TLS Cipher Suites Reference
Decode cipher suite names, see which are secure and which are deprecated. Modern recommendations.
What a cipher suite tells you
A TLS cipher suite is a list of cryptographic algorithms used together. A typical TLS 1.2 cipher suite name looks like:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Decoded:
- ECDHE: key exchange (Elliptic Curve Diffie-Hellman Ephemeral). Forward secrecy.
- RSA: authentication (server's cert uses RSA)
- AES_256_GCM: symmetric cipher (256-bit AES, authenticated encryption)
- SHA384: hash for HMAC and key derivation
TLS 1.3 simplifies this dramatically: the suite names only the AEAD cipher and the hash, since key exchange and authentication are negotiated separately:
TLS_AES_256_GCM_SHA384
Recommended modern cipher suites
| Cipher Suite | TLS | Why |
|---|---|---|
| TLS_AES_128_GCM_SHA256 | 1.3 | Mozilla "Modern" baseline. Fast on AES-NI hardware. |
| TLS_AES_256_GCM_SHA384 | 1.3 | Stronger margin. Default for many TLS 1.3 servers. |
| TLS_CHACHA20_POLY1305_SHA256 | 1.3 | Best for mobile / CPU without AES-NI. |
| ECDHE-ECDSA-AES128-GCM-SHA256 | 1.2 | ECDSA cert: smaller, faster handshake. |
| ECDHE-RSA-AES256-GCM-SHA384 | 1.2 | Most common in production with RSA certs. |
| ECDHE-RSA-CHACHA20-POLY1305 | 1.2 | ChaCha20 alternative for mobile. |
Avoid (deprecated or broken)
| Cipher | Problem |
|---|---|
| Anything with RC4 | Broken: biased keystream. Deprecated 2015. |
| Anything with DES or 3DES | Sweet32 attack practical. |
| Anything with EXPORT_ | Intentionally weakened. FREAK attack. |
| Anything with NULL_ | No encryption at all. |
| Anything with anon_ | No authentication. Vulnerable to MITM. |
| Anything with MD5 | Broken hash. |
| Static RSA key exchange (no DHE/ECDHE) | No forward secrecy. |
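The decoding shown under "What a cipher suite tells you" and the checks in the "Avoid" table can be combined into a small audit helper. This is an added example, not code from the original page; the function names `decode` and `findings` and the sample suite list are assumptions, and it handles only IANA-style names (`TLS_..._WITH_...`), not the OpenSSL-style names used in the recommendations table.

```python
import re

# Name patterns and reasons taken from the page's "Avoid" table.
AVOID = [
    (r"RC4", "RC4: broken, biased keystream"),
    (r"3?DES", "DES/3DES: Sweet32 attack practical"),
    (r"EXPORT", "EXPORT: intentionally weakened (FREAK)"),
    (r"NULL", "NULL: no encryption at all"),
    (r"anon", "anon: no authentication, vulnerable to MITM"),
    (r"MD5", "MD5: broken hash"),
]

def decode(name):
    """Split an IANA-style suite name into kx / auth / cipher / hash."""
    if not name.startswith("TLS_"):
        raise ValueError("expected an IANA-style name starting with TLS_")
    body = name[4:]
    if "_WITH_" in body:
        left, right = body.split("_WITH_", 1)
        # EXPORT is a strength marker, not a key-exchange or auth algorithm.
        algs = [t for t in left.split("_") if t != "EXPORT"]
        kx, auth = algs[0], algs[-1]   # "RSA" alone is both kx and auth
    else:
        # TLS 1.3 form: key exchange and auth are negotiated separately.
        kx, auth, right = None, None, body
    cipher, _, digest = right.rpartition("_")
    if not digest.startswith(("SHA", "MD5")):
        cipher, digest = right, None   # e.g. CCM suites name no hash
    return {"kx": kx, "auth": auth, "cipher": cipher, "hash": digest}

def findings(name):
    """Return the 'Avoid' reasons from the page that apply to this suite."""
    hits = [why for pat, why in AVOID if re.search(pat, name)]
    if decode(name)["kx"] == "RSA":
        hits.append("static RSA key exchange: no forward secrecy")
    return hits

if __name__ == "__main__":
    # Constructed sample list mixing modern and legacy IANA names.
    for s in ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
              "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DH_anon_WITH_RC4_128_MD5"]:
        print(s, decode(s), findings(s) or "ok")
```

An empty list from `findings` means only that none of the table's patterns matched; it does not replace checking the suite against a maintained baseline.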
Components, in detail
Key exchange
| Algo | Status | Notes |
|---|---|---|
| ECDHE | Preferred | Elliptic-curve DH, ephemeral. Forward secrecy. |
| DHE | OK (slower) | Classical DH, ephemeral. Forward secrecy. |
| RSA | Avoid | Static key exchange. No forward secrecy. |
| PSK | Niche | Pre-shared key. Used in IoT, TLS 1.3 session resumption. |
Symmetric encryption
| Cipher | Status | Notes |
|---|---|---|
| AES-GCM (128 or 256) | Preferred | AEAD, hardware-accelerated. |
| ChaCha20-Poly1305 | Preferred | AEAD, fast without AES-NI (mobile). |
| AES-CBC | OK in TLS 1.2+ only | Padding oracle risk if not done carefully. |
| 3DES | Broken | Sweet32. 112-bit effective. |
| RC4 | Broken | Forbidden in modern TLS. |
Rule of thumb
If you're configuring TLS today, copy Mozilla's Intermediate config from wiki.mozilla.org/Security/Server_Side_TLS. Works for ~99% of clients, supports modern ciphers, audited. Don't roll your own list.
