Internet Assigned Numbers Authority

Transport Layer Security (TLS) Extensions

Created: 2005-11-15
Last Updated: 2024-11-20

TLS ExtensionType Values

Registration Procedure(s): Specification Required
Expert(s): Yoav Nir, Rich Salz, Nick Sullivan
Reference: [RFC8446][RFC8447][RFC9146]

Note: Registration requests should be sent to the mailing list described in [RFC 8447, Section 17]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org.

Note: The role of the designated expert is described in [RFC8447]. The designated expert [RFC8126] ensures that the specification is publicly available. It is sufficient to have an Internet-Draft (that is posted and never published as an RFC) or a document from another standards body, industry consortium, university site, etc. The expert may provide more in-depth reviews, but their approval should not be taken as an endorsement of the extension.

Note: As specified in [RFC8126], assignments made in the Private Use space are not generally useful for broad interoperability. It is the responsibility of those making use of the Private Use range to ensure that no conflicts occur (within the intended scope of use). For widespread experiments, temporary reservations are available.

Note: If an item is not marked as "Recommended", it does not necessarily mean that it is flawed; rather, it indicates that the item either has not been through the IETF consensus process, has limited applicability, or is intended only for specific use cases.

Note: The addition of the "CR" to the "TLS 1.3" column for the server_name(0) extension only marks the extension as valid in a ClientCertificateRequest created as part of client-generated authenticator requests.
    
| Value | Extension Name | TLS 1.3 | DTLS-Only | Recommended | Reference |
|---|---|---|---|---|---|
| 0 | server_name | CH, EE, CR | N | Y | [RFC6066][RFC9261] |
| 1 | max_fragment_length | CH, EE | N | N | [RFC6066][RFC8449] |
| 2 | client_certificate_url | - | N | Y | [RFC6066] |
| 3 | trusted_ca_keys | - | N | Y | [RFC6066] |
| 4 | truncated_hmac | - | N | N | [RFC6066][IESG Action 2018-08-16] |
| 5 | status_request | CH, CR, CT | N | Y | [RFC6066] |
| 6 | user_mapping | - | N | Y | [RFC4681] |
| 7 | client_authz | - | N | N | [RFC5878] |
| 8 | server_authz | - | N | N | [RFC5878] |
| 9 | cert_type | - | N | N | [RFC6091] |
| 10 | supported_groups (renamed from "elliptic_curves") | CH, EE | N | Y | [RFC8422][RFC7919] |
| 11 | ec_point_formats | - | N | Y | [RFC8422] |
| 12 | srp | - | N | N | [RFC5054] |
| 13 | signature_algorithms | CH, CR | N | Y | [RFC8446] |
| 14 | use_srtp | CH, EE | N | Y | [RFC5764] |
| 15 | heartbeat | CH, EE | N | Y | [RFC6520] |
| 16 | application_layer_protocol_negotiation | CH, EE | N | Y | [RFC7301] |
| 17 | status_request_v2 | - | N | Y | [RFC6961] |
| 18 | signed_certificate_timestamp | CH, CR, CT | N | N | [RFC6962] |
| 19 | client_certificate_type | CH, EE | N | Y | [RFC7250] |
| 20 | server_certificate_type | CH, EE | N | Y | [RFC7250] |
| 21 | padding | CH | N | Y | [RFC7685] |
| 22 | encrypt_then_mac | - | N | Y | [RFC7366] |
| 23 | extended_master_secret | - | N | Y | [RFC7627] |
| 24 | token_binding | - | N | Y | [RFC8472] |
| 25 | cached_info | - | N | Y | [RFC7924] |
| 26 | tls_lts | - | N | N | [draft-gutmann-tls-lts] |
| 27 | compress_certificate | CH, CR | N | Y | [RFC8879] |
| 28 | record_size_limit | CH, EE | N | Y | [RFC8449] |
| 29 | pwd_protect | CH | N | N | [RFC8492] |
| 30 | pwd_clear | CH | N | N | [RFC8492] |
| 31 | password_salt | CH, SH, HRR | N | N | [RFC8492] |
| 32 | ticket_pinning | CH, EE | N | N | [RFC8672] |
| 33 | tls_cert_with_extern_psk | CH, SH | N | N | [RFC8773] |
| 34 | delegated_credential | CH, CR, CT | N | Y | [RFC9345] |
| 35 | session_ticket (renamed from "SessionTicket TLS") | - | N | Y | [RFC5077][RFC8447] |
| 36 | TLMSP | - | N | N | [ETSI TS 103 523-2] |
| 37 | TLMSP_proxying | - | N | N | [ETSI TS 103 523-2] |
| 38 | TLMSP_delegate | - | N | N | [ETSI TS 103 523-2] |
| 39 | supported_ekt_ciphers | CH, EE | N | Y | [RFC8870] |
| 40 | Reserved | | | | [tls-reg-review mailing list] |
| 41 | pre_shared_key | CH, SH | N | Y | [RFC8446] |
| 42 | early_data | CH, EE, NST | N | Y | [RFC8446] |
| 43 | supported_versions | CH, SH, HRR | N | Y | [RFC8446] |
| 44 | cookie | CH, HRR | N | Y | [RFC8446] |
| 45 | psk_key_exchange_modes | CH | N | Y | [RFC8446] |
| 46 | Reserved | | | | [tls-reg-review mailing list] |
| 47 | certificate_authorities | CH, CR | N | Y | [RFC8446] |
| 48 | oid_filters | CR | N | Y | [RFC8446] |
| 49 | post_handshake_auth | CH | N | Y | [RFC8446] |
| 50 | signature_algorithms_cert | CH, CR | N | Y | [RFC8446] |
| 51 | key_share | CH, SH, HRR | N | Y | [RFC8446][RFC Errata 5483] |
| 52 | transparency_info | CH, CR, CT | N | Y | [RFC9162] |
| 53 | connection_id (deprecated) | - | Y | N | [RFC9146] |
| 54 | connection_id | CH, SH | Y | N | [RFC9146] |
| 55 | external_id_hash | CH, EE | N | Y | [RFC8844] |
| 56 | external_session_id | CH, EE | N | Y | [RFC8844] |
| 57 | quic_transport_parameters | CH, EE | N | Y | [RFC9001] |
| 58 | ticket_request | CH, EE | N | Y | [RFC9149] |
| 59 | dnssec_chain | CH, CT | N | N | [RFC9102][RFC Errata 6860] |
| 60 | sequence_number_encryption_algorithms | CH, HRR, SH | Y | N | [draft-pismenny-tls-dtls-plaintext-sequence-number-01] |
| 61 | rrc | CH, SH | Y | N | [draft-ietf-tls-dtls-rrc-10] |
| 62 | tls_flags | CH, SH, HRR, EE, CR, CT, NST | N | N | [draft-ietf-tls-tlsflags-14] |
| 63-2569 | Unassigned | | | | |
| 2570 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 2571-6681 | Unassigned | | | | |
| 6682 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 6683-10793 | Unassigned | | | | |
| 10794 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 10795-14905 | Unassigned | | | | |
| 14906 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 14907-19017 | Unassigned | | | | |
| 19018 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 19019-23129 | Unassigned | | | | |
| 23130 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 23131-27241 | Unassigned | | | | |
| 27242 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 27243-31353 | Unassigned | | | | |
| 31354 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 31355-35465 | Unassigned | | | | |
| 35466 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 35467-39577 | Unassigned | | | | |
| 39578 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 39579-43689 | Unassigned | | | | |
| 43690 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 43691-47801 | Unassigned | | | | |
| 47802 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 47803-51913 | Unassigned | | | | |
| 51914 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 51915-56025 | Unassigned | | | | |
| 56026 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 56027-60137 | Unassigned | | | | |
| 60138 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 60139-64249 | Unassigned | | | | |
| 64250 | Reserved | CH, CR, NST | N | N | [RFC8701] |
| 64251-64767 | Unassigned | | | | |
| 64768 | ech_outer_extensions | CH [2] | N | N | [draft-ietf-tls-esni-17] |
| 64769-65036 | Unassigned | | | | |
| 65037 | encrypted_client_hello | CH, HRR, EE | N | N | [draft-ietf-tls-esni-17] |
| 65038-65279 | Unassigned | | | | |
| 65280 | Reserved for Private Use | | | | [RFC8446] |
| 65281 | renegotiation_info | - | N | Y | [RFC5746] |
| 65282-65535 | Reserved for Private Use | | | | [RFC8446] |

TLS Certificate Types

Registration Procedure(s): Specification Required
Expert(s): Yoav Nir, Rich Salz, Nick Sullivan
Reference: [RFC6091][RFC8446][RFC8447]

Note: Registration requests should be sent to the mailing list described in [RFC 8447, Section 17]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org.

Note: The role of the designated expert is described in [RFC8447]. The designated expert [RFC8126] ensures that the specification is publicly available. It is sufficient to have an Internet-Draft (that is posted and never published as an RFC) or a document from another standards body, industry consortium, university site, etc. The expert may provide more in-depth reviews, but their approval should not be taken as an endorsement of the certificate type.

Note: If an item is not marked as "Recommended", it does not necessarily mean that it is flawed; rather, it indicates that the item either has not been through the IETF consensus process, has limited applicability, or is intended only for specific use cases.
    
| Value | Name | Recommended | Reference | Comment |
|---|---|---|---|---|
| 0 | X509 | Y | [RFC6091][RFC Errata 5976] | Was X.509 before TLS 1.3. |
| 1 | OpenPGP_RESERVED | N | [RFC6091][RFC8446] | Used in TLS versions prior to 1.3. |
| 2 | Raw Public Key | Y | [RFC7250] | |
| 3 | 1609Dot2 | N | [RFC8902] | |
| 4-223 | Unassigned | | | |
| 224-255 | Reserved for Private Use | | [RFC6091] | |

TLS Certificate Status Types

Registration Procedure(s): IETF Review
Reference: [RFC6961][RFC8446]

| Value | Description | Reference | Comment |
|---|---|---|---|
| 0 | Reserved | [RFC6961] | |
| 1 | ocsp | [RFC6066][RFC6961] | |
| 2 | ocsp_multi_RESERVED | [RFC6961][RFC8446] | Used in TLS versions prior to 1.3. |
| 3-255 | Unassigned | | |

TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs

Registration Procedure(s): Expert Review
Expert(s): Yoav Nir, Rich Salz, Nick Sullivan
Reference: [RFC7301][RFC8447]

Note: Registration requests should be sent to the mailing list described in [RFC 8447, Section 17]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org.
    
| Protocol | Identification Sequence | Reference |
|---|---|---|
| Reserved | 0x0A 0x0A | [RFC8701] |
| Reserved | 0x1A 0x1A | [RFC8701] |
| Reserved | 0x2A 0x2A | [RFC8701] |
| Reserved | 0x3A 0x3A | [RFC8701] |
| Reserved | 0x4A 0x4A | [RFC8701] |
| Reserved | 0x5A 0x5A | [RFC8701] |
| Reserved | 0x6A 0x6A | [RFC8701] |
| Reserved | 0x7A 0x7A | [RFC8701] |
| Reserved | 0x8A 0x8A | [RFC8701] |
| Reserved | 0x9A 0x9A | [RFC8701] |
| Reserved | 0xAA 0xAA | [RFC8701] |
| Reserved | 0xBA 0xBA | [RFC8701] |
| Reserved | 0xCA 0xCA | [RFC8701] |
| Reserved | 0xDA 0xDA | [RFC8701] |
| Reserved | 0xEA 0xEA | [RFC8701] |
| Reserved | 0xFA 0xFA | [RFC8701] |
| HTTP/0.9 | 0x68 0x74 0x74 0x70 0x2f 0x30 0x2e 0x39 ("http/0.9") | [RFC1945] |
| HTTP/1.0 | 0x68 0x74 0x74 0x70 0x2f 0x31 0x2e 0x30 ("http/1.0") | [RFC1945] |
| HTTP/1.1 | 0x68 0x74 0x74 0x70 0x2f 0x31 0x2e 0x31 ("http/1.1") | [RFC9112] |
| SPDY/1 | 0x73 0x70 0x64 0x79 0x2f 0x31 ("spdy/1") | [http://dev.chromium.org/spdy/spdy-protocol/spdy-protocol-draft1] |
| SPDY/2 | 0x73 0x70 0x64 0x79 0x2f 0x32 ("spdy/2") | [http://dev.chromium.org/spdy/spdy-protocol/spdy-protocol-draft2] |
| SPDY/3 | 0x73 0x70 0x64 0x79 0x2f 0x33 ("spdy/3") | [http://dev.chromium.org/spdy/spdy-protocol/spdy-protocol-draft3] |
| Traversal Using Relays around NAT (TURN) | 0x73 0x74 0x75 0x6E 0x2E 0x74 0x75 0x72 0x6E ("stun.turn") | [RFC7443] |
| NAT discovery using Session Traversal Utilities for NAT (STUN) | 0x73 0x74 0x75 0x6E 0x2E 0x6e 0x61 0x74 0x2d 0x64 0x69 0x73 0x63 0x6f 0x76 0x65 0x72 0x79 ("stun.nat-discovery") | [RFC7443] |
| HTTP/2 over TLS | 0x68 0x32 ("h2") | [RFC9113] |
| HTTP/2 over TCP | 0x68 0x32 0x63 ("h2c") | [1][RFC9113] |
| WebRTC Media and Data | 0x77 0x65 0x62 0x72 0x74 0x63 ("webrtc") | [RFC8833] |
| Confidential WebRTC Media and Data | 0x63 0x2d 0x77 0x65 0x62 0x72 0x74 0x63 ("c-webrtc") | [RFC8833] |
| FTP | 0x66 0x74 0x70 ("ftp") | [RFC959][RFC4217] |
| IMAP | 0x69 0x6d 0x61 0x70 ("imap") | [RFC2595] |
| POP3 | 0x70 0x6f 0x70 0x33 ("pop3") | [RFC2595] |
| ManageSieve | 0x6d 0x61 0x6e 0x61 0x67 0x65 0x73 0x69 0x65 0x76 0x65 ("managesieve") | [RFC5804] |
| CoAP (over TLS) | 0x63 0x6f 0x61 0x70 ("coap") | [RFC8323] |
| CoAP (over DTLS) | 0x63 0x6f ("co") | [draft-lenders-core-coap-dtls-svcb-00] |
| XMPP jabber:client namespace | 0x78 0x6d 0x70 0x70 0x2d 0x63 0x6c 0x69 0x65 0x6e 0x74 ("xmpp-client") | [https://xmpp.org/extensions/xep-0368.html] |
| XMPP jabber:server namespace | 0x78 0x6d 0x70 0x70 0x2d 0x73 0x65 0x72 0x76 0x65 0x72 ("xmpp-server") | [https://xmpp.org/extensions/xep-0368.html] |
| acme-tls/1 | 0x61 0x63 0x6d 0x65 0x2d 0x74 0x6c 0x73 0x2f 0x31 ("acme-tls/1") | [RFC8737] |
| OASIS Message Queuing Telemetry Transport (MQTT) | 0x6d 0x71 0x74 0x74 (“mqtt”) | [http://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html] |
| DNS-over-TLS | 0x64 0x6F 0x74 ("dot") | [RFC7858] |
| Network Time Security Key Establishment, version 1 | 0x6E 0x74 0x73 0x6B 0x65 0x2F 0x31 ("ntske/1") | [RFC8915, Section 4] |
| SunRPC | 0x73 0x75 0x6e 0x72 0x70 0x63 ("sunrpc") | [RFC9289] |
| HTTP/3 | 0x68 0x33 ("h3") | [RFC9114] |
| SMB2 | 0x73 0x6D 0x62 (“smb”) | [https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5606ad47-5ee0-437a-817e-70c366052962] |
| IRC | 0x69 0x72 0x63 ("irc") | [RFC1459] |
| NNTP (reading) | 0x6E 0x6E 0x74 0x70 ("nntp") | [RFC3977] |
| NNTP (transit) | 0x6E 0x6E 0x73 0x70 ("nnsp") | [RFC3977] |
| DoQ | 0x64 0x6F 0x71 ("doq") | [RFC9250] |
| SIP | 0x73 0x69 0x70 0x2f 0x32 ("sip/2") | [RFC3261] |
| TDS/8.0 | 0x74 0x64 0x73 0x2f 0x38 0x2e 0x30 ("tds/8.0") | [[MS-TDS]: Tabular Data Stream Protocol] |
| DICOM | 0x64 0x69 0x63 0x6f 0x6d ("dicom") | [https://www.dicomstandard.org/current] |
| PostgreSQL | 0x70 0x6F 0x73 0x74 0x67 0x72 0x65 0x73 0x71 0x6C ("postgresql") | [https://www.postgresql.org/docs/current/protocol.html] |
| RADIUS/1.0 | 0x72 0x61 0x64 0x69 0x75 0x73 0x2f 0x31 0x2e 0x30 ("radius/1.0") | [RFC-ietf-radext-radiusv11-11] |
| RADIUS/1.1 | 0x72 0x61 0x64 0x69 0x75 0x73 0x2f 0x31 0x2e 0x31 ("radius/1.1") | [RFC-ietf-radext-radiusv11-11] |

TLS CachedInformationType Values

Expert(s): Yoav Nir, Rich Salz, Nick Sullivan
Reference: [RFC7924]

Note: Requests for assignments from the registry's Specification Required range should be sent to the mailing list described in [RFC 8447, Section 17]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org.
    
| Range | Registration Procedures |
|---|---|
| 0-63 | Standards Action |
| 64-223 | Specification Required |

| Value | Description | Reference |
|---|---|---|
| 0 | Reserved | [RFC7924] |
| 1 | cert | [RFC7924] |
| 2 | cert_req | [RFC7924] |
| 3-223 | Unassigned | |
| 224-255 | Reserved for Private Use | [RFC7924] |

TLS Certificate Compression Algorithm IDs

Expert(s): Yoav Nir, Rich Salz, Nick Sullivan
Reference: [RFC8879]

Note: Requests for assignments from the registry's Specification Required range should be sent to the mailing list described in [RFC 8447, Section 17]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org.
    
| Range | Registration Procedures |
|---|---|
| 1-255 | IETF Review |
| 256-16383 | Specification Required |
| 16384-65535 | Experimental Use |

| Algorithm Number | Description | Reference |
|---|---|---|
| 0 | Reserved | [RFC8879] |
| 1 | zlib | [RFC8879] |
| 2 | brotli | [RFC8879] |
| 3 | zstd | [RFC8879] |
| 4-16383 | Unassigned | |
| 16384-65535 | Reserved for Experimental Use | [RFC8879] |

Footnotes

[1] This entry reserves an identifier for use within a cleartext version of a protocol and is not allowed to appear in a TLS ALPN negotiation.

[2] Only appears in inner CH.