A Guide to FIPS-Approved TLS 1.2 Cipher Suites | SafeLogic

Written by Aryeh Archer | Apr 14, 2026 10:50:56 PM

Navigating the FIPS-approved algorithms for a specific TLS use case can be complex. In this two-part blog series, I’ll outline how TLS cipher suites align with current FIPS-approved algorithms and how evolving approvals impact those mappings. The first blog post in this series focuses on defining approved algorithms and TLS 1.2, while the second addresses FIPS-approved algorithms for TLS 1.3.

Background: Identifying FIPS-Approved Algorithms

A common question from our customers is which TLS cipher suites they can use while using only FIPS-approved algorithms.

This question is especially complicated due to the dynamic nature of FIPS-approved algorithms. There is not a single set of approved algorithms for FIPS 140-3 (or FIPS 140-2). Instead, new approved algorithms are added to the FIPS 140 standards over time, while older approved algorithms are transitioned out. Therefore, newer validations can include algorithms that were not an option for older validations. Likewise, recent algorithm transitions have “grandfathered in” validations with algorithms that are no longer acceptable in newer FIPS validations.

Keep in mind that FIPS certificates have a 5-year lifetime; after 5 years, they will sunset if they have not been updated to meet the latest FIPS standard. Additionally, validated modules meet the guidance in effect at the time they were submitted to the CMVP, not the guidance in effect at the time of their publication. All of this means that there can be significant differences between which algorithms are classified as approved across different active FIPS validations.

For simplicity, this blog post lists only algorithms that are currently FIPS-approved (as of April 1, 2026) and applicable to TLS 1.2 cipher suites. It does not list algorithms that are no longer approved for new FIPS validations. However, if you’re using an older FIPS 140-2 or FIPS 140-3 module with a validation that is still “active” and not “sunset,” then any approved algorithm from that module remains FIPS approved.

Approved Algorithms in TLS 1.2 Cipher Suites

The table below lists the current FIPS 140-3-approved algorithms for each component of the TLS 1.2 cipher suites. The “TLS 1.2 Algorithms” column only lists the TLS 1.2 algorithms for which corresponding FIPS 140-3 approved algorithms exist.

Cipher Suite Component	TLS 1.2 Algorithms	FIPS 140-3 Approved Algorithms
Key Exchange Algorithm	ECDHE, ECDH Secp curves	SP 800-56Ar3 conformant KAS-ECC-SSC FIPS 186-5 P-curves
Key Exchange Algorithm	DHE, DH Ad hoc primes Safe primes	SP 800-56Ar3 conformant KAS-FFC-SSC FIPS 186-4 type primes Safe primes per SP 800-56Ar3 Appendix D
Signing Algorithm	ECDSA Secp curves	FIPS 186-5 conformant ECDSA FIPS 186-5 P-curves
Signing Algorithm	RSA PKCS#1 v1.5	FIPS 186-5 conformant RSA PKCS 1.5
Encryption Algorithm	AES_128_GCM AES_256_GCM AES_128_CCM AES_256_CCM AES_128_CCM_8 AES_128_CBC AES_256_CBC	AES-GCM (128 bits) AES-GCM (256 bits) AES-CCM (128 bits) AES-CCM (256 bits) AES-CCM (128, 8-byte tag) AES-CBC (128 bits)* AES-CBC (256 bits)***
Hash Algorithm (for PRF/KDF)	SHA256 SHA384	SHA-256, SHA-384 with TLS v1.2 KDF using the extended master secret per RFC 7627 (not RFC 5246)

*Signing algorithms should use hashes with the same security strength.

**AES-CCM with an 8-byte tag can be used, but is weaker.

***AES-CBC does not provide authentication. It must be used with HMAC-SHA-256 or HMAC-SHA-384 for authentication.

TLS 1.2 Cipher Suites with only Approved Algorithms

The approved algorithms listed above can be used in various cipher suites. Below is a list of cipher suites that only use FIPS-approved algorithms. This list is based on NIST SP 800-52r2 section 3.3.1.1, with updates to reflect currently approved algorithms. (Note that although NIST SP 800-52r2 was published before FIPS 140-3, its recommendations can be applied to both FIPS 140-2 and FIPS 140-3 modules after accounting for which algorithms were approved at the time of the module submission to the CMVP.)

For choosing the cipher suites with the strongest security, NIST SP 800-52r2 also provides the following recommendations. The cipher suites below are ordered according to these NIST recommendations.

Prefer ephemeral keys over static keys, as static keys do not provide forward secrecy
Prefer GCM or CCM modes over CBC mode, as CBC modes require a separate HMAC for authentication and do not provide integrated authenticated encryption
Prefer CCM over CCM_8, as CCM_8 has a reduced tag strength

NIST preferred cipher suites (which meet all the criteria above) are listed below in bold.

Ephemeral Key Cipher Suites

TLS 1.2 Cipher Suites for ECDHE with ECDSA

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC0, 0x2B)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC0, 0x2C)
TLS_ECDHE_ECDSA_WITH_AES_128_CCM (0xC0, 0xAC)
TLS_ECDHE_ECDSA_WITH_AES_256_CCM (0xC0, 0xAD)
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (0xC0, 0xAE)
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (0xC0, 0xAF)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xC0, 0x23)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xC0, 0x24)

TLS 1.2 Cipher Suites for ECDHE with RSA

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC0, 0x2F)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC0, 0x30)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC0, 0x27)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC0, 0x28)

TLS 1.2 Cipher Suites for DHE with RSA

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x00, 0x9E)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x00, 0x9F)
TLS_DHE_RSA_WITH_AES_128_CCM (0xC0, 0x9E)
TLS_DHE_RSA_WITH_AES_256_CCM (0xC0, 0x9F)
TLS_DHE_RSA_WITH_AES_128_CCM_8 (0xC0, 0xA2)
TLS_DHE_RSA_WITH_AES_256_CCM_8 (0xC0, 0xA3)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x00, 0x67)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x00, 0x6B)

Static Key Cipher Suites

TLS 1.2 Cipher Suites for ECDH with ECDSA

TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xC0, 0x2D)
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xC0, 0x2E)
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xC0, 0x25)
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xC0, 0x26)

TLS 1.2 Cipher Suites for ECDH with RSA

TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xC0, 0x31)
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xC0, 0x32)
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xC0, 0x29)
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xC0, 0x2A)

TLS 1.2 Cipher Suites for DH with RSA

TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00, 0xA0)
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00, 0xA1)
TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x00, 0x3F)
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x00, 0x69)

Conclusion

Implementing TLS in a FIPS context is less about memorizing cipher suite names and more about understanding how each component maps to currently approved algorithms, and how that mapping can shift over time. I hope this blog makes that relationship explicit and gives you a clear baseline for what “FIPS-approved” means as of today for TLS 1.2 algorithms.

In my next post, I’ll apply the same approach to TLS 1.3 and walk through how to determine which TLS 1.3 cipher suites meet today’s FIPS-approved algorithm requirements.

SafeLogic CryptoComply validated that FIPS modules already implement the approved algorithms listed above, making it straightforward to deploy TLS 1.2 configurations that meet these requirements without having to track these moving pieces yourself.

If you’re relying on a FIPS 140-2 module, be aware that on September 21, 2026, the CMVP will move all remaining active FIPS 140-2 certificates to the historical status. After this transition, FIPS 140-2 certificates will no longer be acceptable for most federal use cases. Our RapidCert validations provide a path to FIPS 140-3 compliance, supporting the approved TLS algorithms discussed above and enabling certification in your company’s name within 3 months across a wide range of platforms (including Linux, UNIX, Windows, macOS, Android, and iOS).

View full post