Transport Layer Security (TLS) Extensions
- Created: 2005-11-15
- Last Updated: 2024-12-06
Registries included below
- TLS ExtensionType Values
- TLS Certificate Types
- TLS Certificate Status Types
- TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs
- TLS CachedInformationType Values
- TLS Certificate Compression Algorithm IDs
TLS ExtensionType Values
- Registration Procedure(s): Specification Required
- Expert(s): Yoav Nir, Rich Salz, Nick Sullivan
- Reference: [RFC8446][RFC8447][RFC9146]
- Note: Registration requests should be sent to the mailing list described in [RFC 8447, Section 17]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org.
- Note: The role of the designated expert is described in [RFC8447]. The designated expert [RFC8126] ensures that the specification is publicly available. It is sufficient to have an Internet-Draft (that is posted and never published as an RFC) or a document from another standards body, industry consortium, university site, etc. The expert may provide more in-depth reviews, but their approval should not be taken as an endorsement of the extension.
- Note: As specified in [RFC8126], assignments made in the Private Use space are not generally useful for broad interoperability. It is the responsibility of those making use of the Private Use range to ensure that no conflicts occur (within the intended scope of use). For widespread experiments, temporary reservations are available.
- Note: If an item is not marked as "Recommended", it does not necessarily mean that it is flawed; rather, it indicates that the item either has not been through the IETF consensus process, has limited applicability, or is intended only for specific use cases.
- Note: The addition of the "CR" to the "TLS 1.3" column for the server_name(0) extension only marks the extension as valid in a ClientCertificateRequest created as part of client-generated authenticator requests.
Value | Extension Name | TLS 1.3 | DTLS-Only | Recommended | Reference |
---|---|---|---|---|---|
0 | server_name | CH, EE, CR | N | Y | [RFC6066][RFC9261] |
1 | max_fragment_length | CH, EE | N | N | [RFC6066][RFC8449] |
2 | client_certificate_url | - | N | Y | [RFC6066] |
3 | trusted_ca_keys | - | N | Y | [RFC6066] |
4 | truncated_hmac | - | N | N | [RFC6066][IESG Action 2018-08-16] |
5 | status_request | CH, CR, CT | N | Y | [RFC6066] |
6 | user_mapping | - | N | Y | [RFC4681] |
7 | client_authz | - | N | N | [RFC5878] |
8 | server_authz | - | N | N | [RFC5878] |
9 | cert_type | - | N | N | [RFC6091] |
10 | supported_groups (renamed from "elliptic_curves") | CH, EE | N | Y | [RFC8422][RFC7919] |
11 | ec_point_formats | - | N | Y | [RFC8422] |
12 | srp | - | N | N | [RFC5054] |
13 | signature_algorithms | CH, CR | N | Y | [RFC8446] |
14 | use_srtp | CH, EE | N | Y | [RFC5764] |
15 | heartbeat | CH, EE | N | Y | [RFC6520] |
16 | application_layer_protocol_negotiation | CH, EE | N | Y | [RFC7301] |
17 | status_request_v2 | - | N | Y | [RFC6961] |
18 | signed_certificate_timestamp | CH, CR, CT | N | N | [RFC6962] |
19 | client_certificate_type | CH, EE | N | Y | [RFC7250] |
20 | server_certificate_type | CH, EE | N | Y | [RFC7250] |
21 | padding | CH | N | Y | [RFC7685] |
22 | encrypt_then_mac | - | N | Y | [RFC7366] |
23 | extended_master_secret | - | N | Y | [RFC7627] |
24 | token_binding | - | N | Y | [RFC8472] |
25 | cached_info | - | N | Y | [RFC7924] |
26 | tls_lts | - | N | N | [draft-gutmann-tls-lts-11] |
27 | compress_certificate | CH, CR | N | Y | [RFC8879] |
28 | record_size_limit | CH, EE | N | Y | [RFC8449] |
29 | pwd_protect | CH | N | N | [RFC8492] |
30 | pwd_clear | CH | N | N | [RFC8492] |
31 | password_salt | CH, SH, HRR | N | N | [RFC8492] |
32 | ticket_pinning | CH, EE | N | N | [RFC8672] |
33 | tls_cert_with_extern_psk | CH, SH | N | N | [RFC8773] |
34 | delegated_credential | CH, CR, CT | N | Y | [RFC9345] |
35 | session_ticket (renamed from "SessionTicket TLS") | - | N | Y | [RFC5077][RFC8447] |
36 | TLMSP | - | N | N | [ETSI TS 103 523-2] |
37 | TLMSP_proxying | - | N | N | [ETSI TS 103 523-2] |
38 | TLMSP_delegate | - | N | N | [ETSI TS 103 523-2] |
39 | supported_ekt_ciphers | CH, EE | N | Y | [RFC8870] |
40 | Reserved | | | | [tls-reg-review mailing list] |
41 | pre_shared_key | CH, SH | N | Y | [RFC8446] |
42 | early_data | CH, EE, NST | N | Y | [RFC8446] |
43 | supported_versions | CH, SH, HRR | N | Y | [RFC8446] |
44 | cookie | CH, HRR | N | Y | [RFC8446] |
45 | psk_key_exchange_modes | CH | N | Y | [RFC8446] |
46 | Reserved | | | | [tls-reg-review mailing list] |
47 | certificate_authorities | CH, CR | N | Y | [RFC8446] |
48 | oid_filters | CR | N | Y | [RFC8446] |
49 | post_handshake_auth | CH | N | Y | [RFC8446] |
50 | signature_algorithms_cert | CH, CR | N | Y | [RFC8446] |
51 | key_share | CH, SH, HRR | N | Y | [RFC8446][RFC Errata 5483] |
52 | transparency_info | CH, CR, CT | N | Y | [RFC9162] |
53 | connection_id (deprecated) | - | Y | N | [RFC9146] |
54 | connection_id | CH, SH | Y | N | [RFC9146] |
55 | external_id_hash | CH, EE | N | Y | [RFC8844] |
56 | external_session_id | CH, EE | N | Y | [RFC8844] |
57 | quic_transport_parameters | CH, EE | N | Y | [RFC9001] |
58 | ticket_request | CH, EE | N | Y | [RFC9149] |
59 | dnssec_chain | CH, CT | N | N | [RFC9102][RFC Errata 6860] |
60 | sequence_number_encryption_algorithms | CH, HRR, SH | Y | N | [draft-pismenny-tls-dtls-plaintext-sequence-number-01] |
61 | rrc | CH, SH | Y | N | [draft-ietf-tls-dtls-rrc-10] |
62 | tls_flags | CH,SH,HRR,EE,CR,CT,NST | N | N | [draft-ietf-tls-tlsflags-14] |
63-2569 | Unassigned | | | | |
2570 | Reserved | CH, CR, NST | N | N | [RFC8701] |
2571-6681 | Unassigned | | | | |
6682 | Reserved | CH, CR, NST | N | N | [RFC8701] |
6683-10793 | Unassigned | | | | |
10794 | Reserved | CH, CR, NST | N | N | [RFC8701] |
10795-14905 | Unassigned | | | | |
14906 | Reserved | CH, CR, NST | N | N | [RFC8701] |
14907-19017 | Unassigned | | | | |
19018 | Reserved | CH, CR, NST | N | N | [RFC8701] |
19019-23129 | Unassigned | | | | |
23130 | Reserved | CH, CR, NST | N | N | [RFC8701] |
23131-27241 | Unassigned | | | | |
27242 | Reserved | CH, CR, NST | N | N | [RFC8701] |
27243-31353 | Unassigned | | | | |
31354 | Reserved | CH, CR, NST | N | N | [RFC8701] |
31355-35465 | Unassigned | | | | |
35466 | Reserved | CH, CR, NST | N | N | [RFC8701] |
35467-39577 | Unassigned | | | | |
39578 | Reserved | CH, CR, NST | N | N | [RFC8701] |
39579-43689 | Unassigned | | | | |
43690 | Reserved | CH, CR, NST | N | N | [RFC8701] |
43691-47801 | Unassigned | | | | |
47802 | Reserved | CH, CR, NST | N | N | [RFC8701] |
47803-51913 | Unassigned | | | | |
51914 | Reserved | CH, CR, NST | N | N | [RFC8701] |
51915-56025 | Unassigned | | | | |
56026 | Reserved | CH, CR, NST | N | N | [RFC8701] |
56027-60137 | Unassigned | | | | |
60138 | Reserved | CH, CR, NST | N | N | [RFC8701] |
60139-64249 | Unassigned | | | | |
64250 | Reserved | CH, CR, NST | N | N | [RFC8701] |
64251-64767 | Unassigned | | | | |
64768 | ech_outer_extensions | CH [2] | N | N | [draft-ietf-tls-esni-17] |
64769-65036 | Unassigned | | | | |
65037 | encrypted_client_hello | CH, HRR, EE | N | N | [draft-ietf-tls-esni-17] |
65038-65279 | Unassigned | | | | |
65280 | Reserved for Private Use | | | | [RFC8446] |
65281 | renegotiation_info | - | N | Y | [RFC5746] |
65282-65535 | Reserved for Private Use | | | | [RFC8446] |
TLS Certificate Types
- Registration Procedure(s): Specification Required
- Expert(s): Yoav Nir, Rich Salz, Nick Sullivan
- Reference: [RFC6091][RFC8446][RFC8447]
- Note: Registration requests should be sent to the mailing list described in [RFC 8447, Section 17]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org.
- Note: The role of the designated expert is described in [RFC8447]. The designated expert [RFC8126] ensures that the specification is publicly available. It is sufficient to have an Internet-Draft (that is posted and never published as an RFC) or a document from another standards body, industry consortium, university site, etc. The expert may provide more in-depth reviews, but their approval should not be taken as an endorsement of the certificate type.
- Note: If an item is not marked as "Recommended", it does not necessarily mean that it is flawed; rather, it indicates that the item either has not been through the IETF consensus process, has limited applicability, or is intended only for specific use cases.
Value | Name | Recommended | Reference | Comment |
---|---|---|---|---|
0 | X509 | Y | [RFC6091][RFC Errata 5976] | Was X.509 before TLS 1.3. |
1 | OpenPGP_RESERVED | N | [RFC6091][RFC8446] | Used in TLS versions prior to 1.3. |
2 | Raw Public Key | Y | [RFC7250] | |
3 | 1609Dot2 | N | [RFC8902] | |
4-223 | Unassigned | | | |
224-255 | Reserved for Private Use | | [RFC6091] | |
TLS Certificate Status Types
- Registration Procedure(s): IETF Review
- Reference: [RFC6961][RFC8446]
Value | Description | Reference | Comment |
---|---|---|---|
0 | Reserved | [RFC6961] | |
1 | ocsp | [RFC6066][RFC6961] | |
2 | ocsp_multi_RESERVED | [RFC6961][RFC8446] | Used in TLS versions prior to 1.3. |
3-255 | Unassigned | | |
TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs
- Registration Procedure(s): Expert Review
- Expert(s): Yoav Nir, Rich Salz, Nick Sullivan
- Reference: [RFC7301][RFC8447]
- Note: Registration requests should be sent to the mailing list described in [RFC 8447, Section 17]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org.
Protocol | Identification Sequence | Reference |
---|---|---|
Reserved | 0x0A 0x0A | [RFC8701] |
Reserved | 0x1A 0x1A | [RFC8701] |
Reserved | 0x2A 0x2A | [RFC8701] |
Reserved | 0x3A 0x3A | [RFC8701] |
Reserved | 0x4A 0x4A | [RFC8701] |
Reserved | 0x5A 0x5A | [RFC8701] |
Reserved | 0x6A 0x6A | [RFC8701] |
Reserved | 0x7A 0x7A | [RFC8701] |
Reserved | 0x8A 0x8A | [RFC8701] |
Reserved | 0x9A 0x9A | [RFC8701] |
Reserved | 0xAA 0xAA | [RFC8701] |
Reserved | 0xBA 0xBA | [RFC8701] |
Reserved | 0xCA 0xCA | [RFC8701] |
Reserved | 0xDA 0xDA | [RFC8701] |
Reserved | 0xEA 0xEA | [RFC8701] |
Reserved | 0xFA 0xFA | [RFC8701] |
HTTP/0.9 | 0x68 0x74 0x74 0x70 0x2f 0x30 0x2e 0x39 ("http/0.9") | [RFC1945] |
HTTP/1.0 | 0x68 0x74 0x74 0x70 0x2f 0x31 0x2e 0x30 ("http/1.0") | [RFC1945] |
HTTP/1.1 | 0x68 0x74 0x74 0x70 0x2f 0x31 0x2e 0x31 ("http/1.1") | [RFC9112] |
SPDY/1 | 0x73 0x70 0x64 0x79 0x2f 0x31 ("spdy/1") | [http://dev.chromium.org/spdy/spdy-protocol/spdy-protocol-draft1] |
SPDY/2 | 0x73 0x70 0x64 0x79 0x2f 0x32 ("spdy/2") | [http://dev.chromium.org/spdy/spdy-protocol/spdy-protocol-draft2] |
SPDY/3 | 0x73 0x70 0x64 0x79 0x2f 0x33 ("spdy/3") | [http://dev.chromium.org/spdy/spdy-protocol/spdy-protocol-draft3] |
Traversal Using Relays around NAT (TURN) | 0x73 0x74 0x75 0x6E 0x2E 0x74 0x75 0x72 0x6E ("stun.turn") | [RFC7443] |
NAT discovery using Session Traversal Utilities for NAT (STUN) | 0x73 0x74 0x75 0x6E 0x2E 0x6e 0x61 0x74 0x2d 0x64 0x69 0x73 0x63 0x6f 0x76 0x65 0x72 0x79 ("stun.nat-discovery") | [RFC7443] |
HTTP/2 over TLS | 0x68 0x32 ("h2") | [RFC9113] |
HTTP/2 over TCP | 0x68 0x32 0x63 ("h2c") | [1][RFC9113] |
WebRTC Media and Data | 0x77 0x65 0x62 0x72 0x74 0x63 ("webrtc") | [RFC8833] |
Confidential WebRTC Media and Data | 0x63 0x2d 0x77 0x65 0x62 0x72 0x74 0x63 ("c-webrtc") | [RFC8833] |
FTP | 0x66 0x74 0x70 ("ftp") | [RFC959][RFC4217] |
IMAP | 0x69 0x6d 0x61 0x70 ("imap") | [RFC2595] |
POP3 | 0x70 0x6f 0x70 0x33 ("pop3") | [RFC2595] |
ManageSieve | 0x6d 0x61 0x6e 0x61 0x67 0x65 0x73 0x69 0x65 0x76 0x65 ("managesieve") | [RFC5804] |
CoAP (over TLS) | 0x63 0x6f 0x61 0x70 ("coap") | [RFC8323] |
CoAP (over DTLS) | 0x63 0x6f ("co") | [draft-lenders-core-coap-dtls-svcb-00] |
XMPP jabber:client namespace | 0x78 0x6d 0x70 0x70 0x2d 0x63 0x6c 0x69 0x65 0x6e 0x74 ("xmpp-client") | [https://xmpp.org/extensions/xep-0368.html] |
XMPP jabber:server namespace | 0x78 0x6d 0x70 0x70 0x2d 0x73 0x65 0x72 0x76 0x65 0x72 ("xmpp-server") | [https://xmpp.org/extensions/xep-0368.html] |
acme-tls/1 | 0x61 0x63 0x6d 0x65 0x2d 0x74 0x6c 0x73 0x2f 0x31 ("acme-tls/1") | [RFC8737] |
OASIS Message Queuing Telemetry Transport (MQTT) | 0x6d 0x71 0x74 0x74 ("mqtt") | [http://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html] |
DNS-over-TLS | 0x64 0x6F 0x74 ("dot") | [RFC7858] |
Network Time Security Key Establishment, version 1 | 0x6E 0x74 0x73 0x6B 0x65 0x2F 0x31 ("ntske/1") | [RFC8915, Section 4] |
SunRPC | 0x73 0x75 0x6e 0x72 0x70 0x63 ("sunrpc") | [RFC9289] |
HTTP/3 | 0x68 0x33 ("h3") | [RFC9114] |
SMB2 | 0x73 0x6D 0x62 ("smb") | [https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5606ad47-5ee0-437a-817e-70c366052962] |
IRC | 0x69 0x72 0x63 ("irc") | [RFC1459] |
NNTP (reading) | 0x6E 0x6E 0x74 0x70 ("nntp") | [RFC3977] |
NNTP (transit) | 0x6E 0x6E 0x73 0x70 ("nnsp") | [RFC3977] |
DoQ | 0x64 0x6F 0x71 ("doq") | [RFC9250] |
SIP | 0x73 0x69 0x70 0x2f 0x32 ("sip/2") | [RFC3261] |
TDS/8.0 | 0x74 0x64 0x73 0x2f 0x38 0x2e 0x30 ("tds/8.0") | [[MS-TDS]: Tabular Data Stream Protocol] |
DICOM | 0x64 0x69 0x63 0x6f 0x6d ("dicom") | [https://www.dicomstandard.org/current] |
PostgreSQL | 0x70 0x6F 0x73 0x74 0x67 0x72 0x65 0x73 0x71 0x6C ("postgresql") | [https://www.postgresql.org/docs/current/protocol.html] |
RADIUS/1.0 | 0x72 0x61 0x64 0x69 0x75 0x73 0x2f 0x31 0x2e 0x30 ("radius/1.0") | [RFC-ietf-radext-radiusv11-11] |
RADIUS/1.1 | 0x72 0x61 0x64 0x69 0x75 0x73 0x2f 0x31 0x2e 0x31 ("radius/1.1") | [RFC-ietf-radext-radiusv11-11] |
TLS CachedInformationType Values
- Expert(s): Yoav Nir, Rich Salz, Nick Sullivan
- Reference: [RFC7924]
- Note: Requests for assignments from the registry's Specification Required range should be sent to the mailing list described in [RFC 8447, Section 17]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org.
Range | Registration Procedures |
---|---|
0-63 | Standards Action |
64-223 | Specification Required |

Value | Description | Reference |
---|---|---|
0 | Reserved | [RFC7924] |
1 | cert | [RFC7924] |
2 | cert_req | [RFC7924] |
3-223 | Unassigned | |
224-255 | Reserved for Private Use | [RFC7924] |
TLS Certificate Compression Algorithm IDs
- Expert(s): Yoav Nir, Rich Salz, Nick Sullivan
- Reference: [RFC8879]
- Note: Requests for assignments from the registry's Specification Required range should be sent to the mailing list described in [RFC 8447, Section 17]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org.
Range | Registration Procedures |
---|---|
1-255 | IETF Review |
256-16383 | Specification Required |
16384-65535 | Experimental Use |

Algorithm Number | Description | Reference |
---|---|---|
0 | Reserved | [RFC8879] |
1 | zlib | [RFC8879] |
2 | brotli | [RFC8879] |
3 | zstd | [RFC8879] |
4-16383 | Unassigned | |
16384-65535 | Reserved for Experimental Use | [RFC8879] |
Footnotes
[1] This entry reserves an identifier for use within a cleartext version of a protocol and is not allowed to appear in a TLS ALPN negotiation.
[2] Only appears in inner CH.