverciphers = ();
my %weakclients = ();
while (<STDIN>) {
	# Trying to match input data like:
	# 1       0x0301  0x0301  0x000a,0x0007,0x0005,0x0004,0x0009,0x0008,0x0006,0x0003         128.193.4.159   128.193.4.137
	# 2,11,14 0x0301  0x0301  0x0005          128.193.4.137   128.193.4.159

	#       types     recver        hsver    ciphersuite   cipherspec    srcip                 dstip
	if ( /^([\d,]+)\t([x\da-f,]+)\t(0x\d+)\t([x\da-f,]*)\t([x\da-f,]*)\t(\d+\.\d+\.\d+\.\d+)\t(\d+\.\d+\.\d+\.\d+)$/ ) {
		$types = $1;
		$recver = $2;
		$hsver = $3;
		$ciphersuite = $4;
		$cipherspec = $5;
		$srcip = $6;
		$dstip = $7;

		# We only care if the type is 1 (ClientHello) or 2 (ServerHello), not the other types
		foreach $tmp (split(/,/, $types)) {
			$type = 1 if ($tmp == 1);
			$type = 2 if ($tmp == 2);
		}
		if ($type != 1 and $type != 2) {
			print "SSL Handshake Type was not 1 (ClientHello) or 2 (ServerHello)\n";
			next;
		}

		if ($ciphersuite ne "") {
			$ciphers = $ciphersuite;
		}
		else {
			# Use cipherspec instead
			$ciphers = "";
			foreach $cipher (split(/,/, $cipherspec)) {
				# remove the old SSL2 ciphers
				next if ($cipher eq "0x010080"
				      or $cipher eq "0x020080"
				      or $cipher eq "0x030080"
				      or $cipher eq "0x040080"
				      or $cipher eq "0x050080"
				      or $cipher eq "0x060040"
				      or $cipher eq "0x0700c0"
				      or $cipher eq "0x080080");
				# turn them into 2-byte hex values
				if ($cipher =~ /^0x\d\d(\d\d\d\d)$/) {
					$ciphers .= "0x" . $1 . ",";
				}
			}
			chop($ciphers);
		}

		foreach $cipher (split(/,/, $ciphers)) {
			if ($type == 1) {
				$ciphersbyip{$srcip}{$cipher}++;
				$clientciphers{$cipher}++;
			}
			elsif ($type == 2) {
				$serverciphers{$cipher}++;
				# is this a weak cipher we selected?
				if (defined($weakciphers{$cipher})) {
					$weakclients{$dstip}{$cipher}++;
				}
			}
			else {
				print "Unexpected SSL Handshake Type = $type\n";
			}
		}
	}
	else {
		print "Error matching line: $_";
	}
}


# Print some usage stats
print "Client ciphers offered:\n";
foreach $cipher (sort keys %clientciphers) {
	if (defined($ciphermap{$cipher})) {
		print "  $ciphermap{$cipher} ($cipher)\n";
	}
	else {
		print "  $cipher\n";
	}
}

print "Ciphers selected:\n";
foreach $cipher (sort keys %serverciphers) {
	if (defined($ciphermap{$cipher})) {
		print "  $ciphermap{$cipher} ($cipher)\n";
	}
	else {
		print "  $cipher\n";
	}
}

print "Clients using weak ciphers:\n";
foreach $dstip (sort keys %weakclients) {
	print "\n  $dstip:\n";
	foreach $cipher (sort keys %{$weakclients{$dstip}}) {
		print "    $ciphermap{$cipher} ($cipher) ";
	}
	print "\n";
	print "    Strong Ciphers Offered: ";
	foreach $cipher (sort keys %{$ciphersbyip{$dstip}}) {
		next if (defined($weakciphers{$cipher}));
		print "$cipher ";
	}
	print "\n";
}

print "Clients that don't support any of our enabled ciphers:\n";
foreach $srcip (sort keys %ciphersbyip) {
	$found = 0;
	foreach $cipher (keys %{$ciphersbyip{$srcip}}) {
		$found = 1 if (defined($enabledciphers{$cipher}));
	}
	print "$srcip\n" if ($found == 0);
}

tls-parameters-4.csv

Value,Description,DTLS-OK,Recommended,Reference
"0x00,0x00",TLS_NULL_WITH_NULL_NULL,Y,N,[RFC5246]
"0x00,0x01",TLS_RSA_WITH_NULL_MD5,Y,N,[RFC5246]
"0x00,0x02",TLS_RSA_WITH_NULL_SHA,Y,N,[RFC5246]
"0x00,0x03",TLS_RSA_EXPORT_WITH_RC4_40_MD5,N,N,[RFC4346][RFC6347]
"0x00,0x04",TLS_RSA_WITH_RC4_128_MD5,N,N,[RFC5246][RFC6347]
"0x00,0x05",TLS_RSA_WITH_RC4_128_SHA,N,N,[RFC5246][RFC6347]
"0x00,0x06",TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,Y,N,[RFC4346]
"0x00,0x07",TLS_RSA_WITH_IDEA_CBC_SHA,Y,N,[RFC5469]
"0x00,0x08",TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,Y,N,[RFC4346]
"0x00,0x09",TLS_RSA_WITH_DES_CBC_SHA,Y,N,[RFC5469]
"0x00,0x0A",TLS_RSA_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC5246]
"0x00,0x0B",TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,Y,N,[RFC4346]
"0x00,0x0C",TLS_DH_DSS_WITH_DES_CBC_SHA,Y,N,[RFC5469]
"0x00,0x0D",TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC5246]
"0x00,0x0E",TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,Y,N,[RFC4346]
"0x00,0x0F",TLS_DH_RSA_WITH_DES_CBC_SHA,Y,N,[RFC5469]
"0x00,0x10",TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC5246]
"0x00,0x11",TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,Y,N,[RFC4346]
"0x00,0x12",TLS_DHE_DSS_WITH_DES_CBC_SHA,Y,N,[RFC5469]
"0x00,0x13",TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC5246]
"0x00,0x14",TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,Y,N,[RFC4346]
"0x00,0x15",TLS_DHE_RSA_WITH_DES_CBC_SHA,Y,N,[RFC5469]
"0x00,0x16",TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC5246]
"0x00,0x17",TLS_DH_anon_EXPORT_WITH_RC4_40_MD5,N,N,[RFC4346][RFC6347]
"0x00,0x18",TLS_DH_anon_WITH_RC4_128_MD5,N,N,[RFC5246][RFC6347]
"0x00,0x19",TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,Y,N,[RFC4346]
"0x00,0x1A",TLS_DH_anon_WITH_DES_CBC_SHA,Y,N,[RFC5469]
"0x00,0x1B",TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC5246]
"0x00,0x1C-1D",Reserved to avoid conflicts with SSLv3,,,[RFC5246]
"0x00,0x1E",TLS_KRB5_WITH_DES_CBC_SHA,Y,N,[RFC2712]
"0x00,0x1F",TLS_KRB5_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC2712]
"0x00,0x20",TLS_KRB5_WITH_RC4_128_SHA,N,N,[RFC2712][RFC6347]
"0x00,0x21",TLS_KRB5_WITH_IDEA_CBC_SHA,Y,N,[RFC2712]
"0x00,0x22",TLS_KRB5_WITH_DES_CBC_MD5,Y,N,[RFC2712]
"0x00,0x23",TLS_KRB5_WITH_3DES_EDE_CBC_MD5,Y,N,[RFC2712]
"0x00,0x24",TLS_KRB5_WITH_RC4_128_MD5,N,N,[RFC2712][RFC6347]
"0x00,0x25",TLS_KRB5_WITH_IDEA_CBC_MD5,Y,N,[RFC2712]
"0x00,0x26",TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,Y,N,[RFC2712]
"0x00,0x27",TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,Y,N,[RFC2712]
"0x00,0x28",TLS_KRB5_EXPORT_WITH_RC4_40_SHA,N,N,[RFC2712][RFC6347]
"0x00,0x29",TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5,Y,N,[RFC2712]
"0x00,0x2A",TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5,Y,N,[RFC2712]
"0x00,0x2B",TLS_KRB5_EXPORT_WITH_RC4_40_MD5,N,N,[RFC2712][RFC6347]
"0x00,0x2C",TLS_PSK_WITH_NULL_SHA,Y,N,[RFC4785]
"0x00,0x2D",TLS_DHE_PSK_WITH_NULL_SHA,Y,N,[RFC4785]
"0x00,0x2E",TLS_RSA_PSK_WITH_NULL_SHA,Y,N,[RFC4785]
"0x00,0x2F",TLS_RSA_WITH_AES_128_CBC_SHA,Y,N,[RFC5246]
"0x00,0x30",TLS_DH_DSS_WITH_AES_128_CBC_SHA,Y,N,[RFC5246]
"0x00,0x31",TLS_DH_RSA_WITH_AES_128_CBC_SHA,Y,N,[RFC5246]
"0x00,0x32",TLS_DHE_DSS_WITH_AES_128_CBC_SHA,Y,N,[RFC5246]
"0x00,0x33",TLS_DHE_RSA_WITH_AES_128_CBC_SHA,Y,N,[RFC5246]
"0x00,0x34",TLS_DH_anon_WITH_AES_128_CBC_SHA,Y,N,[RFC5246]
"0x00,0x35",TLS_RSA_WITH_AES_256_CBC_SHA,Y,N,[RFC5246]
"0x00,0x36",TLS_DH_DSS_WITH_AES_256_CBC_SHA,Y,N,[RFC5246]
"0x00,0x37",TLS_DH_RSA_WITH_AES_256_CBC_SHA,Y,N,[RFC5246]
"0x00,0x38",TLS_DHE_DSS_WITH_AES_256_CBC_SHA,Y,N,[RFC5246]
"0x00,0x39",TLS_DHE_RSA_WITH_AES_256_CBC_SHA,Y,N,[RFC5246]
"0x00,0x3A",TLS_DH_anon_WITH_AES_256_CBC_SHA,Y,N,[RFC5246]
"0x00,0x3B",TLS_RSA_WITH_NULL_SHA256,Y,N,[RFC5246]
"0x00,0x3C",TLS_RSA_WITH_AES_128_CBC_SHA256,Y,N,[RFC5246]
"0x00,0x3D",TLS_RSA_WITH_AES_256_CBC_SHA256,Y,N,[RFC5246]
"0x00,0x3E",TLS_DH_DSS_WITH_AES_128_CBC_SHA256,Y,N,[RFC5246]
"0x00,0x3F",TLS_DH_RSA_WITH_AES_128_CBC_SHA256,Y,N,[RFC5246]
"0x00,0x40",TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,Y,N,[RFC5246]
"0x00,0x41",TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,Y,N,[RFC5932]
"0x00,0x42",TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,Y,N,[RFC5932]
"0x00,0x43",TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,Y,N,[RFC5932]
"0x00,0x44",TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,Y,N,[RFC5932]
"0x00,0x45",TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,Y,N,[RFC5932]
"0x00,0x46",TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,Y,N,[RFC5932]
"0x00,0x47-4F","Reserved to avoid conflicts with         
deployed implementations",,,[Pasi_Eronen]
"0x00,0x50-58",Reserved to avoid conflicts,,,"[Pasi Eronen, <pasi.eronen&nokia.com>, 2008-04-04.  2008-04-04]"
"0x00,0x59-5C","Reserved to avoid conflicts with         
deployed implementations",,,[Pasi_Eronen]
"0x00,0x5D-5F",Unassigned,,,
"0x00,0x60-66","Reserved to avoid conflicts with
widely deployed implementations",,,[Pasi_Eronen]
"0x00,0x67",TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,Y,N,[RFC5246]
"0x00,0x68",TLS_DH_DSS_WITH_AES_256_CBC_SHA256,Y,N,[RFC5246]
"0x00,0x69",TLS_DH_RSA_WITH_AES_256_CBC_SHA256,Y,N,[RFC5246]
"0x00,0x6A",TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,Y,N,[RFC5246]
"0x00,0x6B",TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,Y,N,[RFC5246]
"0x00,0x6C",TLS_DH_anon_WITH_AES_128_CBC_SHA256,Y,N,[RFC5246]
"0x00,0x6D",TLS_DH_anon_WITH_AES_256_CBC_SHA256,Y,N,[RFC5246]
"0x00,0x6E-83",Unassigned,,,
"0x00,0x84",TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,Y,N,[RFC5932]
"0x00,0x85",TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,Y,N,[RFC5932]
"0x00,0x86",TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,Y,N,[RFC5932]
"0x00,0x87",TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,Y,N,[RFC5932]
"0x00,0x88",TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,Y,N,[RFC5932]
"0x00,0x89",TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,Y,N,[RFC5932]
"0x00,0x8A",TLS_PSK_WITH_RC4_128_SHA,N,N,[RFC4279][RFC6347]
"0x00,0x8B",TLS_PSK_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC4279]
"0x00,0x8C",TLS_PSK_WITH_AES_128_CBC_SHA,Y,N,[RFC4279]
"0x00,0x8D",TLS_PSK_WITH_AES_256_CBC_SHA,Y,N,[RFC4279]
"0x00,0x8E",TLS_DHE_PSK_WITH_RC4_128_SHA,N,N,[RFC4279][RFC6347]
"0x00,0x8F",TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC4279]
"0x00,0x90",TLS_DHE_PSK_WITH_AES_128_CBC_SHA,Y,N,[RFC4279]
"0x00,0x91",TLS_DHE_PSK_WITH_AES_256_CBC_SHA,Y,N,[RFC4279]
"0x00,0x92",TLS_RSA_PSK_WITH_RC4_128_SHA,N,N,[RFC4279][RFC6347]
"0x00,0x93",TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC4279]
"0x00,0x94",TLS_RSA_PSK_WITH_AES_128_CBC_SHA,Y,N,[RFC4279]
"0x00,0x95",TLS_RSA_PSK_WITH_AES_256_CBC_SHA,Y,N,[RFC4279]
"0x00,0x96",TLS_RSA_WITH_SEED_CBC_SHA,Y,N,[RFC4162]
"0x00,0x97",TLS_DH_DSS_WITH_SEED_CBC_SHA,Y,N,[RFC4162]
"0x00,0x98",TLS_DH_RSA_WITH_SEED_CBC_SHA,Y,N,[RFC4162]
"0x00,0x99",TLS_DHE_DSS_WITH_SEED_CBC_SHA,Y,N,[RFC4162]
"0x00,0x9A",TLS_DHE_RSA_WITH_SEED_CBC_SHA,Y,N,[RFC4162]
"0x00,0x9B",TLS_DH_anon_WITH_SEED_CBC_SHA,Y,N,[RFC4162]
"0x00,0x9C",TLS_RSA_WITH_AES_128_GCM_SHA256,Y,N,[RFC5288]
"0x00,0x9D",TLS_RSA_WITH_AES_256_GCM_SHA384,Y,N,[RFC5288]
"0x00,0x9E",TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,Y,Y,[RFC5288]
"0x00,0x9F",TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,Y,Y,[RFC5288]
"0x00,0xA0",TLS_DH_RSA_WITH_AES_128_GCM_SHA256,Y,N,[RFC5288]
"0x00,0xA1",TLS_DH_RSA_WITH_AES_256_GCM_SHA384,Y,N,[RFC5288]
"0x00,0xA2",TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,Y,N,[RFC5288]
"0x00,0xA3",TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,Y,N,[RFC5288]
"0x00,0xA4",TLS_DH_DSS_WITH_AES_128_GCM_SHA256,Y,N,[RFC5288]
"0x00,0xA5",TLS_DH_DSS_WITH_AES_256_GCM_SHA384,Y,N,[RFC5288]
"0x00,0xA6",TLS_DH_anon_WITH_AES_128_GCM_SHA256,Y,N,[RFC5288]
"0x00,0xA7",TLS_DH_anon_WITH_AES_256_GCM_SHA384,Y,N,[RFC5288]
"0x00,0xA8",TLS_PSK_WITH_AES_128_GCM_SHA256,Y,N,[RFC5487]
"0x00,0xA9",TLS_PSK_WITH_AES_256_GCM_SHA384,Y,N,[RFC5487]
"0x00,0xAA",TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,Y,Y,[RFC5487]
"0x00,0xAB",TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,Y,Y,[RFC5487]
"0x00,0xAC",TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,Y,N,[RFC5487]
"0x00,0xAD",TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,Y,N,[RFC5487]
"0x00,0xAE",TLS_PSK_WITH_AES_128_CBC_SHA256,Y,N,[RFC5487]
"0x00,0xAF",TLS_PSK_WITH_AES_256_CBC_SHA384,Y,N,[RFC5487]
"0x00,0xB0",TLS_PSK_WITH_NULL_SHA256,Y,N,[RFC5487]
"0x00,0xB1",TLS_PSK_WITH_NULL_SHA384,Y,N,[RFC5487]
"0x00,0xB2",TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,Y,N,[RFC5487]
"0x00,0xB3",TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,Y,N,[RFC5487]
"0x00,0xB4",TLS_DHE_PSK_WITH_NULL_SHA256,Y,N,[RFC5487]
"0x00,0xB5",TLS_DHE_PSK_WITH_NULL_SHA384,Y,N,[RFC5487]
"0x00,0xB6",TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,Y,N,[RFC5487]
"0x00,0xB7",TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,Y,N,[RFC5487]
"0x00,0xB8",TLS_RSA_PSK_WITH_NULL_SHA256,Y,N,[RFC5487]
"0x00,0xB9",TLS_RSA_PSK_WITH_NULL_SHA384,Y,N,[RFC5487]
"0x00,0xBA",TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,N,[RFC5932]
"0x00,0xBB",TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256,Y,N,[RFC5932]
"0x00,0xBC",TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,N,[RFC5932]
"0x00,0xBD",TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,Y,N,[RFC5932]
"0x00,0xBE",TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,N,[RFC5932]
"0x00,0xBF",TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256,Y,N,[RFC5932]
"0x00,0xC0",TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,Y,N,[RFC5932]
"0x00,0xC1",TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256,Y,N,[RFC5932]
"0x00,0xC2",TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256,Y,N,[RFC5932]
"0x00,0xC3",TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,Y,N,[RFC5932]
"0x00,0xC4",TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,Y,N,[RFC5932]
"0x00,0xC5",TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,Y,N,[RFC5932]
"0x00,0xC6-FE",Unassigned,,,
"0x00,0xFF",TLS_EMPTY_RENEGOTIATION_INFO_SCSV,Y,N,[RFC5746]
"0x01-12,*",Unassigned,,,
"0x13,0x00",Unassigned,,,
"0x13,0x01",TLS_AES_128_GCM_SHA256,Y,Y,[RFC8446]
"0x13,0x02",TLS_AES_256_GCM_SHA384,Y,Y,[RFC8446]
"0x13,0x03",TLS_CHACHA20_POLY1305_SHA256,Y,Y,[RFC8446]
"0x13,0x04",TLS_AES_128_CCM_SHA256,Y,Y,[RFC8446]
"0x13,0x05",TLS_AES_128_CCM_8_SHA256,Y,N,[RFC8446][IESG Action 2018-08-16]
"0x13,0x06-0xFF",Unassigned,,,
"0x14-55,*",Unassigned,,,
"0x56,0x00",TLS_FALLBACK_SCSV,Y,N,[RFC7507]
"0x56,0x01-0xC0,0x00",Unassigned,,,
"0xC0,0x01",TLS_ECDH_ECDSA_WITH_NULL_SHA,Y,N,[RFC8422]
"0xC0,0x02",TLS_ECDH_ECDSA_WITH_RC4_128_SHA,N,N,[RFC8422][RFC6347]
"0xC0,0x03",TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x04",TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x05",TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x06",TLS_ECDHE_ECDSA_WITH_NULL_SHA,Y,N,[RFC8422]
"0xC0,0x07",TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,N,N,[RFC8422][RFC6347]
"0xC0,0x08",TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x09",TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x0A",TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x0B",TLS_ECDH_RSA_WITH_NULL_SHA,Y,N,[RFC8422]
"0xC0,0x0C",TLS_ECDH_RSA_WITH_RC4_128_SHA,N,N,[RFC8422][RFC6347]
"0xC0,0x0D",TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x0E",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x0F",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x10",TLS_ECDHE_RSA_WITH_NULL_SHA,Y,N,[RFC8422]
"0xC0,0x11",TLS_ECDHE_RSA_WITH_RC4_128_SHA,N,N,[RFC8422][RFC6347]
"0xC0,0x12",TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x13",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x14",TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x15",TLS_ECDH_anon_WITH_NULL_SHA,Y,N,[RFC8422]
"0xC0,0x16",TLS_ECDH_anon_WITH_RC4_128_SHA,N,N,[RFC8422][RFC6347]
"0xC0,0x17",TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x18",TLS_ECDH_anon_WITH_AES_128_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x19",TLS_ECDH_anon_WITH_AES_256_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x1A",TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC5054]
"0xC0,0x1B",TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC5054]
"0xC0,0x1C",TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC5054]
"0xC0,0x1D",TLS_SRP_SHA_WITH_AES_128_CBC_SHA,Y,N,[RFC5054]
"0xC0,0x1E",TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,Y,N,[RFC5054]
"0xC0,0x1F",TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,Y,N,[RFC5054]
"0xC0,0x20",TLS_SRP_SHA_WITH_AES_256_CBC_SHA,Y,N,[RFC5054]
"0xC0,0x21",TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,Y,N,[RFC5054]
"0xC0,0x22",TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,Y,N,[RFC5054]
"0xC0,0x23",TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,Y,N,[RFC5289]
"0xC0,0x24",TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,Y,N,[RFC5289]
"0xC0,0x25",TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,Y,N,[RFC5289]
"0xC0,0x26",TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,Y,N,[RFC5289]
"0xC0,0x27",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,Y,N,[RFC5289]
"0xC0,0x28",TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,Y,N,[RFC5289]
"0xC0,0x29",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,Y,N,[RFC5289]
"0xC0,0x2A",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,Y,N,[RFC5289]
"0xC0,0x2B",TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,Y,Y,[RFC5289]
"0xC0,0x2C",TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,Y,Y,[RFC5289]
"0xC0,0x2D",TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,Y,N,[RFC5289]
"0xC0,0x2E",TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,Y,N,[RFC5289]
"0xC0,0x2F",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,Y,Y,[RFC5289]
"0xC0,0x30",TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,Y,Y,[RFC5289]
"0xC0,0x31",TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,Y,N,[RFC5289]
"0xC0,0x32",TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,Y,N,[RFC5289]
"0xC0,0x33",TLS_ECDHE_PSK_WITH_RC4_128_SHA,N,N,[RFC5489][RFC6347]
"0xC0,0x34",TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC5489]
"0xC0,0x35",TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,Y,N,[RFC5489]
"0xC0,0x36",TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,Y,N,[RFC5489]
"0xC0,0x37",TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,Y,N,[RFC5489]
"0xC0,0x38",TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,Y,N,[RFC5489]
"0xC0,0x39",TLS_ECDHE_PSK_WITH_NULL_SHA,Y,N,[RFC5489]
"0xC0,0x3A",TLS_ECDHE_PSK_WITH_NULL_SHA256,Y,N,[RFC5489]
"0xC0,0x3B",TLS_ECDHE_PSK_WITH_NULL_SHA384,Y,N,[RFC5489]
"0xC0,0x3C",TLS_RSA_WITH_ARIA_128_CBC_SHA256,Y,N,[RFC6209]
"0xC0,0x3D",TLS_RSA_WITH_ARIA_256_CBC_SHA384,Y,N,[RFC6209]
"0xC0,0x3E",TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256,Y,N,[RFC6209]
"0xC0,0x3F",TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384,Y,N,[RFC6209]
"0xC0,0x40",TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256,Y,N,[RFC6209]
"0xC0,0x41",TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384,Y,N,[RFC6209]
"0xC0,0x42",TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256,Y,N,[RFC6209]
"0xC0,0x43",TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384,Y,N,[RFC6209]
"0xC0,0x44",TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,Y,N,[RFC6209]
"0xC0,0x45",TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,Y,N,[RFC6209]
"0xC0,0x46",TLS_DH_anon_WITH_ARIA_128_CBC_SHA256,Y,N,[RFC6209]
"0xC0,0x47",TLS_DH_anon_WITH_ARIA_256_CBC_SHA384,Y,N,[RFC6209]
"0xC0,0x48",TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,Y,N,[RFC6209]
"0xC0,0x49",TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,Y,N,[RFC6209]
"0xC0,0x4A",TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,Y,N,[RFC6209]
"0xC0,0x4B",TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,Y,N,[RFC6209]
"0xC0,0x4C",TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,Y,N,[RFC6209]
"0xC0,0x4D",TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,Y,N,[RFC6209]
"0xC0,0x4E",TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,Y,N,[RFC6209]
"0xC0,0x4F",TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,Y,N,[RFC6209]
"0xC0,0x50",TLS_RSA_WITH_ARIA_128_GCM_SHA256,Y,N,[RFC6209]
"0xC0,0x51",TLS_RSA_WITH_ARIA_256_GCM_SHA384,Y,N,[RFC6209]
"0xC0,0x52",TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,Y,N,[RFC6209]
"0xC0,0x53",TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,Y,N,[RFC6209]
"0xC0,0x54",TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256,Y,N,[RFC6209]
"0xC0,0x55",TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384,Y,N,[RFC6209]
"0xC0,0x56",TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256,Y,N,[RFC6209]
"0xC0,0x57",TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384,Y,N,[RFC6209]
"0xC0,0x58",TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256,Y,N,[RFC6209]
"0xC0,0x59",TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384,Y,N,[RFC6209]
"0xC0,0x5A",TLS_DH_anon_WITH_ARIA_128_GCM_SHA256,Y,N,[RFC6209]
"0xC0,0x5B",TLS_DH_anon_WITH_ARIA_256_GCM_SHA384,Y,N,[RFC6209]
"0xC0,0x5C",TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,Y,N,[RFC6209]
"0xC0,0x5D",TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,Y,N,[RFC6209]
"0xC0,0x5E",TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,Y,N,[RFC6209]
"0xC0,0x5F",TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,Y,N,[RFC6209]
"0xC0,0x60",TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,Y,N,[RFC6209]
"0xC0,0x61",TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,Y,N,[RFC6209]
"0xC0,0x62",TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,Y,N,[RFC6209]
"0xC0,0x63",TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,Y,N,[RFC6209]
"0xC0,0x64",TLS_PSK_WITH_ARIA_128_CBC_SHA256,Y,N,[RFC6209]
"0xC0,0x65",TLS_PSK_WITH_ARIA_256_CBC_SHA384,Y,N,[RFC6209]
"0xC0,0x66",TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,Y,N,[RFC6209]
"0xC0,0x67",TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,Y,N,[RFC6209]
"0xC0,0x68",TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,Y,N,[RFC6209]
"0xC0,0x69",TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,Y,N,[RFC6209]
"0xC0,0x6A",TLS_PSK_WITH_ARIA_128_GCM_SHA256,Y,N,[RFC6209]
"0xC0,0x6B",TLS_PSK_WITH_ARIA_256_GCM_SHA384,Y,N,[RFC6209]
"0xC0,0x6C",TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,Y,N,[RFC6209]
"0xC0,0x6D",TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,Y,N,[RFC6209]
"0xC0,0x6E",TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,Y,N,[RFC6209]
"0xC0,0x6F",TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,Y,N,[RFC6209]
"0xC0,0x70",TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,Y,N,[RFC6209]
"0xC0,0x71",TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,Y,N,[RFC6209]
"0xC0,0x72",TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,Y,N,[RFC6367]
"0xC0,0x73",TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,Y,N,[RFC6367]
"0xC0,0x74",TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,Y,N,[RFC6367]
"0xC0,0x75",TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,Y,N,[RFC6367]
"0xC0,0x76",TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,N,[RFC6367]
"0xC0,0x77",TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,Y,N,[RFC6367]
"0xC0,0x78",TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,N,[RFC6367]
"0xC0,0x79",TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,Y,N,[RFC6367]
"0xC0,0x7A",TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,N,[RFC6367]
"0xC0,0x7B",TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,N,[RFC6367]
"0xC0,0x7C",TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,N,[RFC6367]
"0xC0,0x7D",TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,N,[RFC6367]
"0xC0,0x7E",TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,N,[RFC6367]
"0xC0,0x7F",TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,N,[RFC6367]
"0xC0,0x80",TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256,Y,N,[RFC6367]
"0xC0,0x81",TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384,Y,N,[RFC6367]
"0xC0,0x82",TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256,Y,N,[RFC6367]
"0xC0,0x83",TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384,Y,N,[RFC6367]
"0xC0,0x84",TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256,Y,N,[RFC6367]
"0xC0,0x85",TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384,Y,N,[RFC6367]
"0xC0,0x86",TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,Y,N,[RFC6367]
"0xC0,0x87",TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,Y,N,[RFC6367]
"0xC0,0x88",TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,Y,N,[RFC6367]
"0xC0,0x89",TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,Y,N,[RFC6367]
"0xC0,0x8A",TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,N,[RFC6367]
"0xC0,0x8B",TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,N,[RFC6367]
"0xC0,0x8C",TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,N,[RFC6367]
"0xC0,0x8D",TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,N,[RFC6367]
"0xC0,0x8E",TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,Y,N,[RFC6367]
"0xC0,0x8F",TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,Y,N,[RFC6367]
"0xC0,0x90",TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,Y,N,[RFC6367]
"0xC0,0x91",TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,Y,N,[RFC6367]
"0xC0,0x92",TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,Y,N,[RFC6367]
"0xC0,0x93",TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,Y,N,[RFC6367]
"0xC0,0x94",TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,Y,N,[RFC6367]
"0xC0,0x95",TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,Y,N,[RFC6367]
"0xC0,0x96",TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,Y,N,[RFC6367]
"0xC0,0x97",TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,Y,N,[RFC6367]
"0xC0,0x98",TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,Y,N,[RFC6367]
"0xC0,0x99",TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,Y,N,[RFC6367]
"0xC0,0x9A",TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,Y,N,[RFC6367]
"0xC0,0x9B",TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,Y,N,[RFC6367]
"0xC0,0x9C",TLS_RSA_WITH_AES_128_CCM,Y,N,[RFC6655]
"0xC0,0x9D",TLS_RSA_WITH_AES_256_CCM,Y,N,[RFC6655]
"0xC0,0x9E",TLS_DHE_RSA_WITH_AES_128_CCM,Y,Y,[RFC6655]
"0xC0,0x9F",TLS_DHE_RSA_WITH_AES_256_CCM,Y,Y,[RFC6655]
"0xC0,0xA0",TLS_RSA_WITH_AES_128_CCM_8,Y,N,[RFC6655]
"0xC0,0xA1",TLS_RSA_WITH_AES_256_CCM_8,Y,N,[RFC6655]
"0xC0,0xA2",TLS_DHE_RSA_WITH_AES_128_CCM_8,Y,N,[RFC6655]
"0xC0,0xA3",TLS_DHE_RSA_WITH_AES_256_CCM_8,N,N,[RFC6655]
"0xC0,0xA4",TLS_PSK_WITH_AES_128_CCM,Y,N,[RFC6655]
"0xC0,0xA5",TLS_PSK_WITH_AES_256_CCM,Y,N,[RFC6655]
"0xC0,0xA6",TLS_DHE_PSK_WITH_AES_128_CCM,Y,Y,[RFC6655]
"0xC0,0xA7",TLS_DHE_PSK_WITH_AES_256_CCM,Y,Y,[RFC6655]
"0xC0,0xA8",TLS_PSK_WITH_AES_128_CCM_8,Y,N,[RFC6655]
"0xC0,0xA9",TLS_PSK_WITH_AES_256_CCM_8,Y,N,[RFC6655]
"0xC0,0xAA",TLS_PSK_DHE_WITH_AES_128_CCM_8,Y,N,[RFC6655]
"0xC0,0xAB",TLS_PSK_DHE_WITH_AES_256_CCM_8,Y,N,[RFC6655]
"0xC0,0xAC",TLS_ECDHE_ECDSA_WITH_AES_128_CCM,Y,N,[RFC7251]
"0xC0,0xAD",TLS_ECDHE_ECDSA_WITH_AES_256_CCM,Y,N,[RFC7251]
"0xC0,0xAE",TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,Y,N,[RFC7251]
"0xC0,0xAF",TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,Y,N,[RFC7251]
"0xC0,0xB0",TLS_ECCPWD_WITH_AES_128_GCM_SHA256,Y,N,[RFC-harkins-tls-dragonfly-03]
"0xC0,0xB1",TLS_ECCPWD_WITH_AES_256_GCM_SHA384,Y,N,[RFC-harkins-tls-dragonfly-03]
"0xC0,0xB2",TLS_ECCPWD_WITH_AES_128_CCM_SHA256,Y,N,[RFC-harkins-tls-dragonfly-03]
"0xC0,0xB3",TLS_ECCPWD_WITH_AES_256_CCM_SHA384,Y,N,[RFC-harkins-tls-dragonfly-03]
"0xC0,0xB4-FF",Unassigned,,,
"0xC1-CB,*",Unassigned,,,
"0xCC,0x00-A7",Unassigned,,,
"0xCC,0xA8",TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,Y,Y,[RFC7905]
"0xCC,0xA9",TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,Y,Y,[RFC7905]
"0xCC,0xAA",TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,Y,Y,[RFC7905]
"0xCC,0xAB",TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,Y,N,[RFC7905]
"0xCC,0xAC",TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,Y,Y,[RFC7905]
"0xCC,0xAD",TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,Y,Y,[RFC7905]
"0xCC,0xAE",TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,Y,N,[RFC7905]
"0xCC,0xAF-FF",Unassigned,,,
"0xCD-CF,*",Unassigned,,,
"0xD0,0x00",Unassigned,,,
"0xD0,0x01",TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256,Y,Y,[RFC8442]
"0xD0,0x02",TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384,Y,Y,[RFC8442]
"0xD0,0x03",TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256,Y,N,[RFC8442]
"0xD0,0x04",Unassigned,,,
"0xD0,0x05",TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256,Y,Y,[RFC8442]
"0xD0,0x06-FF",Unassigned,,,
"0xD1-FD,*",Unassigned,,,
"0xFE,0x00-FD",Unassigned,,,
"0xFE,0xFE-FF","Reserved to avoid conflicts with
widely deployed implementations",,,[Pasi_Eronen]
"0xFF,0x00-FF",Reserved for Private Use,,,[RFC8446]

Dueling Thawte Premium Server CA certificates

Why are there two different Thawte Premium Server CA certificates out there?
Thawte distributes one at their root certificates web site:

Serial Number: 36 12 22 96 c5 e3 38 a5 20 a1 d2 5f 4c d7 09 54
Valid From: Wednesday, July 31, 1996
Valid to:  Friday, January 01, 2021
Certificate SHA1 Fingerprint: e0 ab 05 94 20 72 54 93 05 60 62 02 36 70 f7 cd 2e fc 66 66
Key Size: RSA(1024 Bits)

but there is a different version distributed with Redhat, Debian, Firefox, and OS X:

Serial Number: 1 (0x1)
Validity
     Not Before: AugĀ  1 00:00:00 1996 GMT
     Not After : Dec 31 23:59:59 2020 GMT
SHA1 Fingerprint=62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A

If I build a certificate chain for an SSL web server using the one from Thawte’s web site, OS X says the site uses an invalid certificate.

*** Update ***

There ARE 2 different Thawte Premium Server CA certificates:

MD5-signed
SHA1-signed

We’ll see if they tell me why they did that…

*** Update 2 ***

Thawte was required by the browser vendors to sign their CA certs with SHA1 instead of MD5. See here: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AD221