Supported Load Balancer Ciphers
View the ciphers supported by the Load Balancer service by TLS.
When available, the version 3 of a cipher suite is recommended instead of the version 1.
TLS 1.3
Certificate | Cipher Suite | Key Exchange | Encryption | Bits | Cipher Suite Name (IANA) |
---|---|---|---|---|---|
AES_128_GCM_SHA256 | 0x13, 0x01 | AES | AESGCM | 128 | TLS_AES_128_GCM_SHA256 |
AES_256_GCM_SHA384 | 0x13, 0x02 | AES | AESGCM | 256 | TLS_AES_256_GCM_SHA384 |
CHACHA20_POLY1305_SHA256 | 0x13, 0x03 | CHACHA20 | CHACHA20 POLY1305 | 256 | TLS_CHACHA20_POLY1305_SHA256 |
AES_128_CCM_SHA256 | 0x13, 0x04 | AES | AESCCM | 128 | TLS_AES_128_CCM_SHA256 |
AES_128_CCM_8_SHA256 | 0x13, 0x05 | AES | AESCCM | 128 | TLS_AES_128_CCM_8_SHA256 |
TLS 1.2
Certificate | Cipher Suite | Key Exchange | Encryption | Bits | Cipher Suite Name (IANA) |
---|---|---|---|---|---|
ECDHE-ECDSA-CHACHA20-POLY1305 | [0xCC, 0xA9] | ECDH | CHACHA20 POLY1305 | 256 | TLS_ECDHE_ECDSA_CHACHA20_POLY1305 |
ECDHE-RSA-CHACHA20-POLY1305 | [0xCC, 0xA8] | ECDH | CHACHA20 POLY1305 | 256 | TLS_ECDHE_RSA_CHACHA20_POLY1305 |
ECDHE-ECDSA-AES256-CCM | [0xC0, 0xAD] | ECDH | AESGCM | 256 | TLS_ECDHE_ECDSA_AES256_CCM |
ECDHE-ECDSA-AES128-CCM | [0xC0, 0xAC] | ECDH | AESGCM | 128 | TLS_ECDHE_ECDSA_AES128_CCM |
ECDHE-ECDSA-AES128-GCM-SHA256 | [0xc02b] | ECDH | AESGCM | 128 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
ECDHE-RSA-AES128-GCM-SHA256 | [0xc02f] | ECDH | AESGCM | 128 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
ECDHE-ECDSA-AES128-SHA256 | [0xc023] | ECDH | AES | 128 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
ECDHE-RSA-AES128-SHA256 | [0xc027] | ECDH | AES | 128 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
ECDHE-ECDSA-AES256-GCM-SHA384 | [0xc02c] | ECDH | AESGCM | 256 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
ECDHE-RSA-AES256-GCM-SHA384 | [0xc030] | ECDH | AESGCM | 256 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
ECDHE-ECDSA-AES256-SHA384 | [0xc024] | ECDH | AES | 256 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
ECDHE-RSA-AES256-SHA384 | [0xc028] | ECDH | AES | 256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
AES128-GCM-SHA256 | [0x9c] | RSA | AESGCM | 128 | TLS_RSA_WITH_AES_128_GCM_SHA256 |
AES128-SHA256 | [0x3c] | RSA | AES | 128 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
AES256-GCM-SHA384 | [0x9d] | RSA | AESGCM | 256 | TLS_RSA_WITH_AES_256_GCM_SHA384 |
AES256-SHA256 | [0x3d] | RSA | AES | 256 | TLS_RSA_WITH_AES_256_CBC_SHA256 |
DHE-RSA-AES256-GCM-SHA384 | [0x9f] | DH | AESGCM | 256 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
DHE-RSA-AES256-SHA256 | [0x6b] | DH | AES | 256 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
DHE-RSA-AES128-GCM-SHA256 | [0x9e] | DH | AESGCM | 128 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
DHE-RSA-AES128-SHA256 | [0x67] | DH | AES | 128 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
DH-DSS-AES256-GCM-SHA384 | [0xa5] | DH/DSS | AESGCM | 256 | TLS_DH_DSS_WITH_AES_256_GCM_SHA384 |
DHE-DSS-AES256-GCM-SHA384 | [0xa3] | DH | AESGCM | 256 | TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 |
DH-RSA-AES256-GCM-SHA384 | [0xa1] | DH/RSA | AESGCM | 256 | TLS_DH_RSA_WITH_AES_256_GCM_SHA384 |
DHE-DSS-AES256-SHA256 | [0x6a] | DH | AES | 256 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
DH-RSA-AES256-SHA256 | [0x69] | DH/RSA | AES | 256 | TLS_DH_RSA_WITH_AES_256_CBC_SHA256 |
DH-DSS-AES256-SHA256 | [0x68] | DH/DSS | AES | 256 | TLS_DH_DSS_WITH_AES_256_CBC_SHA256 |
ECDH-RSA-AES256-GCM-SHA384 | [0xc032] | ECDH/RSA | AESGCM | 256 | TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 |
ECDH-ECDSA-AES256-GCM-SHA384 | [0xc02e] | ECDH/ECDSA | AESGCM | 256 | TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 |
ECDH-RSA-AES256-SHA384 | [0xc02a] | ECDH/RSA | AES | 256 | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 |
ECDH-ECDSA-AES256-SHA384 | [0xc026] | ECDH/ECDSA | AES | 256 | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 |
DH-DSS-AES128-GCM-SHA256 | [0xa4] | DH/DSS | AESGCM | 128 | TLS_DH_DSS_WITH_AES_128_GCM_SHA256 |
DHE-DSS-AES128-GCM-SHA256 | [0xa2] | DH | AESGCM | 128 | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 |
DH-RSA-AES128-GCM-SHA256 | [0xa0] | DH/RSA | AESGCM | 128 | TLS_DH_RSA_WITH_AES_128_GCM_SHA256 |
DHE-DSS-AES128-SHA256 | [0x40] | DH | AES | 128 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
DH-RSA-AES128-SHA256 | [0x3f] | DH/RSA | AES | 128 | TLS_DH_RSA_WITH_AES_128_CBC_SHA256 |
DH-DSS-AES128-SHA256 | [0x3e] | DH/DSS | AES | 128 | TLS_DH_DSS_WITH_AES_128_CBC_SHA256 |
ECDH-RSA-AES128-GCM-SHA256 | [0xc031] | ECDH/RSA | AESGCM | 128 | TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 |
ECDH-ECDSA-AES128-GCM-SHA256 | [0xc02d] | ECDH/ECDSA | AESGCM | 128 | TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 |
ECDH-RSA-AES128-SHA256 | [0xc029] | ECDH/RSA | AES | 128 | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 |
ECDH-ECDSA-AES128-SHA256 | [0xc025] | ECDH/ECDSA | AES | 128 | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 |
TLS 1.0/1.1 Ciphers Supported by TLS 1.2
Certificate | Cipher Suite | Key Exchange | Encryption | Bits | Cipher Suite Name (IANA) |
---|---|---|---|---|---|
ECDHE-ECDSA-AES128-SHA | [0xc009] | ECDH | AES | 128 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
ECDHE-RSA-AES128-SHA | [0xc013] | ECDH | AES | 128 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
ECDHE-RSA-AES256-SHA | [0xc014] | ECDH | AES | 256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
ECDHE-ECDSA-AES256-SHA | [0xc00a] | ECDH | AES | 256 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
AES128-SHA | [0x2f] | RSA | AES | 128 | TLS_RSA_WITH_AES_128_CBC_SHA |
AES256-SHA | [0x35] | RSA | AES | 256 | TLS_RSA_WITH_AES_256_CBC_SHA |
DHE-RSA-AES128-SHA | [0x33] | DH | AES | 128 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
DHE-RSA-CAMELLIA256-SHA | [0x88] | DH | Camellia | 256 | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA |
DHE-RSA-CAMELLIA128-SHA | [0x45] | DH | Camellia | 128 | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA |
DHE-DSS-CAMELLIA256-SHA | [0x87] | DH | Camellia | 256 | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA |
DHE-DSS-CAMELLIA128-SHA | [0x44] | DH | Camellia | 128 | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA |
DHE-RSA-SEED-SHA | [0x9a] | DH | SEED | 128 | TLS_DHE_RSA_WITH_SEED_CBC_SHA |
DHE-DSS-SEED-SHA | [0x99] | DH | SEED | 128 | TLS_DHE_DSS_WITH_SEED_CBC_SHA |
DH-RSA-SEED-SHA | [0x98] | DH/RSA | SEED | 128 | TLS_DH_RSA_WITH_SEED_CBC_SHA |
DH-DSS-SEED-SHA | [0x97] | DH/DSS | SEED | 128 | TLS_DH_DSS_WITH_SEED_CBC_SHA |
DHE-RSA-AES256-SHA | [0x39] | DH | AES | 256 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
DHE-DSS-AES256-SHA | [0x38] | DH | AES | 256 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
DH-RSA-AES256-SHA | |||||
DH-DSS-AES256-SHA | [0x36] | DH/DSS | AES | 256 | TLS_DH_DSS_WITH_AES_256_CBC_SHA |
DH-RSA-CAMELLIA256-SHA | [0x86] | DH/RSA | Camellia | 256 | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA |
DH-DSS-CAMELLIA256-SHA | [0x85] | DH/DSS | Camellia | 256 | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA |
ECDH-RSA-AES256-SHA | [0xc00f] | ECDH/RSA | AES | 256 | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA |
ECDH-ECDSA-AES256-SHA | [0xc005] | ECDH/ECDSA | AES | 256 | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |
CAMELLIA256-SHA | [0x84] | RSA | Camellia | 256 | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA |
PSK-AES256-CBC-SHA | [0x8d] | PSK | AES | 256 | TLS_PSK_WITH_AES_256_CBC_SHA |
DHE-DSS-AES128-SHA | [0x32] | DH | AES | 128 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
DH-RSA-AES128-SHA | [0x31] | DH/RSA | AES | 128 | TLS_DH_RSA_WITH_AES_128_CBC_SHA |
DH-DSS-AES128-SHA | [0x30] | DH/DSS | AES | 128 | TLS_DH_DSS_WITH_AES_128_CBC_SHA |
DH-RSA-CAMELLIA128-SHA | [0x43] | DH/RSA | Camellia | 128 | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA |
DH-DSS-CAMELLIA128-SHA | [0xbb] | DH/DSS | Camellia | 128 | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 |
ECDH-RSA-AES128-SHA | [0xc00e] | ECDH/RSA | AES | 128 | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA |
ECDH-ECDSA-AES128-SHA | [0xc004] | ECDH/ECDSA | AES | 128 | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA |
SEED-SHA | [0x96] | RSA | SEED | 128 | TLS_RSA_WITH_SEED_CBC_SHA |
CAMELLIA128-SHA | |||||
PSK-AES128-CBC-SHA | [0x8c] | PSK | AES | 128 | TLS_PSK_WITH_AES_128_CBC_SHA |
DES-CBC3-SHA | [0x0701c0] | RSA | 3DES | 168 | SSL_CK_DES_192_EDE3_CBC_WITH_SHA |
IDEA-CBC-SHA | [0x07] | RSA | IDEA | 128 | TLS_RSA_WITH_IDEA_CBC_SHA |
ECDHE-RSA-DES-CBC3-SHA | [0xc012] | ECDH | 3DES | 168 | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
ECDHE-ECDSA-DES-CBC3-SHA | [0xc008] | ECDH | 3DES | 168 | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
DHE-RSA-DES-CBC3-SHA | |||||
DHE-DSS-DES-CBC3-SHA | |||||
DH-RSA-DES-CBC3-SHA | [0x10] | DH/RSA | 3DES | 168 | TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA |
DH-DSS-DES-CBC3-SHA | [0x0d] | DH/DSS | 3DES | 168 | TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA |
ECDH-RSA-DES-CBC3-SHA | [0xc00d] | ECDH/RSA | 3DES | 168 | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA |
ECDH-ECDSA-DES-CBC3-SHA | [0xc003] | ECDH/ECDSA | 3DES | 168 | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA |
PSK-3DES-EDE-CBC-SHA | [0x8b] | PSK | 3DES | 168 | TLS_PSK_WITH_3DES_EDE_CBC_SHA |
KRB5-IDEA-CBC-SHA | [0x21] | KRB5 | IDEA | 128 | TLS_KRB5_WITH_IDEA_CBC_SHA |
KRB5-DES-CBC3-SHA | [0x1f] | KRB5 | 3DES | 168 | TLS_KRB5_WITH_3DES_EDE_CBC_SHA |
KRB5-IDEA-CBC-MD5 | [0x25] | KRB5 | IDEA | 128 | TLS_KRB5_WITH_IDEA_CBC_MD5 |
KRB5-DES-CBC3-MD5 | [0x23] | KRB5 | 3DES | 168 | TLS_KRB5_WITH_3DES_EDE_CBC_MD5 |
ECDHE-RSA-RC4-SHA | [0xc011] | ECDH | RC4 | 128 | TLS_ECDHE_RSA_WITH_RC4_128_SHA |
ECDHE-ECDSA-RC4-SHA | [0xc007] | ECDH | RC4 | 128 | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA |
ECDH-RSA-RC4-SHA | [0xc00c] | ECDH/RSA | RC4 | 128 | TLS_ECDH_RSA_WITH_RC4_128_SHA |
ECDH-ECDSA-RC4-SHA | [0xc002] | ECDH/ECDSA | RC4 | 128 | TLS_ECDH_ECDSA_WITH_RC4_128_SHA |
RC4-SHA | [0x05] | RSA | RC4 | 128 | TLS_RSA_WITH_RC4_128_SHA |
RC4-MD5 | [0x04] | RSA | RC4 | 128 | TLS_RSA_WITH_RC4_128_MD5 |
PSK-RC4-SHA | [0x8a] | PSK | RC4 | 128 | TLS_PSK_WITH_RC4_128_SHA |
KRB5-RC4-SHA | [0x20] | KRB5 | RC4 | 128 | TLS_KRB5_WITH_RC4_128_SHA |
KRB5-RC4-MD5 | [0x24] | KRB5 | RC4 | 128 | TLS_KRB5_WITH_RC4_128_MD5 |
Deprecated Ciphers
Starting August 15, 2024, the Oracle Cloud Infrastructure Load Balancer service no longer supports the following legacy ciphers. This change applies to existing and new TLS-enabled load balancers.
-
DHE-DSS-AES256-GCM-SHA384
-
DHE-DSS-AES256-SHA256
-
ECDH-RSA-AES256-GCM-SHA384
-
ECDH-ECDSA-AES256-GCM-SHA384
-
ECDH-RSA-AES256-SHA384
-
ECDH-ECDSA-AES256-SHA384
-
DHE-DSS-AES128-GCM-SHA256
-
DHE-DSS-AES128-SHA256
-
ECDH-RSA-AES128-GCM-SHA256
-
ECDH-ECDSA-AES128-GCM-SHA256
-
ECDH-RSA-AES128-SHA256
-
ECDH-ECDSA-AES128-SHA256
-
IDEA-CBC-SHA
-
RC4-MD5
If you plan to use TLS v1.3 protocol with either a backend set or a listener on the same load balancer, you can't use any custom cipher suites that contains any of these deprecated ciphers.