Product Documentation

Ciphers Supported by the NetScaler Appliance

Feb 27, 2018

Your NetScaler appliance ships with a predefined set of cipher groups. To use ciphers that are not part of the DEFAULT cipher group, you have to explicitly bind them to an SSL virtual server. You can also create a user-defined cipher group to bind to the SSL virtual server. For more information about creating a user-defined cipher group, see Configuring User-Defined Cipher Groups on the NetScaler Appliance.

To see the complete list of ciphers supported on your appliance, at the NetScaler CLI, type: show ciphers

The following tables list the ciphers that are currently supported by NetScaler appliances.

 

| Cipher Suite | Software Releases Supported | Protocol | Key Exchange Algorithm | Authentication Algorithm | Encryption Algorithm (Key Size) | Message Authentication Code (MAC) Algorithm | Hex Code | Wireshark Ciphersuite Name |
|---|---|---|---|---|---|---|---|---|
| TLS1-AES-256-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1, TLSv1.2 | RSA | RSA | AES(256) | SHA1 | 0x0035 | TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS1-AES-128-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1, TLSv1.2 | RSA | RSA | AES(128) | SHA1 | 0x002f | TLS_RSA_WITH_AES_128_CBC_SHA |
| TLS1.2-AES-256-SHA256 | 11.1, 12.0 | TLSv1.2 | RSA | RSA | AES(256) | SHA-256 | 0x003d | TLS_RSA_WITH_AES_256_CBC_SHA256 |
| TLS1.2-AES-128-SHA256 | 11.1, 12.0 | TLSv1.2 | RSA | RSA | AES(128) | SHA-256 | 0x003c | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS1.2-AES256-GCM-SHA384 | 11.1, 12.0 | TLSv1.2 | RSA | RSA | AES-GCM(256) | AEAD | 0x009d | TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS1.2-AES128-GCM-SHA256 | 11.1, 12.0 | TLSv1.2 | RSA | RSA | AES-GCM(128) | AEAD | 0x009c | TLS_RSA_WITH_AES_128_GCM_SHA256 |
| TLS1-ECDHE-RSA-AES256-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1, TLSv1.2 | ECC-DHE | RSA | AES(256) | SHA1 | 0xc014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| TLS1-ECDHE-RSA-AES128-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1, TLSv1.2 | ECC-DHE | RSA | AES(128) | SHA1 | 0xc013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| TLS1.2-ECDHE-RSA-AES-256-SHA384 | 11.1, 12.0 | TLSv1.2 | ECC-DHE | RSA | AES(256) | SHA-384 | 0xc028 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS1.2-ECDHE-RSA-AES-128-SHA256 | 11.1, 12.0 | TLSv1.2 | ECC-DHE | RSA | AES(128) | SHA-256 | 0xc027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 | 11.1, 12.0 | TLSv1.2 | ECC-DHE | RSA | AES-GCM(256) | AEAD | 0xc030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 | 11.1, 12.0 | TLSv1.2 | ECC-DHE | RSA | AES-GCM(128) | AEAD | 0xc02f | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS1.2-DHE-RSA-AES-256-SHA256 | 11.1, 12.0 | TLSv1.2 | DH | RSA | AES(256) | SHA-256 | 0x006b | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| TLS1.2-DHE-RSA-AES-128-SHA256 | 11.1, 12.0 | TLSv1.2 | DH | RSA | AES(128) | SHA-256 | 0x0067 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS1.2-DHE-RSA-AES256-GCM-SHA384 | 11.1, 12.0 | TLSv1.2 | DH | RSA | AES-GCM(256) | AEAD | 0x009f | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS1.2-DHE-RSA-AES128-GCM-SHA256 | 11.1, 12.0 | TLSv1.2 | DH | RSA | AES-GCM(128) | AEAD | 0x009e | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS1-DHE-RSA-AES-256-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1, TLSv1.2 | DH | RSA | AES(256) | SHA1 | 0x0039 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| TLS1-DHE-RSA-AES-128-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1, TLSv1.2 | DH | RSA | AES(128) | SHA1 | 0x0033 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| TLS1-DHE-DSS-AES-256-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1 | DH | DSS | AES(256) | SHA1 | 0x0038 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| TLS1-DHE-DSS-AES-128-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1 | DH | DSS | AES(128) | SHA1 | 0x0032 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| TLS1-ECDHE-RSA-DES-CBC3-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1, TLSv1.2 | ECC-DHE | RSA | 3DES(168) | SHA1 | 0xc012 | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
| SSL3-EDH-RSA-DES-CBC3-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1, TLSv1.2 | DH | RSA | 3DES(168) | SHA1 | 0x0016 | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA |
| SSL3-EDH-DSS-DES-CBC3-SHA | 11.1, 12.0 | SSLv3, TLSv1 | DH | DSS | 3DES(168) | SHA1 | 0x0013 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
| TLS1-ECDHE-RSA-RC4-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1, TLSv1.2 | ECC-DHE | RSA | RC4(128) | SHA1 | 0xc011 | TLS_ECDHE_RSA_WITH_RC4_128_SHA |
| TLS1-DHE-DSS-RC4-SHA | 11.1, 12.0 | SSLv3, TLSv1 | DH | DSS | RC4(128) | SHA1 | 0x0066 | TLS_DHE_DSS_WITH_RC4_128_SHA |
| SSL3-DES-CBC3-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1, TLSv1.2 | RSA | RSA | 3DES(168) | SHA1 | 0x000a | TLS_RSA_WITH_3DES_EDE_CBC_SHA |

 

| Cipher Suite | Software Releases Supported | Protocol | Key Exchange Algorithm | Authentication Algorithm | Encryption Algorithm (Key Size) | Message Authentication Code (MAC) Algorithm | Hex Code | Wireshark Ciphersuite Name |
|---|---|---|---|---|---|---|---|---|
| SSL3-DES-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1 | RSA | RSA | DES(56) | SHA1 | 0x0009 | TLS_RSA_WITH_DES_CBC_SHA |
| TLS1-EXP1024-RC4-SHA | 11.1, 12.0 | TLSv1 | RSA(1024) | RSA | RC4(56) | SHA1 Export | 0x0064 | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA |
| SSL3-EXP-RC4-MD5 | 11.1, 12.0 | SSLv3, TLSv1 | RSA(512) | RSA | RC4(40) | MD5 Export | 0x0003 | TLS_RSA_EXPORT_WITH_RC4_40_MD5 |
| SSL3-EXP-DES-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1 | RSA(512) | RSA | DES(40) | SHA1 Export | 0x0008 | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA |
| SSL3-EXP-RC2-CBC-MD5 | 11.1, 12.0 | SSLv3, TLSv1 | RSA(512) | RSA | RC2(40) | MD5 Export | 0x0006 | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 |
| SSL2-RC4-MD5 | 11.1, 12.0 | SSLv2 | RSA | RSA | RC4(128) | MD5 | 0x0080 | SSL2_RC4_128_WITH_MD5 |
| SSL2-DES-CBC3-MD5 | 11.1, 12.0 | SSLv2 | RSA | RSA | 3DES(168) | MD5 | 0x00c0 | SSL2_DES_192_EDE3_CBC_WITH_MD5 |
| SSL2-RC2-CBC-MD5 | 11.1, 12.0 | SSLv2 | RSA | RSA | RC2(128) | MD5 | 0x0080 | SSL2_RC4_128_EXPORT40_WITH_MD5 |
| SSL2-DES-CBC-MD5 | 11.1, 12.0 | SSLv2 | RSA | RSA | DES(56) | MD5 | 0x0040 | SSL2_DES_64_CBC_WITH_MD5 |
| SSL2-RC4-64-MD5 | 11.1, 12.0 | SSLv2 | RSA | RSA | RC4(64) | MD5 | 0x0080 | SSL2_RC4_64_WITH_MD5 |
| SSL2-EXP-RC4-MD5 | 11.1, 12.0 | SSLv2 | RSA(512) | RSA | RC4(40) | MD5 Export | 0x0080 | SSL2_RC4_128_EXPORT40_WITH_MD5 |
| SSL3-EDH-DSS-DES-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1 | DH | DSS | DES(56) | SHA1 | 0x0012 | TLS_DHE_DSS_WITH_DES_CBC_SHA |
| TLS1-EXP1024-DHE-DSS-DES-CBC-SHA | 11.1, 12.0 | TLSv1 | DH(1024) | DSS | DES(56) | SHA1 Export | 0x0063 | TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA |
| TLS1-EXP1024-DHE-DSS-RC4-SHA | 11.1, 12.0 | TLSv1 | DH(1024) | DSS | RC4(56) | SHA1 Export | 0x0065 | TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA |
| SSL3-EXP-EDH-DSS-DES-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1 | DH(512) | DSS | DES(40) | SHA1 Export | 0x0011 | TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA |
| SSL3-EDH-RSA-DES-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1 | DH | RSA | DES(56) | SHA1 | 0x0015 | TLS_DHE_RSA_WITH_DES_CBC_SHA |
| SSL3-EXP-EDH-RSA-DES-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1 | DH(512) | RSA | DES(40) | DES(40) | 0x0014 | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA |
| TLS1-EXP1024-RC4-MD5 | 11.1, 12.0 | TLSv1 | RSA(1024) | RSA | RC4(56) | MD5 Export | 0x0060 | TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 |
| TLS1-EXP1024-RC2-CBC-MD5 | 11.1, 12.0 | TLSv1 | RSA(1024) | RSA | RC2(56) | MD5 Export | 0x0061 | TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 |
| SSL2-EXP-RC2-CBC-MD5 | 11.1, 12.0 | SSLv2 | RSA(512) | RSA | RC2(40) | MD5 Export | 0x0080 | SSL2_RC2_CBC_128_CBC_WITH_MD5 |
| SSL3-ADH-RC4-MD5 | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1 | DH | None | RC4(128) | MD5 | 0x0018 | TLS_DH_anon_WITH_RC4_128_MD5 |
| SSL3-ADH-DES-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1 | DH | None | DES(56) | SHA1 | 0x001b | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA |
| SSL3-ADH-DES-CBC3-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1 | DH | None | 3DES(168) | SHA1 | 0x001a | TLS_DH_anon_WITH_DES_CBC_SHA |
| TLS1-ADH-AES-128-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1 | DH | None | AES(128) | SHA1 | 0x0034 | TLS_DH_anon_WITH_AES_128_CBC_SHA |
| TLS1-ADH-AES-256-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1 | DH | None | AES(256) | SHA1 | 0x003a | TLS_DH_anon_WITH_AES_256_CBC_SHA |
| SSL3-EXP-ADH-RC4-MD5 | 11.1, 12.0 | SSLv3, TLSv1 | DH(512) | None | RC4(40) | MD5 Export | 0x0017 | TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 |
| SSL3-EXP-ADH-DES-CBC-SHA | 11.1, 12.0 | SSLv3, TLSv1 | DH(512) | None | DES(40) | SHA1 Export | 0x0019 | TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA |
| SSL3-RC4-SHA | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1, TLSv1.2 | RSA | RSA | RC4(128) | SHA1 | 0x0005 | TLS_RSA_WITH_RC4_128 |
| SSL3-RC4-MD5 | 11.1, 12.0 | SSLv3, TLSv1, TLSv1.1, TLSv1.2 | RSA | RSA | RC4(128) | MD5 | 0x0004 | TLS_RSA_WITH_RC4_128 |



| Cipher Suite | Software Releases Supported | Protocol | Key Exchange Algorithm | Authentication Algorithm | Encryption Algorithm (Key Size) | Message Authentication Code (MAC) Algorithm | Hex Code | Wireshark Ciphersuite Name |
|---|---|---|---|---|---|---|---|---|
| TLS1-ECDHE-ECDSA-AES256-SHA | 11.1, 12.0 | SSLv3 | ECC-DHE | ECDSA | AES(256) | SHA1 | 0xc00a | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| TLS1-ECDHE-ECDSA-AES128-SHA | 11.1, 12.0 | SSLv3 | ECC-DHE | ECDSA | AES(128) | SHA1 | 0xc009 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
| TLS1.2-ECDHE-ECDSA-AES256-SHA384 | 11.1, 12.0 | TLSv1.2 | ECC-DHE | ECDSA | AES(256) | SHA-384 | 0xc024 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| TLS1.2-ECDHE-ECDSA-AES128-SHA256 | 11.1, 12.0 | TLSv1.2 | ECC-DHE | ECDSA | AES(128) | SHA-256 | 0xc023 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 | 11.1, 12.0 | TLSv1.2 | ECC-DHE | ECDSA | AES-GCM(256) | AEAD | 0xc02c | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 | 11.1, 12.0 | TLSv1.2 | ECC-DHE | ECDSA | AES-GCM(128) | AEAD | 0xc02b | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS1-ECDHE-ECDSA-DES-CBC3-SHA | 11.1, 12.0 | SSLv3 | ECC-DHE | ECDSA | 3DES(168) | SHA1 | 0xc008 | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
| TLS1-ECDHE-ECDSA-RC4-SHA | 11.1, 12.0 | SSLv3 | ECC-DHE | ECDSA | RC4(128) | SHA1 | 0xc007 | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA |
| TLS1.2-DHE-RSA-CHACHA20-POLY1305 | 12.0 | TLSv1.2 | DH | RSA | CHACHA20/POLY1305(256) | AEAD | 0xccaa | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
| TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 | 12.0 | TLSv1.2 | ECC-DHE | RSA | CHACHA20/POLY1305(256) | AEAD | 0xcca8 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
| SSL3-NULL-MD5 | 11.1, 12.0 | SSLv3 | RSA | RSA | None | MD5 | 0x0001 | TLS_RSA_WITH_NULL_MD5 |
| SSL3-NULL-SHA | 11.1, 12.0 | SSLv3 | RSA | RSA | None | SHA1 | 0x0002 | TLS_RSA_WITH_NULL_SHA |

Note

  1. The following curves are supported for ECDHE key exchange algorithms:
    • ECDHE 521 curve
    • ECDHE 384 curve
    • ECDHE 256 curve
    • ECDHE 224 curve
      For more information about the ECDHE ciphers supported on a NetScaler appliance, see Configuring ECDHE Ciphers.
  2. AES-GCM/SHA2 ciphers are supported on both the front end and back end SSL entities on an MPX appliance. On an SDX appliance, an SSL chip must be assigned to the VPX instance for this support. AES-GCM/SHA2 ciphers are supported only on the front end SSL entities on a VPX appliance. 
  3. All ChaCha20-Poly1305 ciphers use a TLS pseudorandom function (PRF) with the SHA-256 hash function.

Important

The following restriction applies to NetScaler release 11.1 and earlier:

The NetScaler VPX appliance supports only the SHA256 + RSA (Hex code 0x0401) signature hash algorithm in the certificate request message. If you use a different signature algorithm to sign the certificate verify message, the TLSv1.2 handshake fails during client authentication with the error message "Unsupported Certificate."
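
When choosing which of the ciphers in the tables above to bind to an SSL virtual server, the cipher name alone already encodes most of what the table columns record. The following Python sketch is an added example, not Citrix code: it tokenizes NetScaler cipher names (as listed above or by `show ciphers`) and flags SSLv2-only, export-grade, anonymous-DH, NULL-encryption, RC4/RC2, DES/3DES, MD5-MAC and static-RSA (no forward secrecy) suites. The function names, finding codes and the sample list are assumptions constructed for this example.

```python
# Added example: audit NetScaler cipher names using the naming seen in the tables.
FS_TOKENS = {"ECDHE", "DHE", "EDH"}  # ephemeral (EC)DH key exchange in the name

# Constructed sample: names copied from the tables on this page.
SAMPLE = [
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
    "TLS1-AES-256-CBC-SHA",
    "SSL3-EXP-ADH-RC4-MD5",
    "SSL3-NULL-SHA",
    "SSL2-DES-CBC3-MD5",
    "TLS1.2-DHE-RSA-CHACHA20-POLY1305",
]

def audit_cipher(name):
    """Return a sorted list of finding codes derived from one cipher name."""
    tokens = name.upper().replace(" ", "").split("-")
    findings = set()
    if tokens[0] == "SSL2":
        findings.add("SSLV2")      # Protocol column: SSLv2 only
    if any(t.startswith("EXP") for t in tokens):
        findings.add("EXPORT")     # EXP / EXP1024: export-grade key sizes
    if "ADH" in tokens:
        findings.add("ANON")       # Authentication column: None
    elif not FS_TOKENS & set(tokens):
        findings.add("NO_FS")      # Key exchange column: RSA (static)
    for weak in ("NULL", "RC4", "RC2", "MD5"):
        if weak in tokens:
            findings.add(weak)
    if "DES" in tokens:
        i = tokens.index("DES")
        # "DES-CBC3" is 3DES(168) in the tables; "DES-CBC" is single DES
        findings.add("3DES" if tokens[i + 1:i + 2] == ["CBC3"] else "DES")
    return sorted(findings)

def bindable(names):
    """Names with no findings: candidates for a user-defined cipher group."""
    return [n for n in names if not audit_cipher(n)]

if __name__ == "__main__":
    for cipher in SAMPLE:
        print(f"{cipher:40s} {', '.join(audit_cipher(cipher)) or 'ok'}")
```

CBC-mode use is not flagged because names such as TLS1.2-AES-256-SHA256 omit the CBC token; check the Wireshark name column for that.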