IE Supported Cipher Suites
Summary: SSL cipher suite support on Internet Explorer depends both on the version of IE and on the version of the operating system. Internet Explorer 8 is crippled if it runs on Windows XP.
AES and ECDHE based suites are available if IE >= 7 AND OS >= Windows Vista. AES does not exist with IE8 on WinXP.
There are only three "strong" cipher suites that can be used to ensure compatibility with Windows XP:
- DES-CBC3-SHA (required)
- RC4-SHA (recommended)
- RC4-MD5 (reject)
DES-CBC3-SHA: Unfortunately, this suite allows the BEAST attack and is very slow. However, some XP machines are configured to be "FIPS Compliant" and ONLY this cipher will be used. It's not clear how widespread the configuration of "Windows XP + FIPS + Internet Explorer" is, but for maximum compatibility this cipher suite is required.
RC4-SHA: In general, RC4 is looking fragile, but in the context of SSL it is still considered secure (for now, anyway). It eliminates the BEAST attack and is ~5x faster than DES-CBC3-SHA.
RC4-MD5: This uses MD5, which is more or less obsolete cryptographically. Also, it appears that if RC4-MD5 is accepted, then RC4-SHA is also accepted. Therefore, this cipher can be rejected.
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html
- AES128-SHA
- AES256-SHA
- RC4-SHA
- DES-CBC3-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-RSA-AES256-SHA
- ECDHE-ECDSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA
- DHE-DSS-AES128-SHA
- DHE-DSS-AES256-SHA
- EDH-DSS-DES-CBC3-SHA
- RC4-MD5
Again, IE uses the OS's crypto suite. IE9 minimum requirement is Vista, so
http://msdn.microsoft.com/en-us/library/ff468651%28VS.85%29.aspx
According to http://blogs.technet.com/b/steriley/archive/2007/11/06/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista.aspx IE7's supported cipher suites are:
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_RC4_128_MD5
- SSL_CK_RC4_128_WITH_MD5
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5
- TLS_RSA_WITH_NULL_MD5
- TLS_RSA_WITH_NULL_SHA
IE8 is the last version of IE to run on Windows XP. It appears to use the OS's crypto libraries.
http://stackoverflow.com/questions/97421/does-ie6-support-aes-256-bit-encryption
IE7 and IE8 support AES but only on Vista or better. I've confirmed that they don't on Windows XP. Best IE8 on XP does is RC4 or 3DES.
http://support.microsoft.com/kb/245030
For SSL v3:
- SSL_RSA_EXPORT_WITH_RC4_40_MD5 { 0x00,0x03 }
- SSL_RSA_WITH_RC4_128_MD5 { 0x00,0x04 }
- SSL_RSA_WITH_RC4_128_SHA { 0x00,0x05 }
- SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 { 0x00,0x06 }
- SSL_RSA_WITH_DES_CBC_SHA { 0x00,0x09 }
- SSL_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
- SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA { 0x00,0x62 }
- SSL_RSA_EXPORT1024_WITH_RC4_56_SHA { 0x00,0x64 }
For TLS 1.0:
- TLS_RSA_EXPORT_WITH_RC4_40_MD5 { 0x00,0x03 }
- TLS_RSA_WITH_RC4_128_MD5 { 0x00,0x04 }
- TLS_RSA_WITH_RC4_128_SHA { 0x00,0x05 }
- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 { 0x00,0x06 }
- TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 }
- TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
- TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA { 0x00,0x62 }
- TLS_RSA_EXPORT1024_WITH_RC4_56_SHA { 0x00,0x64 }
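The Windows XP guidance near the top of this page (DES-CBC3-SHA required, RC4-SHA recommended, RC4-MD5 rejected) can be checked against a server's cipher list with the KB 245030 TLS 1.0 table above. The following is an added example, not code from the original page: it parses that table and reports what IE on XP, with and without FIPS mode, would negotiate. It assumes the server enforces its own preference order; `audit_xp`, `negotiate` and the three server lists are hypothetical names and constructed sample data.

```python
import re

# TLS 1.0 suites offered by IE on Windows XP, copied from the KB 245030 list on this page.
XP_TLS10 = """
TLS_RSA_EXPORT_WITH_RC4_40_MD5 { 0x00,0x03 } TLS_RSA_WITH_RC4_128_MD5 { 0x00,0x04 }
TLS_RSA_WITH_RC4_128_SHA { 0x00,0x05 } TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 { 0x00,0x06 }
TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 } TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA { 0x00,0x62 } TLS_RSA_EXPORT1024_WITH_RC4_56_SHA { 0x00,0x64 }
"""
ENTRY = re.compile(r"(\w+)\s*\{\s*0x([0-9A-Fa-f]{2})\s*,\s*0x([0-9A-Fa-f]{2})\s*\}")

def parse_suites(text):
    """Parse 'NAME { 0xHH,0xHH }' entries into {(hi, lo): name}."""
    return {(int(hi, 16), int(lo, 16)): name for name, hi, lo in ENTRY.findall(text)}

XP = parse_suites(XP_TLS10)
# Suite ids for DES-CBC3-SHA, RC4-SHA and RC4-MD5, as listed in the table above.
TRIPLE_DES, RC4_SHA, RC4_MD5 = (0x00, 0x0A), (0x00, 0x05), (0x00, 0x04)

def negotiate(server_pref, client_ids):
    """Assumption: the server enforces its own order, so the first shared suite wins."""
    return next((s for s in server_pref if s in client_ids), None)

def audit_xp(server_pref):
    """Apply this page's required / recommended / reject labels to a server list."""
    plain = negotiate(server_pref, XP.keys())
    fips = negotiate(server_pref, {TRIPLE_DES})  # FIPS-mode XP: only 3DES, per the page
    findings = []
    if fips is None:
        findings.append("FIPS-mode XP clients cannot connect: DES-CBC3-SHA missing")
    if RC4_MD5 in server_pref:
        findings.append("RC4-MD5 enabled: page says reject")
    if plain is None:
        findings.append("no suite in common with IE on XP")
    elif plain != RC4_SHA:
        findings.append("non-FIPS XP clients negotiate %s, not RC4-SHA" % XP[plain])
    return {"xp": XP.get(plain), "xp_fips": XP.get(fips), "findings": findings}

# Constructed server preference lists (IANA ids); 0x2F and 0x35 are the RSA AES-CBC-SHA suites.
AES_ONLY = [(0x00, 0x2F), (0x00, 0x35)]
PAGE_POLICY = [(0x00, 0x2F), RC4_SHA, TRIPLE_DES]
LEGACY = [RC4_MD5, TRIPLE_DES]

if __name__ == "__main__":
    for label, pref in [("aes-only", AES_ONLY), ("page-policy", PAGE_POLICY), ("legacy", LEGACY)]:
        print(label, audit_xp(pref))
```
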