Picking strong TLS cipher suites
A TLS cipher suite bundles the algorithms used for a connection: the key-exchange method, the certificate authentication type, the bulk encryption cipher and the hash. This reference lists the common suites for TLS 1.3 and TLS 1.2 with their full IANA names, a forward-secrecy flag and a security rating so you can build a hardened server configuration.
How it works
In TLS 1.3 the cipher suite only names the AEAD cipher and hash — key exchange is always ephemeral and negotiated separately, so every 1.3 suite has forward secrecy. In TLS 1.2 the full suite name encodes all four parts:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
│ │ │ │
│ │ │ └─ hash (PRF / HMAC)
│ │ └───────────── bulk cipher + mode
│ └────────────────────── certificate auth (RSA / ECDSA)
└──────────────────────────── key exchange (ECDHE / DHE / RSA)
The server offers an ordered list; with server-cipher-order enabled it picks the
first suite both peers support. Rank AEAD suites (GCM, ChaCha20-Poly1305) with
ephemeral key exchange (ECDHE, DHE) first, and disable static-RSA, CBC-SHA1,
RC4 and 3DES suites entirely.
TLS 1.3 suite summary
TLS 1.3 defines exactly five cipher suites, all AEAD, all forward-secret. The three recommended suites are:
| IANA name | Cipher | Hash |
|---|---|---|
| TLS_AES_256_GCM_SHA384 | AES-256-GCM | SHA-384 |
| TLS_AES_128_GCM_SHA256 | AES-128-GCM | SHA-256 |
| TLS_CHACHA20_POLY1305_SHA256 | ChaCha20-Poly1305 | SHA-256 |
The remaining two (TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256) are for constrained IoT environments and should not be offered on general-purpose web servers.
Why certain TLS 1.2 suites are weak
| Suite type | Problem |
|---|---|
TLS_RSA_WITH_* (static RSA key exchange) | No forward secrecy — a stolen server key decrypts all past traffic |
*_WITH_RC4_* | RC4 has biased keystream; prohibited by RFC 7465 |
*_3DES_* | Vulnerable to Sweet32 birthday attack; ~64-bit block cipher |
*_WITH_AES_*_CBC_SHA | Padding oracle attacks (BEAST, Lucky13); deprecated in major browsers |
*_SHA without 256/384 | Uses SHA-1 for HMAC; weakened but not fully broken |
Any TLS 1.2 suite not using ECDHE (or DHE) for key exchange, and not using an AEAD cipher (GCM or ChaCha20), should be considered for removal from a production server configuration.
Practical configuration tips
- TLS 1.3 has only five suites and needs no manual ordering for most servers.
- For TLS 1.2, require
ECDHEso every session has forward secrecy. - Match Mozilla’s “Intermediate” or “Modern” SSL configuration as a baseline — the Mozilla SSL Config Generator produces ready-made nginx, Apache, and HAProxy configs.
- Verify a live endpoint with
testssl.shor the SSL Labs server test to confirm negotiated suites match your intent. - Disable
SSLv3,TLSv1.0, andTLSv1.1entirely on any server that does not need to support very old clients.