Where can I find a list of all assigned TLS extensions, groups, ciphers?


I'm writing some code to parse TLS packets and ran across a weird issue. I don't think the official IANA pages are up to date, seeing as I've found groups, ciphers, and an extension that appear in traffic but not on these pages:

The above pages lack:

  • Extension 13172 (NPN)
  • Groups: 1035, 10794, 16696, 23130, 31354, 35466, 51914
  • Ciphers: 102, 129, 52243, 52244, 57363, 65279, 65413

I have a feeling this discrepancy has to do with TLS 1.3, but I can't seem to find similar references for TLS 1.3 values (did IANA really overhaul all values in TLS 1.3?)

Answer by dave_thompson_085 (best answer)

(Extension) NPN was never standardized; ALPN was selected instead. Drafts should still be available.

(Groups) 10794=0x2a2a 23130=0x5a5a 31354=0x7a7a 35466=0x8a8a 51914=0xcaca are all 'GREASE' values and are in the registry pointing to RFC 8701. I don't know what 1035=0x40b and 16696=0x4138 could be.

(Ciphers) According to Java source and older OpenSSL source, 102=0x0066 was defined in the failed EXPORT1024 draft, although it (alone) isn't actually restricted to 1024/56 strength. https://github.com/tls-check/TLS-Check/blob/master/lib/Net/SSL/CipherSuites.pm agrees with this, and has 52243=0xCC13 and 52244=0xCC14 as CHACHA suites used by Chrome at some time in the past (before standardization) and 65279=0xFEFF as RSA_FIPS_WITH_3DES_EDE_CBC_SHA_alias; it doesn't have 57363=0xE013. https://tlsfingerprint.io/top/ciphers has CC13,CC14 as 'LEGACY' CHACHA, FEFF the same, and E013 as unknown, all occurring rarely in ClientHello (offer) and never in ServerHello (result). 65413=0xFF85 is in the private-use range and could be anything.

TLS1.3 has all new ciphersuites 0x13xx that are functionally incompatible with older ones as they no longer specify key exchange and server authentication; this is explained in 8446. 1.3 uses the same groups as lower protocols after the modifications of 7919 and 8422 (and 8701). It also uses mostly the same hash+sigalg pairs, now called SignatureSchemes, but changes the ECDSA values to constrain the curve, and adds new values for RSA-PSS (which are nominally required to be backported to 1.2, although that will likely be done only in implementations that implement 1.3 also). 1.3 keeps the existing extensions, though some are no longer used (e.g. renegotiation-info, extended-master, encrypt-then-mac and point-formats don't apply to 1.3 because of protocol changes, though they can still be in a 1.3 offer to allow the server to accept at 1.2 or lower), and adds several new ones.

PS: IANA didn't 'overhaul' anything. While it has primary control for some resources (like addresses), for standards-track specifications and standards-action or similar registries IANA only records and publishes decisions proposed by the relevant IETF Working Group and approved by IESG.
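For a parser that meets values like these, the following added example (not code from the answer or from any project it links) sorts 16-bit codepoints into GREASE, private use, or the legacy values named in the answer. The function names are hypothetical; the GREASE pattern is from RFC 8701 and the private-use ranges for cipher suites and groups are from RFC 8446.

```python
# Added example: bucket TLS codepoints that are missing from the IANA
# "assigned" tables. Names here are hypothetical, not from any library.

# Pre-standard cipher suite values, restating the notes in the answer above.
LEGACY_CIPHERS = {
    0x0066: "EXPORT1024 draft (never standardized)",
    0xCC13: "pre-standard CHACHA (older Chrome)",
    0xCC14: "pre-standard CHACHA (older Chrome)",
    0xFEFF: "RSA_FIPS_WITH_3DES_EDE_CBC_SHA alias",
}

def is_grease(value: int) -> bool:
    """RFC 8701: the 16 values 0x0A0A, 0x1A1A, ..., 0xFAFA."""
    hi, lo = value >> 8, value & 0xFF
    return 0 <= value <= 0xFFFF and hi == lo and (lo & 0x0F) == 0x0A

def is_private_use(kind: str, value: int) -> bool:
    """Private-use ranges defined in RFC 8446."""
    if kind == "cipher":   # first byte 0xFF
        return 0xFF00 <= value <= 0xFFFF
    if kind == "group":    # ecdhe_private_use and ffdhe_private_use
        return 0xFE00 <= value <= 0xFEFF or 0x01FC <= value <= 0x01FF
    raise ValueError(f"unsupported kind: {kind!r}")

def classify(kind: str, value: int) -> str:
    if not 0 <= value <= 0xFFFF:
        raise ValueError("cipher suite and group codepoints are 16-bit")
    if is_grease(value):
        return "GREASE"
    if is_private_use(kind, value):
        return "private use"
    if kind == "cipher" and value in LEGACY_CIPHERS:
        return "legacy: " + LEGACY_CIPHERS[value]
    return "unknown"  # not covered by these rules; check registry and drafts

def report(kind: str, values) -> dict:
    return {f"0x{v:04X}": classify(kind, v) for v in values}

if __name__ == "__main__":
    # Values copied from the question.
    groups = [1035, 10794, 16696, 23130, 31354, 35466, 51914]
    ciphers = [102, 129, 52243, 52244, 57363, 65279, 65413]
    for kind, vals in (("group", groups), ("cipher", ciphers)):
        for code, verdict in report(kind, vals).items():
            print(f"{kind:6} {code}  {verdict}")
```

Running the GREASE check before any registry lookup keeps a parser from logging these deliberately random values as unknown codepoints.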