TLS Cipher Suite Reference

TLS 1.2 and 1.3 cipher suites with security rating.

Reference of TLS 1.3 and TLS 1.2 cipher suites with full IANA name, key exchange, authentication, bulk cipher, hash, forward-secrecy flag and a security rating, plus a live filter. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

How many cipher suites does TLS 1.3 define?

Five: TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256. All use AEAD ciphers and always provide forward secrecy because the key exchange is always ephemeral.

Picking strong TLS cipher suites

A TLS cipher suite bundles the algorithms used for a connection: the key-exchange method, the certificate authentication type, the bulk encryption cipher and the hash. This reference lists the common suites for TLS 1.3 and TLS 1.2 with their full IANA names, a forward-secrecy flag and a security rating so you can build a hardened server configuration.

How it works

In TLS 1.3 the cipher suite only names the AEAD cipher and hash — key exchange is always ephemeral and negotiated separately, so every 1.3 suite has forward secrecy. In TLS 1.2 the full suite name encodes all four parts:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     │     │        │           │
     │     │        │           └─ hash (PRF / HMAC)
     │     │        └───────────── bulk cipher + mode
     │     └────────────────────── certificate auth (RSA / ECDSA)
     └──────────────────────────── key exchange (ECDHE / DHE / RSA)

The server offers an ordered list; with server-cipher-order enabled it picks the first suite both peers support. Rank AEAD suites (GCM, ChaCha20-Poly1305) with ephemeral key exchange (ECDHE, DHE) first, and disable static-RSA, CBC-SHA1, RC4 and 3DES suites entirely.

TLS 1.3 suite summary

TLS 1.3 defines exactly five cipher suites, all AEAD, all forward-secret. The three recommended suites are:

IANA nameCipherHash
TLS_AES_256_GCM_SHA384AES-256-GCMSHA-384
TLS_AES_128_GCM_SHA256AES-128-GCMSHA-256
TLS_CHACHA20_POLY1305_SHA256ChaCha20-Poly1305SHA-256

The remaining two (TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256) are for constrained IoT environments and should not be offered on general-purpose web servers.

Why certain TLS 1.2 suites are weak

Suite typeProblem
TLS_RSA_WITH_* (static RSA key exchange)No forward secrecy — a stolen server key decrypts all past traffic
*_WITH_RC4_*RC4 has biased keystream; prohibited by RFC 7465
*_3DES_*Vulnerable to Sweet32 birthday attack; ~64-bit block cipher
*_WITH_AES_*_CBC_SHAPadding oracle attacks (BEAST, Lucky13); deprecated in major browsers
*_SHA without 256/384Uses SHA-1 for HMAC; weakened but not fully broken

Any TLS 1.2 suite not using ECDHE (or DHE) for key exchange, and not using an AEAD cipher (GCM or ChaCha20), should be considered for removal from a production server configuration.

Practical configuration tips

  • TLS 1.3 has only five suites and needs no manual ordering for most servers.
  • For TLS 1.2, require ECDHE so every session has forward secrecy.
  • Match Mozilla’s “Intermediate” or “Modern” SSL configuration as a baseline — the Mozilla SSL Config Generator produces ready-made nginx, Apache, and HAProxy configs.
  • Verify a live endpoint with testssl.sh or the SSL Labs server test to confirm negotiated suites match your intent.
  • Disable SSLv3, TLSv1.0, and TLSv1.1 entirely on any server that does not need to support very old clients.