[Transport Layer Security (TLS) Parameters]
Registries Included Below
Yoav Nir, Rich Salz, Nick Sullivan
If the "Specification Required" [RFC8126] procedure applies, registration requests can be sent to iana@iana.org or submitted via IANA's [application form], per [RFC9847]. IANA will forward the submission to the expert mailing list described in [RFC 8447, Section 17] and track its progress. See the registration procedure table below for more information.
The role of the designated expert is described in [RFC8447].The designated expert [RFC8126] ensures that the specification ispublicly available. It is sufficient to have an Internet-Draft(that is posted and never published as an RFC) or a document fromanother standards body, industry consortium, university site, etc.The expert may provide more in-depth reviews, but their approvalshould not be taken as an endorsement of the extension.
As specified in [RFC8126], assignments made in the Private Usespace are not generally useful for broad interoperability. It isthe responsibility of those making use of the Private Use range toensure that no conflicts occur (within the intended scope of use).For widespread experiments, temporary reservations are available.
If the "Recommended" column is set to "N", it does not necessarily mean that it is flawed; rather, it indicates that the item either has not been through the IETF consensus process, has limited applicability, or is intended only for specific use cases. If the "Recommended" column is set to "D," the item is discouraged and SHOULD NOT or MUST NOT be used, depending upon the situation; consult the item's references for clarity.
Abbreviations that may appear in the "TLS 1.3" field include "CH" (ClientHello), "SH" (ServerHello), "EE" (EncryptedExtensions), "CT" (Certificate), "CR" (CertificateRequest), "NST" (NewSessionTicket), and "HRR" (HelloRetryRequest).
The addition of the "CR" to the "TLS 1.3" column for theserver_name(0) extension only marks the extension as valid in a ClientCertificateRequest created as part of client-generatedauthenticator requests.
Any TLS entry added after the IESG approves publication of [RFC-ietf-tls-tls12-frozen-08] is intended for TLS 1.3 or later, and makes no similar requirementon DTLS. Such entries should have an informal indication like "For TLS 1.3 or later" in that entry, such as the "Comment" column.
| Range | Registration Procedures |
|---|---|
| "Recommended" set to/transitioning from "Y" or "D" | Either Standards Action With Expert Review or IESG Approval |
| "Recommended" set to "N," not transitioning from another value | Specification Required |
| Value | Extension Name | TLS 1.3 | DTLS-Only | Recommended | Reference | Comment |
|---|---|---|---|---|---|---|
| 0 | server_name | CH, EE, CR | N | Y | [RFC6066][RFC9261] | |
| 1 | max_fragment_length | CH, EE | N | N | [RFC6066][RFC8449] | |
| 2 | client_certificate_url | - | N | Y | [RFC6066] | |
| 3 | trusted_ca_keys | - | N | Y | [RFC6066] | |
| 4 | truncated_hmac | - | N | D | [RFC6066][IESG Action 2018-08-16][RFC9847][Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol] | |
| 5 | status_request | CH, CR, CT | N | Y | [RFC6066] | |
| 6 | user_mapping | - | N | Y | [RFC4681] | |
| 7 | client_authz | - | N | N | [RFC5878] | |
| 8 | server_authz | - | N | N | [RFC5878] | |
| 9 | cert_type | - | N | N | [RFC6091] | |
| 10 | supported_groups (renamed from "elliptic_curves") | CH, EE | N | Y | [RFC8422][RFC7919] | |
| 11 | ec_point_formats | - | N | Y | [RFC8422] | |
| 12 | srp | - | N | N | [RFC5054] | |
| 13 | signature_algorithms | CH, CR | N | Y | [RFC-ietf-tls-rfc8446bis-13] | |
| 14 | use_srtp | CH, EE | N | Y | [RFC5764] | |
| 15 | heartbeat | CH, EE | N | Y | [RFC6520] | |
| 16 | application_layer_protocol_negotiation | CH, EE | N | Y | [RFC7301] | |
| 17 | status_request_v2 | - | N | Y | [RFC6961] | |
| 18 | signed_certificate_timestamp | CH, CR, CT | N | N | [RFC6962] | |
| 19 | client_certificate_type | CH, EE | N | Y | [RFC7250] | |
| 20 | server_certificate_type | CH, EE | N | Y | [RFC7250] | |
| 21 | padding | CH | N | Y | [RFC7685] | |
| 22 | encrypt_then_mac | - | N | Y | [RFC7366] | |
| 23 | extended_main_secret | - | N | Y | [RFC7627][RFC-ietf-tls-rfc8446bis-13] | |
| 24 | token_binding | - | N | Y | [RFC8472] | |
| 25 | cached_info | - | N | Y | [RFC7924] | |
| 26 | tls_lts | - | N | N | [draft-gutmann-tls-lts-11] | |
| 27 | compress_certificate | CH, CR | N | Y | [RFC8879] | |
| 28 | record_size_limit | CH, EE | N | Y | [RFC8449] | |
| 29 | pwd_protect | CH | N | N | [RFC8492] | |
| 30 | pwd_clear | CH | N | N | [RFC8492] | |
| 31 | password_salt | CH, SH, HRR | N | N | [RFC8492] | |
| 32 | ticket_pinning | CH, EE | N | N | [RFC8672] | |
| 33 | tls_cert_with_extern_psk | CH, SH | N | N | [RFC-ietf-tls-8773bis-12] | |
| 34 | delegated_credential | CH, CR, CT | N | Y | [RFC9345] | |
| 35 | session_ticket (renamed from "SessionTicket TLS") | - | N | Y | [RFC5077][RFC8447] | |
| 36 | TLMSP | - | N | N | [ETSI TS 103 523-2] | |
| 37 | TLMSP_proxying | - | N | N | [ETSI TS 103 523-2] | |
| 38 | TLMSP_delegate | - | N | N | [ETSI TS 103 523-2] | |
| 39 | supported_ekt_ciphers | CH, EE | N | Y | [RFC8870] | |
| 40 | Reserved | D | [RFC9847][tls-reg-review mailing list] | |||
| 41 | pre_shared_key | CH, SH | N | Y | [RFC-ietf-tls-rfc8446bis-13] | |
| 42 | early_data | CH, EE, NST | N | Y | [RFC-ietf-tls-rfc8446bis-13] | |
| 43 | supported_versions | CH, SH, HRR | N | Y | [RFC-ietf-tls-rfc8446bis-13] | |
| 44 | cookie | CH, HRR | N | Y | [RFC-ietf-tls-rfc8446bis-13] | |
| 45 | psk_key_exchange_modes | CH | N | Y | [RFC-ietf-tls-rfc8446bis-13] | |
| 46 | Reserved | D | [RFC9847][tls-reg-review mailing list] | |||
| 47 | certificate_authorities | CH, CR | N | Y | [RFC-ietf-tls-rfc8446bis-13] | |
| 48 | oid_filters | CR | N | Y | [RFC-ietf-tls-rfc8446bis-13] | |
| 49 | post_handshake_auth | CH | N | Y | [RFC-ietf-tls-rfc8446bis-13] | |
| 50 | signature_algorithms_cert | CH, CR | N | Y | [RFC-ietf-tls-rfc8446bis-13] | |
| 51 | key_share | CH, SH, HRR | N | Y | [RFC-ietf-tls-rfc8446bis-13][RFC Errata 5483] | |
| 52 | transparency_info | CH, CR, CT | N | Y | [RFC9162] | |
| 53 | connection_id (deprecated) | - | Y | D | [RFC9146][RFC9847] | |
| 54 | connection_id | CH, SH | Y | N | [RFC9146] | |
| 55 | external_id_hash | CH, EE | N | Y | [RFC8844] | |
| 56 | external_session_id | CH, EE | N | Y | [RFC8844] | |
| 57 | quic_transport_parameters | CH, EE | N | Y | [RFC9001] | |
| 58 | ticket_request | CH, EE | N | Y | [RFC9149] | |
| 59 | dnssec_chain | CH, CT | N | N | [RFC9102][RFC Errata 6860] | |
| 60 | sequence_number_encryption_algorithms | CH, HRR, SH | Y | N | [draft-pismenny-tls-dtls-plaintext-sequence-number-01] | |
| 61 | rrc | CH, SH | Y | N | [RFC-ietf-tls-dtls-rrc-20] | |
| 62 | tls_flags | CH,SH,HRR,EE,CR,CT,NST | N | N | [draft-ietf-tls-tlsflags-14] | |
| 63-2569 | Unassigned | |||||
| 2570 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 2571-6681 | Unassigned | |||||
| 6682 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 6683-10793 | Unassigned | |||||
| 10794 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 10795-14905 | Unassigned | |||||
| 14906 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 14907-19017 | Unassigned | |||||
| 19018 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 19019-23129 | Unassigned | |||||
| 23130 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 23131-27241 | Unassigned | |||||
| 27242 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 27243-31353 | Unassigned | |||||
| 31354 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 31355-35465 | Unassigned | |||||
| 35466 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 35467-39577 | Unassigned | |||||
| 39578 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 39579-43689 | Unassigned | |||||
| 43690 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 43691-47801 | Unassigned | |||||
| 47802 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 47803-51913 | Unassigned | |||||
| 51914 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 51915-56025 | Unassigned | |||||
| 56026 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 56027-60137 | Unassigned | |||||
| 60138 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 60139-64249 | Unassigned | |||||
| 64250 | Reserved | CH, CR, NST | N | N | [RFC8701] | |
| 64251-64767 | Unassigned | |||||
| 64768 | ech_outer_extensions | CH | N | Y | [RFC-ietf-tls-esni-25] | Only appears in inner CH. |
| 64769-65036 | Unassigned | |||||
| 65037 | encrypted_client_hello | CH, HRR, EE | N | Y | [RFC-ietf-tls-esni-25] | |
| 65038-65279 | Unassigned | |||||
| 65280 | Reserved for Private Use | [RFC-ietf-tls-rfc8446bis-13] | ||||
| 65281 | renegotiation_info | - | N | Y | [RFC5746] | |
| 65282-65535 | Reserved for Private Use | [RFC-ietf-tls-rfc8446bis-13] |
Yoav Nir, Rich Salz, Nick Sullivan
If the "Specification Required" [RFC8126] procedure applies, registration requests can be sent to iana@iana.org or submitted via IANA's [application form], per [RFC9847]. IANA will forward the submission to the expert mailing list described in [RFC 8447, Section 17] and track its progress. See the registration procedure table below for more information.
The role of the designated expert is described in [RFC8447].The designated expert [RFC8126] ensures that the specification ispublicly available. It is sufficient to have an Internet-Draft(that is posted and never published as an RFC) or a document fromanother standards body, industry consortium, university site, etc.The expert may provide more in-depth reviews, but their approvalshould not be taken as an endorsement of the certificate type.
If the "Recommended" column is set to "N", it does not necessarily mean that it is flawed; rather, it indicates that the item either has not been through the IETF consensus process, has limited applicability, or is intended only for specific use cases. If the "Recommended" column is set to "D," the item is discouraged and SHOULD NOT or MUST NOT be used, depending upon the situation; consult the item's references for clarity.
Any TLS entry added after the IESG approves publication of [RFC-ietf-tls-tls12-frozen-08] is intended for TLS 1.3 or later, and makes no similar requirementon DTLS. Such entries should have an informal indication like "For TLS 1.3 or later" in that entry, such as the "Comment" column.
| Range | Registration Procedures |
|---|---|
| "Recommended" set to/transitioning from "Y" or "D" | Either Standards Action With Expert Review or IESG Approval |
| "Recommended" set to "N," not transitioning from another value | Specification Required |
| Value | Name | Recommended | Reference | Comment |
|---|---|---|---|---|
| 0 | X509 | Y | [RFC6091][RFC Errata 5976] | Was X.509 before TLS 1.3. |
| 1 | OpenPGP_RESERVED | N | [RFC6091][RFC-ietf-tls-rfc8446bis-13] | Used in TLS versions prior to 1.3. |
| 2 | Raw Public Key | Y | [RFC7250] | |
| 3 | 1609Dot2 | N | [RFC8902] | |
| 4-223 | Unassigned | |||
| 224-255 | Reserved for Private Use | [RFC6091] |
IETF Review
Any TLS entry added after the IESG approves publication of [RFC-ietf-tls-tls12-frozen-08] is intended for TLS 1.3 or later, and makes no similar requirementon DTLS. Such entries should have an informal indication like "For TLS 1.3 or later" in that entry, such as the "Comment" column.
| Value | Description | Reference | Comment |
|---|---|---|---|
| 0 | Reserved | [RFC6961] | |
| 1 | ocsp | [RFC6066][RFC6961] | |
| 2 | ocsp_multi_RESERVED | [RFC6961][RFC-ietf-tls-rfc8446bis-13] | Used in TLS versions prior to 1.3. |
| 3-255 | Unassigned |
Expert Review
Yoav Nir, Rich Salz, Nick Sullivan
Registration requests should be sent to iana@iana.org or submitted via IANA's [application form], per [RFC9847]. IANA will forward the request to the expert mailing list described in [RFC 8447, Section 17] and track its progress.
When this registry has an HTTP-specific version added or modified,the YANG module [iana-http-versions] must be updated as definedin [RFC-ietf-netconf-http-client-server-31].
| Protocol | Identification Sequence | Reference | Comment |
|---|---|---|---|
| Reserved | 0x0A 0x0A | [RFC8701] | |
| Reserved | 0x1A 0x1A | [RFC8701] | |
| Reserved | 0x2A 0x2A | [RFC8701] | |
| Reserved | 0x3A 0x3A | [RFC8701] | |
| Reserved | 0x4A 0x4A | [RFC8701] | |
| Reserved | 0x5A 0x5A | [RFC8701] | |
| Reserved | 0x6A 0x6A | [RFC8701] | |
| Reserved | 0x7A 0x7A | [RFC8701] | |
| Reserved | 0x8A 0x8A | [RFC8701] | |
| Reserved | 0x9A 0x9A | [RFC8701] | |
| Reserved | 0xAA 0xAA | [RFC8701] | |
| Reserved | 0xBA 0xBA | [RFC8701] | |
| Reserved | 0xCA 0xCA | [RFC8701] | |
| Reserved | 0xDA 0xDA | [RFC8701] | |
| Reserved | 0xEA 0xEA | [RFC8701] | |
| Reserved | 0xFA 0xFA | [RFC8701] | |
| HTTP/0.9 | 0x68 0x74 0x74 0x70 0x2f 0x30 0x2e 0x39 ("http/0.9") | [RFC1945] | |
| HTTP/1.0 | 0x68 0x74 0x74 0x70 0x2f 0x31 0x2e 0x30 ("http/1.0") | [RFC1945] | |
| HTTP/1.1 | 0x68 0x74 0x74 0x70 0x2f 0x31 0x2e 0x31 ("http/1.1") | [RFC9112] | |
| SPDY/1 | 0x73 0x70 0x64 0x79 0x2f 0x31 ("spdy/1") | [http://dev.chromium.org/spdy/spdy-protocol/spdy-protocol-draft1] | |
| SPDY/2 | 0x73 0x70 0x64 0x79 0x2f 0x32 ("spdy/2") | [http://dev.chromium.org/spdy/spdy-protocol/spdy-protocol-draft2] | |
| SPDY/3 | 0x73 0x70 0x64 0x79 0x2f 0x33 ("spdy/3") | [http://dev.chromium.org/spdy/spdy-protocol/spdy-protocol-draft3] | |
| Traversal Using Relays around NAT (TURN) | 0x73 0x74 0x75 0x6E 0x2E 0x74 0x75 0x72 0x6E ("stun.turn") | [RFC7443] | |
| NAT discovery using Session Traversal Utilities for NAT (STUN) | 0x73 0x74 0x75 0x6E 0x2E 0x6e 0x61 0x74 0x2d 0x64 0x69 0x73 0x63 0x6f 0x76 0x65 0x72 0x79 ("stun.nat-discovery") | [RFC7443] | |
| HTTP/2 over TLS | 0x68 0x32 ("h2") | [RFC9113] | |
| HTTP/2 over TCP | 0x68 0x32 0x63 ("h2c") | [RFC9113] | This entry reserves an identifier for use within a cleartext version of a protocol and is not allowed to appear in a TLS ALPN negotiation. |
| WebRTC Media and Data | 0x77 0x65 0x62 0x72 0x74 0x63 ("webrtc") | [RFC8833] | |
| Confidential WebRTC Media and Data | 0x63 0x2d 0x77 0x65 0x62 0x72 0x74 0x63 ("c-webrtc") | [RFC8833] | |
| FTP | 0x66 0x74 0x70 ("ftp") | [RFC959][RFC4217] | |
| IMAP | 0x69 0x6d 0x61 0x70 ("imap") | [RFC2595] | |
| POP3 | 0x70 0x6f 0x70 0x33 ("pop3") | [RFC2595] | |
| ManageSieve | 0x6d 0x61 0x6e 0x61 0x67 0x65 0x73 0x69 0x65 0x76 0x65 ("managesieve") | [RFC5804] | |
| CoAP (over TLS) | 0x63 0x6f 0x61 0x70 ("coap") | [RFC8323] | |
| CoAP (over DTLS) | 0x63 0x6f ("co") | [RFC7252][RFC-ietf-core-coap-dtls-alpn-05] | |
| XMPP jabber:client namespace | 0x78 0x6d 0x70 0x70 0x2d 0x63 0x6c 0x69 0x65 0x6e 0x74 ("xmpp-client") | [https://xmpp.org/extensions/xep-0368.html] | |
| XMPP jabber:server namespace | 0x78 0x6d 0x70 0x70 0x2d 0x73 0x65 0x72 0x76 0x65 0x72 ("xmpp-server") | [https://xmpp.org/extensions/xep-0368.html] | |
| acme-tls/1 | 0x61 0x63 0x6d 0x65 0x2d 0x74 0x6c 0x73 0x2f 0x31 ("acme-tls/1") | [RFC8737] | |
| OASIS Message Queuing Telemetry Transport (MQTT) | 0x6d 0x71 0x74 0x74 ("mqtt") | [http://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html] | |
| DNS-over-TLS | 0x64 0x6F 0x74 ("dot") | [RFC7858] | |
| Network Time Security Key Establishment, version 1 | 0x6E 0x74 0x73 0x6B 0x65 0x2F 0x31 ("ntske/1") | [RFC8915, Section 4] | |
| SunRPC | 0x73 0x75 0x6e 0x72 0x70 0x63 ("sunrpc") | [RFC9289] | |
| HTTP/3 | 0x68 0x33 ("h3") | [RFC9114] | |
| SMB2 | 0x73 0x6D 0x62 ("smb") | [https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5606ad47-5ee0-437a-817e-70c366052962] | |
| IRC | 0x69 0x72 0x63 ("irc") | [RFC1459] | |
| NNTP (reading) | 0x6E 0x6E 0x74 0x70 ("nntp") | [RFC3977] | |
| NNTP (transit) | 0x6E 0x6E 0x73 0x70 ("nnsp") | [RFC3977] | |
| DoQ | 0x64 0x6F 0x71 ("doq") | [RFC9250] | |
| SIP | 0x73 0x69 0x70 0x2f 0x32 ("sip/2") | [RFC3261] | |
| TDS/8.0 | 0x74 0x64 0x73 0x2f 0x38 0x2e 0x30 ("tds/8.0") | [[MS-TDS]: Tabular Data Stream Protocol] | |
| DICOM | 0x64 0x69 0x63 0x6f 0x6d ("dicom") | [https://www.dicomstandard.org/current] | |
| PostgreSQL | 0x70 0x6F 0x73 0x74 0x67 0x72 0x65 0x73 0x71 0x6C ("postgresql") | [https://www.postgresql.org/docs/current/protocol.html] | |
| RADIUS/1.0 | 0x72 0x61 0x64 0x69 0x75 0x73 0x2f 0x31 0x2e 0x30 ("radius/1.0") | [RFC9765] | |
| RADIUS/1.1 | 0x72 0x61 0x64 0x69 0x75 0x73 0x2f 0x31 0x2e 0x31 ("radius/1.1") | [RFC9765] | |
| NetPerfMeter Protocol Control Channel (NPMP-CONTROL) | 0x6e 0x65 0x74 0x70 0x65 0x72 0x66 0x6d 0x65 0x74 0x65 0x72 0x2f 0x63 0x6f 0x6e 0x74 0x72 0x6f 0x6c 0x0a ("netperfmeter/control") | [https://www.nntb.no/~dreibh/netperfmeter/] | |
| NetPerfMeter Protocol Data Channel (NPMP-DATA) | 0x6e 0x65 0x74 0x70 0x65 0x72 0x66 0x6d 0x65 0x74 0x65 0x72 0x2f 0x64 0x61 0x74 0x61 0x0a ("netperfmeter/data") | [https://www.nntb.no/~dreibh/netperfmeter/] |
Yoav Nir, Rich Salz, Nick Sullivan
Requests for registration in the "Specification Required" [RFC8126] range should be sent to iana@iana.org or submitted via IANA's [application form], per [RFC9847]. IANA will forward the request to the expert mailing list described in [RFC 8447, Section 17] and track its progress. See the registration procedure table below for more information.
Any TLS entry added after the IESG approves publication of [RFC-ietf-tls-tls12-frozen-08] is intended for TLS 1.3 or later, and makes no similar requirementon DTLS. Such entries should have an informal indication like "For TLS 1.3 or later" in that entry, such as the "Comment" column.
| Range | Registration Procedures |
|---|---|
| 0-63 | Standards Action |
| 64-223 | Specification Required |
| Value | Description | Reference | Comment |
|---|---|---|---|
| 0 | Reserved | [RFC7924] | |
| 1 | cert | [RFC7924] | |
| 2 | cert_req | [RFC7924] | |
| 3-223 | Unassigned | ||
| 224-255 | Reserved for Private Use | [RFC7924] |
Yoav Nir, Rich Salz, Nick Sullivan
Requests for registration in the "Specification Required" [RFC8126] range should be sent to iana@iana.org or submitted via IANA's [application form], per [RFC9847]. IANA will forward the request to the expert mailing list described in [RFC 8447, Section 17] and track its progress. See the registration procedure table below for more information.
Any TLS entry added after the IESG approves publication of [RFC-ietf-tls-tls12-frozen-08] is intended for TLS 1.3 or later, and makes no similar requirementon DTLS. Such entries should have an informal indication like "For TLS 1.3 or later" in that entry, such as the "Comment" column.
| Range | Registration Procedures |
|---|---|
| 1-255 | IETF Review |
| 256-16383 | Specification Required |
| 16384-65535 | Experimental Use |
| Algorithm Number | Description | Reference | Comment |
|---|---|---|---|
| 0 | Reserved | [RFC8879] | |
| 1 | zlib | [RFC8879] | |
| 2 | brotli | [RFC8879] | |
| 3 | zstd | [RFC8879] | |
| 4-16383 | Unassigned | ||
| 16384-65535 | Reserved for Experimental Use | [RFC8879] |
