Mapping OpenSSL Cipher Suite Names to Official Names and RFCs

OpenSSL, and a lot of software that uses it (httpd, nginx, etc.), have their own cipher suite names. To map from the OpenSSL cipher suite name, such as:


1) Look up the ID

Use the OpenSSL ciphers(1) tool to look up the cryptographic suite selector code (2 hex values used to represent that cipher suite on the wire) for that suite name.

For example with the suite name above:

$ openssl ciphers -V | grep 'ECDHE-ECDSA-AES256-SHA384' | awk '{ print $1 }'


3) Cross reference with IANA list

Look that ID up in the IANA list of TLS parameters.

For the ID above you can find it was defined in RFC5289, and has the name:



More Detail On Cipher Suite Names

Official (RFC specified) cipher suite names follow the convention:

TLS_<key exchange and authentication algorithms>_WITH_<bulk cipher and message authentication algorithms>

For example TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 when broken down specifies a cipher suite combining the following:

OpenSSL can also help with this breakdown:

$ openssl ciphers -V | grep 'ECDHE-ECDSA-AES256-SHA384'

0xC0,0x24 - ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384

See the key exchange (Kx), authentication (Au), encryption (Enc) and message authentication code (Mac) fields.
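The lookup steps above can be scripted against the `-V` line layout. The following is an added example, not code from the original page. The function names are hypothetical, the sample `openssl ciphers -V` lines are constructed, and the registry excerpt is a hand-made "ID NAME REFERENCE" list rather than the IANA file format.

```shell
#!/bin/sh
# Constructed sample of `openssl ciphers -V` output (the 0xC0,0x24 line is the one shown above).
SAMPLE_CIPHERS='0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x24 - ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
0xC0,0x23 - ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256'

# Hand-made excerpt of the IANA TLS cipher suite registry, one "ID NAME REFERENCE" per line.
IANA_EXCERPT='0xC0,0x23 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 RFC5289
0xC0,0x24 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 RFC5289
0xC0,0x2C TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 RFC5289'

# suite_id NAME: read `openssl ciphers -V` output on stdin, print the wire ID.
# Exact match on field 3 avoids the substring hits a bare grep can give
# (a pattern such as AES256-SHA also matches AES256-SHA384 lines).
suite_id() {
    awk -v name="$1" '$3 == name { print $1; found = 1 } END { exit !found }'
}

# iana_name ID: print "NAME REFERENCE" for a wire ID found in the excerpt.
iana_name() {
    printf '%s\n' "$IANA_EXCERPT" |
        awk -v id="$1" 'toupper($1) == toupper(id) { print $2, $3; found = 1 }
                        END { exit !found }'
}

# map_suite NAME: OpenSSL name on argv, `-V` output on stdin.
# Prints "ID NAME REFERENCE"; returns non-zero if either lookup misses.
map_suite() {
    id=$(suite_id "$1") || { echo "unknown OpenSSL suite: $1" >&2; return 1; }
    official=$(iana_name "$id") || { echo "no registry entry for $id" >&2; return 1; }
    printf '%s %s\n' "$id" "$official"
}

# Demo on the constructed sample.
# On a live system: openssl ciphers -V | map_suite ECDHE-ECDSA-AES256-SHA384
printf '%s\n' "$SAMPLE_CIPHERS" | map_suite ECDHE-ECDSA-AES256-SHA384
```

To cover more suites, extend IANA_EXCERPT with entries taken from the IANA list of TLS parameters.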