IE Supported Cipher Suites

Nick Galbreath edited this page Jul 25, 2013 · 4 revisions

Summary: SSL cipher suite support on Internet Explorer depends both on the version of IE and on the version of the operating system. Internet Explorer 8 is crippled if it runs on Windows XP.

AES- and ECDHE-based suites are available if IE >= 7 AND OS >= Windows Vista. AES does not exist with IE8 on WinXP.

There are only three "strong" cipher suites that can be used to ensure compatibility with Windows XP:

  1. DES-CBC3-SHA (required)
  2. RC4-SHA (recommended)
  3. RC4-MD5 (reject)

DES-CBC3-SHA unfortunately allows the BEAST attack and is very slow. However, some XP machines are configured to be "FIPS Compliant", and ONLY this cipher will be used on them. It's not clear how widespread the configuration of "Windows XP + FIPS + Internet Explorer" is, but for maximum compatibility this cipher suite is required.

RC4-SHA: In general, RC4 is looking fragile, but in the context of SSL it is still considered secure (for now, anyway). It eliminates the BEAST attack and is ~5x faster than DES-CBC3-SHA.

RC4-MD5: This uses MD5, which is more or less obsolete cryptographically. Also, it appears that if RC4-MD5 is accepted, then RC4-SHA is also accepted. Therefore, this cipher can be rejected.
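The required/recommended/reject classification above can be checked against a server's cipher list. The following is an added example, not part of the original page: it assumes the server picks the first suite in its own preference order that the client offers, and the XP profiles contain only the suites this page names (the IE10 profile uses the list further down this page).

```python
# Added example: audit a server cipher preference list against the IE client
# profiles described on this page. Assumes server-preference negotiation.

# Client profiles, using the OpenSSL-style suite names from this page.
CLIENTS = {
    "IE7/8 on Windows XP": ["DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"],
    "IE on Windows XP, FIPS mode": ["DES-CBC3-SHA"],
    "IE10": [
        "AES128-SHA", "AES256-SHA", "RC4-SHA", "DES-CBC3-SHA",
        "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
        "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
        "DHE-DSS-AES128-SHA", "DHE-DSS-AES256-SHA",
        "EDH-DSS-DES-CBC3-SHA", "RC4-MD5",
    ],
}

def negotiate(server_prefs, client_suites):
    """Return the first suite in server order that the client offers, else None."""
    offered = set(client_suites)
    return next((s for s in server_prefs if s in offered), None)

def audit(server_prefs):
    """Return (negotiated suite per client profile, list of findings)."""
    results = {name: negotiate(server_prefs, suites)
               for name, suites in CLIENTS.items()}
    findings = []
    if "DES-CBC3-SHA" not in server_prefs:
        findings.append("DES-CBC3-SHA missing: FIPS-mode XP clients cannot connect")
    if "RC4-MD5" in server_prefs:
        findings.append("RC4-MD5 enabled: can be rejected, RC4-SHA covers the same clients")
    # Ordering check follows this page's guidance (RC4-SHA recommended for XP).
    if ("RC4-SHA" in server_prefs and "DES-CBC3-SHA" in server_prefs
            and server_prefs.index("DES-CBC3-SHA") < server_prefs.index("RC4-SHA")):
        findings.append("DES-CBC3-SHA ranked above RC4-SHA: XP clients get the "
                        "slower, BEAST-exposed suite")
    return results, findings

if __name__ == "__main__":
    # Constructed sample server configuration, most preferred first.
    sample = ["ECDHE-RSA-AES128-SHA", "AES128-SHA", "DES-CBC3-SHA",
              "RC4-SHA", "RC4-MD5"]
    results, findings = audit(sample)
    for client, suite in results.items():
        print(f"{client}: {suite or 'handshake fails'}")
    for finding in findings:
        print("finding:", finding)
```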

Internet Explorer 10

http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

AES128-SHA
AES256-SHA
RC4-SHA
DES-CBC3-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
DHE-DSS-AES128-SHA
DHE-DSS-AES256-SHA
EDH-DSS-DES-CBC3-SHA
RC4-MD5

Internet Explorer 7+8+9 Windows Vista and higher

Again, IE uses the OS's crypto suite. IE9 minimum requirement is Vista, so

http://msdn.microsoft.com/en-us/library/ff468651%28VS.85%29.aspx

According to http://blogs.technet.com/b/steriley/archive/2007/11/06/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista.aspx IE7's supported cipher suites are:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL_CK_RC4_128_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA

Internet Explorer 7, 8 Windows XP

IE8 is the last version of IE to run on Windows XP. It appears to use the OS's crypto libraries.

http://stackoverflow.com/questions/97421/does-ie6-support-aes-256-bit-encryption

IE7 and IE8 support AES but only on Vista or better. I've confirmed that they don't on Windows XP. Best IE8 on XP does is RC4 or 3DES.

NT 4.0

http://support.microsoft.com/kb/245030

For SSL v3:

SSL_RSA_EXPORT_WITH_RC4_40_MD5	{ 0x00,0x03 }
SSL_RSA_WITH_RC4_128_MD5	{ 0x00,0x04 }
SSL_RSA_WITH_RC4_128_SHA	{ 0x00,0x05 }
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5	{ 0x00,0x06 }
SSL_RSA_WITH_DES_CBC_SHA	{ 0x00,0x09 }
SSL_RSA_WITH_3DES_EDE_CBC_SHA	{ 0x00,0x0A }
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA	{ 0x00,0x62 }
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA	{ 0x00,0x64 }

For TLS 1.0:

TLS_RSA_EXPORT_WITH_RC4_40_MD5	{ 0x00,0x03 }
TLS_RSA_WITH_RC4_128_MD5	{ 0x00,0x04 }
TLS_RSA_WITH_RC4_128_SHA	{ 0x00,0x05 }
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	{ 0x00,0x06 }
TLS_RSA_WITH_DES_CBC_SHA	{ 0x00,0x09 }
TLS_RSA_WITH_3DES_EDE_CBC_SHA	{ 0x00,0x0A }
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA	{ 0x00,0x62 }
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA	{ 0x00,0x64 }