Cipher suites: same name, different IDs, why?

Clash Royale CLAN TAG#URR8PPP

up vote
3
down vote

favorite

Sorry if I missed with a community to ask.

Recently I stumbled on a fact that the same cipher suite can be designated by two different IDs, and this is not a typo nor single occasion.

For instance:
http://www.thesprawl.org/research/tls-and-ssl-cipher-suites

• TLS_ECDH_ECDSA_WITH_NULL_SHA is 0x0047 and 0xC001
  


• TLS_ECDH_ECDSA_WITH_RC4_128_SHA is 0x0048 and 0xC002
  


• SSL_RSA_FIPS_WITH_DES_CBC_SHA is 0xFEFE and 0xFFE1
  


• SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is 0xFEFF and 0xFFE0
  

And few others more, like TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA and TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA.

So, the question is: why two codes are used to designate the same cipher suite? Is it a marker of legacy (broken?) implementation to distinguish? Or just a merge of two standards? Or something else?

tls ciphersuite

share|improve this question

edited 2 hours ago

kelalaka

2,199522

asked 3 hours ago

Yury Schkatula

1163

New contributor

Yury Schkatula is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  TLS fingerprints. 0x0047 0%, 0xc001 0.07%
  – kelalaka
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Only pocketbeat uses 0x0047 and it is belong to Elasticsearch and all your first numbers belongs to them. Here a list from IBM
  – kelalaka
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  It should be noted that all 4 of those examples are deprecated and should not be used
  – Richie Frame
  1 hour ago
  

  
  
  
  

add a comment | 

up vote
3
down vote

favorite

Sorry if I missed with a community to ask.

Recently I stumbled on a fact that the same cipher suite can be designated by two different IDs, and this is not a typo nor single occasion.

For instance:
http://www.thesprawl.org/research/tls-and-ssl-cipher-suites

• TLS_ECDH_ECDSA_WITH_NULL_SHA is 0x0047 and 0xC001
  


• TLS_ECDH_ECDSA_WITH_RC4_128_SHA is 0x0048 and 0xC002
  


• SSL_RSA_FIPS_WITH_DES_CBC_SHA is 0xFEFE and 0xFFE1
  


• SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is 0xFEFF and 0xFFE0
  

And few others more, like TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA and TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA.

So, the question is: why two codes are used to designate the same cipher suite? Is it a marker of legacy (broken?) implementation to distinguish? Or just a merge of two standards? Or something else?

tls ciphersuite

share|improve this question

edited 2 hours ago

kelalaka

2,199522

asked 3 hours ago

Yury Schkatula

1163

New contributor

Yury Schkatula is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  TLS fingerprints. 0x0047 0%, 0xc001 0.07%
  – kelalaka
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Only pocketbeat uses 0x0047 and it is belong to Elasticsearch and all your first numbers belongs to them. Here a list from IBM
  – kelalaka
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  It should be noted that all 4 of those examples are deprecated and should not be used
  – Richie Frame
  1 hour ago
  

  
  
  
  

add a comment | 

up vote
3
down vote

favorite

up vote
3
down vote

favorite

Sorry if I missed with a community to ask.

Recently I stumbled on a fact that the same cipher suite can be designated by two different IDs, and this is not a typo nor single occasion.

For instance:
http://www.thesprawl.org/research/tls-and-ssl-cipher-suites

• TLS_ECDH_ECDSA_WITH_NULL_SHA is 0x0047 and 0xC001
  


• TLS_ECDH_ECDSA_WITH_RC4_128_SHA is 0x0048 and 0xC002
  


• SSL_RSA_FIPS_WITH_DES_CBC_SHA is 0xFEFE and 0xFFE1
  


• SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is 0xFEFF and 0xFFE0
  

And few others more, like TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA and TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA.

So, the question is: why two codes are used to designate the same cipher suite? Is it a marker of legacy (broken?) implementation to distinguish? Or just a merge of two standards? Or something else?

tls ciphersuite

share|improve this question

edited 2 hours ago

kelalaka

2,199522

asked 3 hours ago

Yury Schkatula

1163

New contributor

Yury Schkatula is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

Sorry if I missed with a community to ask.

Recently I stumbled on a fact that the same cipher suite can be designated by two different IDs, and this is not a typo nor single occasion.

For instance:
http://www.thesprawl.org/research/tls-and-ssl-cipher-suites

• TLS_ECDH_ECDSA_WITH_NULL_SHA is 0x0047 and 0xC001
  


• TLS_ECDH_ECDSA_WITH_RC4_128_SHA is 0x0048 and 0xC002
  


• SSL_RSA_FIPS_WITH_DES_CBC_SHA is 0xFEFE and 0xFFE1
  


• SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is 0xFEFF and 0xFFE0
  

And few others more, like TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA and TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA.

So, the question is: why two codes are used to designate the same cipher suite? Is it a marker of legacy (broken?) implementation to distinguish? Or just a merge of two standards? Or something else?

tls ciphersuite

tls ciphersuite

share|improve this question

edited 2 hours ago

kelalaka

2,199522

asked 3 hours ago

Yury Schkatula

1163

New contributor

Yury Schkatula is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

edited 2 hours ago

kelalaka

2,199522

asked 3 hours ago

Yury Schkatula

1163

New contributor

Yury Schkatula is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

share|improve this question

edited 2 hours ago

kelalaka

2,199522

edited 2 hours ago

kelalaka

2,199522

edited 2 hours ago

kelalaka

2,199522

2,199522

asked 3 hours ago

Yury Schkatula

1163

New contributor

Yury Schkatula is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 3 hours ago

Yury Schkatula

1163

asked 3 hours ago

Yury Schkatula

1163

1163

New contributor

Yury Schkatula is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

New contributor

Yury Schkatula is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

Yury Schkatula is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  TLS fingerprints. 0x0047 0%, 0xc001 0.07%
  – kelalaka
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Only pocketbeat uses 0x0047 and it is belong to Elasticsearch and all your first numbers belongs to them. Here a list from IBM
  – kelalaka
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  It should be noted that all 4 of those examples are deprecated and should not be used
  – Richie Frame
  1 hour ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  TLS fingerprints. 0x0047 0%, 0xc001 0.07%
  – kelalaka
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Only pocketbeat uses 0x0047 and it is belong to Elasticsearch and all your first numbers belongs to them. Here a list from IBM
  – kelalaka
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  It should be noted that all 4 of those examples are deprecated and should not be used
  – Richie Frame
  1 hour ago
  

  
  
  
  

TLS fingerprints. 0x0047 0%, 0xc001 0.07%
– kelalaka
2 hours ago

TLS fingerprints. 0x0047 0%, 0xc001 0.07%
– kelalaka
2 hours ago

Only pocketbeat uses 0x0047 and it is belong to Elasticsearch and all your first numbers belongs to them. Here a list from IBM
– kelalaka
2 hours ago

Only pocketbeat uses 0x0047 and it is belong to Elasticsearch and all your first numbers belongs to them. Here a list from IBM
– kelalaka
2 hours ago

1

1

It should be noted that all 4 of those examples are deprecated and should not be used
– Richie Frame
1 hour ago

It should be noted that all 4 of those examples are deprecated and should not be used
– Richie Frame
1 hour ago

add a comment | 

1 Answer
1

active

oldest

votes

up vote
3
down vote

These numbers belong to ElasticSeach;

• TLS_ECDH_ECDSA_WITH_NULL_SHA is 0x0047
  


• TLS_ECDH_ECDSA_WITH_RC4_128_SHA is 0x0048


• SSL_RSA_FIPS_WITH_DES_CBC_SHA is 0xFEFE


• SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is 0xFEFF
  

and 0x0047 has almost 0% at tlsfingerprint.io

The second numbers (0xC001,0xC001,0xFFE1,0xFFE0) belong to SSL V2.

The implementations can have different control by the maintainers, therefore it is good to have different numbers. It is bad that your original source doesn't list where they took the numbers.

share|improve this answer

answered 1 hour ago

kelalaka

2,199522

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

Yury Schkatula is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63635%2fcipher-suites-same-name-different-ids-why%23new-answer', 'question_page');

);

Post as a guest

Name Email

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
3
down vote

These numbers belong to ElasticSeach;

• TLS_ECDH_ECDSA_WITH_NULL_SHA is 0x0047
  


• TLS_ECDH_ECDSA_WITH_RC4_128_SHA is 0x0048


• SSL_RSA_FIPS_WITH_DES_CBC_SHA is 0xFEFE


• SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is 0xFEFF
  

and 0x0047 has almost 0% at tlsfingerprint.io

The second numbers (0xC001,0xC001,0xFFE1,0xFFE0) belong to SSL V2.

The implementations can have different control by the maintainers, therefore it is good to have different numbers. It is bad that your original source doesn't list where they took the numbers.

share|improve this answer

answered 1 hour ago

kelalaka

2,199522

add a comment | 

up vote
3
down vote

These numbers belong to ElasticSeach;

• TLS_ECDH_ECDSA_WITH_NULL_SHA is 0x0047
  


• TLS_ECDH_ECDSA_WITH_RC4_128_SHA is 0x0048


• SSL_RSA_FIPS_WITH_DES_CBC_SHA is 0xFEFE


• SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is 0xFEFF
  

and 0x0047 has almost 0% at tlsfingerprint.io

The second numbers (0xC001,0xC001,0xFFE1,0xFFE0) belong to SSL V2.

The implementations can have different control by the maintainers, therefore it is good to have different numbers. It is bad that your original source doesn't list where they took the numbers.

share|improve this answer

answered 1 hour ago

kelalaka

2,199522

add a comment | 

up vote
3
down vote

up vote
3
down vote

These numbers belong to ElasticSeach;

• TLS_ECDH_ECDSA_WITH_NULL_SHA is 0x0047
  


• TLS_ECDH_ECDSA_WITH_RC4_128_SHA is 0x0048


• SSL_RSA_FIPS_WITH_DES_CBC_SHA is 0xFEFE


• SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is 0xFEFF
  

and 0x0047 has almost 0% at tlsfingerprint.io

The second numbers (0xC001,0xC001,0xFFE1,0xFFE0) belong to SSL V2.

The implementations can have different control by the maintainers, therefore it is good to have different numbers. It is bad that your original source doesn't list where they took the numbers.

share|improve this answer

answered 1 hour ago

kelalaka

2,199522

These numbers belong to ElasticSeach;

• TLS_ECDH_ECDSA_WITH_NULL_SHA is 0x0047
  


• TLS_ECDH_ECDSA_WITH_RC4_128_SHA is 0x0048


• SSL_RSA_FIPS_WITH_DES_CBC_SHA is 0xFEFE


• SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is 0xFEFF
  

and 0x0047 has almost 0% at tlsfingerprint.io

The second numbers (0xC001,0xC001,0xFFE1,0xFFE0) belong to SSL V2.

The implementations can have different control by the maintainers, therefore it is good to have different numbers. It is bad that your original source doesn't list where they took the numbers.

share|improve this answer

answered 1 hour ago

kelalaka

2,199522

share|improve this answer

share|improve this answer

answered 1 hour ago

kelalaka

2,199522

answered 1 hour ago

kelalaka

2,199522

answered 1 hour ago

kelalaka

2,199522

2,199522

add a comment | 

add a comment | 

Yury Schkatula is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Yury Schkatula is a new contributor. Be nice, and check out our Code of Conduct.

Yury Schkatula is a new contributor. Be nice, and check out our Code of Conduct.

Yury Schkatula is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63635%2fcipher-suites-same-name-different-ids-why%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email