Transport Layer Security (TLS) Extensions
Transport Layer Security (TLS)
Created: 2005-11-15
Last Updated: 2024-03-14
TLS ExtensionType Values
Transport Layer Security (TLS)
Expert(s): Yoav Nir, Rich Salz, Nick Sullivan
Registration Procedure(s): Specification Required

Registration requests should be sent to the mailing list described
in RFC 8447, Section 17. If approved, designated experts should
notify IANA within three weeks. For assistance, please contact
iana@iana.org.

The role of the designated expert is described in .
The designated expert ensures that the specification is
publicly available. It is sufficient to have an Internet-Draft
(that is posted and never published as an RFC) or a document from
another standards body, industry consortium, university site, etc.
The expert may provide more in-depth reviews, but their approval
should not be taken as an endorsement of the extension.

As specified in , assignments made in the Private Use
space are not generally useful for broad interoperability. It is
the responsibility of those making use of the Private Use range to
ensure that no conflicts occur (within the intended scope of use).
For widespread experiments, temporary reservations are available.

If an item is not marked as "Recommended", it does not
necessarily mean that it is flawed; rather, it indicates that the
item either has not been through the IETF consensus process, has
limited applicability, or is intended only for specific use cases.

The addition of the "CR" to the "TLS 1.3" column for the
server_name(0) extension only marks the extension as valid in a
ClientCertificateRequest created as part of client-generated
authenticator requests.
Value        Extension Name                                     TLS 1.3      DTLS-Only  Recommended  Reference
0            server_name                                        CH, EE, CR   N          Y
1            max_fragment_length                                CH, EE       N          N
2            client_certificate_url                             -            N          Y
3            trusted_ca_keys                                    -            N          Y
4            truncated_hmac                                     -            N          N            IESG Action 2018-08-16
5            status_request                                     CH, CR, CT   N          Y
6            user_mapping                                       -            N          Y
7            client_authz                                       -            N          N
8            server_authz                                       -            N          N
9            cert_type                                          -            N          N
10           supported_groups (renamed from "elliptic_curves")  CH, EE       N          Y
11           ec_point_formats                                   -            N          Y
12           srp                                                -            N          N
13           signature_algorithms                               CH, CR       N          Y
14           use_srtp                                           CH, EE       N          Y
15           heartbeat                                          CH, EE       N          Y
16           application_layer_protocol_negotiation             CH, EE       N          Y
17           status_request_v2                                  -            N          Y
18           signed_certificate_timestamp                       CH, CR, CT   N          N
19           client_certificate_type                            CH, EE       N          Y
20           server_certificate_type                            CH, EE       N          Y
21           padding                                            CH           N          Y
22           encrypt_then_mac                                   -            N          Y
23           extended_master_secret                             -            N          Y
24           token_binding                                      -            N          Y
25           cached_info                                        -            N          Y
26           tls_lts                                            -            N          N
27           compress_certificate                               CH, CR       N          Y
28           record_size_limit                                  CH, EE       N          Y
29           pwd_protect                                        CH           N          N
30           pwd_clear                                          CH           N          N
31           password_salt                                      CH, SH, HRR  N          N
32           ticket_pinning                                     CH, EE       N          N
33           tls_cert_with_extern_psk                           CH, SH       N          N
34           delegated_credential                               CH, CR, CT   N          Y
35           session_ticket (renamed from "SessionTicket TLS")  -            N          Y
36           TLMSP                                              -            N          N            ETSI TS 103 523-2
37           TLMSP_proxying                                     -            N          N            ETSI TS 103 523-2
38           TLMSP_delegate                                     -            N          N            ETSI TS 103 523-2
39           supported_ekt_ciphers                              CH, EE       N          Y
40           Reserved                                                                                tls-reg-review mailing list
41           pre_shared_key                                     CH, SH       N          Y
42           early_data                                         CH, EE, NST  N          Y
43           supported_versions                                 CH, SH, HRR  N          Y
44           cookie                                             CH, HRR      N          Y
45           psk_key_exchange_modes                             CH           N          Y
46           Reserved                                                                                tls-reg-review mailing list
47           certificate_authorities                            CH, CR       N          Y
48           oid_filters                                        CR           N          Y
49           post_handshake_auth                                CH           N          Y
50           signature_algorithms_cert                          CH, CR       N          Y
51           key_share                                          CH, SH, HRR  N          Y
52           transparency_info                                  CH, CR, CT   N          Y
53           connection_id (deprecated)                         -            Y          N
54           connection_id                                      CH, SH       Y          N
55           external_id_hash                                   CH, EE       N          Y
56           external_session_id                                CH, EE       N          Y
57           quic_transport_parameters                          CH, EE       N          Y
58           ticket_request                                     CH, EE       N          Y
59           dnssec_chain                                       CH, CT       N          N
60           sequence_number_encryption_algorithms              CH, HRR, SH  Y          N
61           rrc                                                CH, SH       Y          N
62-2569      Unassigned
2570         Reserved                                           CH, CR, NST  N          N
2571-6681    Unassigned
6682         Reserved                                           CH, CR, NST  N          N
6683-10793   Unassigned
10794        Reserved                                           CH, CR, NST  N          N
10795-14905  Unassigned
14906        Reserved                                           CH, CR, NST  N          N
14907-19017  Unassigned
19018        Reserved                                           CH, CR, NST  N          N
19019-23129  Unassigned
23130        Reserved                                           CH, CR, NST  N          N
23131-27241  Unassigned
27242        Reserved                                           CH, CR, NST  N          N
27243-31353  Unassigned
31354        Reserved                                           CH, CR, NST  N          N
31355-35465  Unassigned
35466        Reserved                                           CH, CR, NST  N          N
35467-39577  Unassigned
39578        Reserved                                           CH, CR, NST  N          N
39579-43689  Unassigned
43690        Reserved                                           CH, CR, NST  N          N
43691-47801  Unassigned
47802        Reserved                                           CH, CR, NST  N          N
47803-51913  Unassigned
51914        Reserved                                           CH, CR, NST  N          N
51915-56025  Unassigned
56026        Reserved                                           CH, CR, NST  N          N
56027-60137  Unassigned
60138        Reserved                                           CH, CR, NST  N          N
60139-64249  Unassigned
64250        Reserved                                           CH, CR, NST  N          N
64251-64767  Unassigned
64768        ech_outer_extensions                               CH           N          N
64769-65036  Unassigned
65037        encrypted_client_hello                             CH, HRR, EE  N          N
65038-65279  Unassigned
65280        Reserved for Private Use
65281        renegotiation_info                                 -            N          Y
65282-65535  Reserved for Private Use
TLS Certificate Types
Transport Layer Security (TLS)
Registration Procedure(s): Specification Required
Expert(s): Yoav Nir, Rich Salz, Nick Sullivan

Registration requests should be sent to the mailing list described
in RFC 8447, Section 17. If approved, designated experts should
notify IANA within three weeks. For assistance, please contact
iana@iana.org.

The role of the designated expert is described in .
The designated expert ensures that the specification is
publicly available. It is sufficient to have an Internet-Draft
(that is posted and never published as an RFC) or a document from
another standards body, industry consortium, university site, etc.
The expert may provide more in-depth reviews, but their approval
should not be taken as an endorsement of the certificate type.

If an item is not marked as "Recommended", it does not
necessarily mean that it is flawed; rather, it indicates that
the item either has not been through the IETF consensus process,
has limited applicability, or is intended only for specific use
cases.
Value     Name                      Recommended  Comment
0         X509                      Y            Was X.509 before TLS 1.3.
1         OpenPGP_RESERVED          N            Used in TLS versions prior to 1.3.
2         Raw Public Key            Y
3         1609Dot2                  N
4-223     Unassigned
224-255   Reserved for Private Use
TLS Certificate Status Types
Registration Procedure(s): IETF Review
Value     Description           Comment
0         Reserved
1         ocsp
2         ocsp_multi_RESERVED   Used in TLS versions prior to 1.3.
3-255     Unassigned
TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs
Registration Procedure(s): Expert Review
Expert(s): Yoav Nir, Rich Salz, Nick Sullivan
Registration requests should be sent to the mailing list described
in RFC 8447, Section 17. If approved, designated experts should
notify IANA within three weeks. For assistance, please contact
iana@iana.org.
Reserved
0x0A 0x0A
Reserved
0x1A 0x1A
Reserved
0x2A 0x2A
Reserved
0x3A 0x3A
Reserved
0x4A 0x4A
Reserved
0x5A 0x5A
Reserved
0x6A 0x6A
Reserved
0x7A 0x7A
Reserved
0x8A 0x8A
Reserved
0x9A 0x9A
Reserved
0xAA 0xAA
Reserved
0xBA 0xBA
Reserved
0xCA 0xCA
Reserved
0xDA 0xDA
Reserved
0xEA 0xEA
Reserved
0xFA 0xFA
HTTP/0.9
0x68 0x74 0x74 0x70 0x2f 0x30 0x2e 0x39 ("http/0.9")
HTTP/1.0
0x68 0x74 0x74 0x70 0x2f 0x31 0x2e 0x30 ("http/1.0")
HTTP/1.1
0x68 0x74 0x74 0x70 0x2f 0x31 0x2e 0x31 ("http/1.1")
SPDY/1
0x73 0x70 0x64 0x79 0x2f 0x31 ("spdy/1")
SPDY/2
0x73 0x70 0x64 0x79 0x2f 0x32 ("spdy/2")
SPDY/3
0x73 0x70 0x64 0x79 0x2f 0x33 ("spdy/3")
Traversal Using Relays around NAT (TURN)
0x73 0x74 0x75 0x6E 0x2E 0x74 0x75 0x72 0x6E ("stun.turn")
NAT discovery using Session Traversal Utilities for NAT (STUN)
0x73 0x74 0x75 0x6E 0x2E 0x6e 0x61 0x74 0x2d 0x64 0x69 0x73 0x63 0x6f 0x76 0x65 0x72 0x79 ("stun.nat-discovery")
HTTP/2 over TLS
0x68 0x32 ("h2")
HTTP/2 over TCP
0x68 0x32 0x63 ("h2c")
WebRTC Media and Data
0x77 0x65 0x62 0x72 0x74 0x63 ("webrtc")
Confidential WebRTC Media and Data
0x63 0x2d 0x77 0x65 0x62 0x72 0x74 0x63 ("c-webrtc")
FTP
0x66 0x74 0x70 ("ftp")
IMAP
0x69 0x6d 0x61 0x70 ("imap")
POP3
0x70 0x6f 0x70 0x33 ("pop3")
ManageSieve
0x6d 0x61 0x6e 0x61 0x67 0x65 0x73 0x69 0x65 0x76 0x65 ("managesieve")
CoAP (over TLS)
0x63 0x6f 0x61 0x70 ("coap")
CoAP (over DTLS)
0x63 0x6f ("co")
XMPP jabber:client namespace
0x78 0x6d 0x70 0x70 0x2d 0x63 0x6c 0x69 0x65 0x6e 0x74 ("xmpp-client")
XMPP jabber:server namespace
0x78 0x6d 0x70 0x70 0x2d 0x73 0x65 0x72 0x76 0x65 0x72 ("xmpp-server")
acme-tls/1
0x61 0x63 0x6d 0x65 0x2d 0x74 0x6c 0x73 0x2f 0x31 ("acme-tls/1")
OASIS Message Queuing Telemetry Transport (MQTT)
0x6d 0x71 0x74 0x74 ("mqtt")
DNS-over-TLS
0x64 0x6F 0x74 ("dot")
Network Time Security Key Establishment, version 1
0x6E 0x74 0x73 0x6B 0x65 0x2F 0x31 ("ntske/1")
RFC8915, Section 4
SunRPC
0x73 0x75 0x6e 0x72 0x70 0x63 ("sunrpc")
HTTP/3
0x68 0x33 ("h3")
SMB2
0x73 0x6D 0x62 ("smb")
IRC
0x69 0x72 0x63 ("irc")
NNTP (reading)
0x6E 0x6E 0x74 0x70 ("nntp")
NNTP (transit)
0x6E 0x6E 0x73 0x70 ("nnsp")
DoQ
0x64 0x6F 0x71 ("doq")
SIP
0x73 0x69 0x70 0x2f 0x32 ("sip/2")
TDS/8.0
0x74 0x64 0x73 0x2f 0x38 0x2e 0x30 ("tds/8.0")
[MS-TDS]: Tabular Data Stream Protocol
DICOM
0x64 0x69 0x63 0x6f 0x6d ("dicom")
This entry reserves an identifier for use within a cleartext version
of a protocol and is not allowed to appear in a TLS ALPN negotiation.
Only appears in inner CH.
TLS CachedInformationType Values
Range     Registration Procedures
0-63      Standards Action
64-223    Specification Required
Expert(s): Yoav Nir, Rich Salz, Nick Sullivan
Requests for assignments from the registry's Specification
Required range should be sent to the mailing list described in
RFC 8447, Section 17. If approved, designated experts should
notify IANA within three weeks. For assistance, please contact
iana@iana.org.
Value     Description
0         Reserved
1         cert
2         cert_req
3-223     Unassigned
224-255   Reserved for Private Use
TLS Certificate Compression Algorithm IDs
Range        Registration Procedures
1-255        IETF Review
256-16383    Specification Required
16384-65535  Experimental Use
Expert(s): Yoav Nir, Rich Salz, Nick Sullivan
Requests for assignments from the registry's Specification
Required range should be sent to the mailing list described in
RFC 8447, Section 17. If approved, designated experts should
notify IANA within three weeks. For assistance, please contact
iana@iana.org.
Value        Description
0            Reserved
1            zlib
2            brotli
3            zstd
4-16383      Unassigned
16384-65535  Reserved for Experimental Use