Jump to
Stay tuned for
more insights
Follow us on
Null Ciphers Supported
NULL ciphers offer no true cryptographic data confidentiality. Instead of secure mathematical algorithms to protect data, null ciphers use predefined blocks of data to obfuscate plain-text. No protection is actually provided by null ciphers and should not be used in production environments where confidentiality is required.
These ciphers should only be used in isolated environments where latency is critical and other protections exist on data streams.
List of NULL Ciphers Suites (IANA and OpenSSL)
| Cipher Name (IANA) | Cipher Name (OpenSSL) | Value |
|---|---|---|
| TLS_NULL_WITH_NULL_NULL | N/A | 0x00,0x00 |
| TLS_RSA_WITH_NULL_MD5 | NULL-MD5 | 0x00,0x01 |
| TLS_RSA_WITH_NULL_SHA | NULL-SHA | 0x00,0x02 |
| TLS_PSK_WITH_NULL_SHA | PSK-NULL-SHA | 0x00,0x2C |
| TLS_DHE_PSK_WITH_NULL_SHA | DHE-PSK-NULL-SHA | 0x00,0x2D |
| TLS_RSA_PSK_WITH_NULL_SHA | RSA-PSK-NULL-SHA | 0x00,0x2E |
| TLS_RSA_WITH_NULL_SHA256 | NULL-SHA256 | 0x00,0x3B |
| TLS_PSK_WITH_NULL_SHA256 | N/A | 0x00,0xB0 |
| TLS_PSK_WITH_NULL_SHA384 | N/A | 0x00,0xB1 |
| TLS_DHE_PSK_WITH_NULL_SHA256 | N/A | 0x00,0xB4 |
| TLS_DHE_PSK_WITH_NULL_SHA384 | N/A | 0x00,0xB5 |
| TLS_RSA_PSK_WITH_NULL_SHA256 | N/A | 0x00,0xB8 |
| TLS_RSA_PSK_WITH_NULL_SHA384 | N/A | 0x00,0xB9 |
| TLS_ECDH_ECDSA_WITH_NULL_SHA | ECDH-ECDSA-NULL-SHA | 0xC0,0x01 |
| TLS_ECDHE_ECDSA_WITH_NULL_SHA | ECDHE-ECDSA-NULL-SHA | 0xC0,0x06 |
| TLS_ECDH_RSA_WITH_NULL_SHA | ECDH-RSA-NULL-SHA | 0xC0,0x0B |
| TLS_ECDHE_RSA_WITH_NULL_SHA | ECDHE-RSA-NULL-SHA | 0xC0,0x10 |
| TLS_ECDH_anon_WITH_NULL_SHA | AECDH-NULL-SHA | 0xC0,0x15 |
| TLS_ECDHE_PSK_WITH_NULL_SHA | ECDHE-PSK-NULL-SHA | 0xC0,0x39 |
| TLS_ECDHE_PSK_WITH_NULL_SHA256 | ECDHE-PSK-NULL-SHA256 | 0xC0,0x3A |
| TLS_ECDHE_PSK_WITH_NULL_SHA384 | ECDHE-PSK-NULL-SHA384 | 0xC0,0x3B |
Remediation
Virtue Security recommends that NULL ciphers are explicitly disabled. Additionally, support of NULL cipher suites often highlights a more severe problem of software which is significantly out of date which poses a broader systemic risk to the organization.
