TLS Cipher Suite Reference

Browse TLS 1.2 and 1.3 cipher suites with security rating and key exchange.

Searchable TLS cipher suite reference mapping each IANA name to its OpenSSL name, key exchange, authentication, cipher and MAC, with a security rating reflecting modern Mozilla and NIST guidance. Bundled offline. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Why do TLS 1.3 cipher suite names look different?

TLS 1.3 decoupled key exchange and authentication from the cipher suite, so a name like TLS_AES_256_GCM_SHA384 only names the AEAD cipher and hash. Key exchange is always ephemeral (forward-secret) and the certificate's key type provides authentication.

A TLS cipher suite is the bundle of algorithms a client and server agree on for a connection: how they exchange keys, how they authenticate, which symmetric cipher protects the data and how integrity is checked. Picking strong suites — and disabling broken ones — is one of the highest-leverage steps in securing HTTPS. This reference maps each IANA suite to its OpenSSL name and rates it against modern guidance.

Why IANA names and OpenSSL names differ

The IANA registry is the authoritative source of truth, and its names follow a systematic TLS_<KeyExchange>_<Auth>_WITH_<Cipher>_<Hash> pattern. OpenSSL uses its own shorter naming scheme that predates the IANA format. The same cipher suite appears as two different strings depending on context: IANA names appear in RFC documents and protocol analyzers like Wireshark; OpenSSL names appear in server config files. This reference shows both so you can map between them without guesswork.

For example:

  • IANA: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • OpenSSL: ECDHE-RSA-AES256-GCM-SHA384

How it works

In TLS 1.2 a suite name spells out all four parts, for example TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: ECDHE key exchange, RSA authentication, AES-256-GCM cipher, SHA384 for the PRF. TLS 1.3 simplified this — suites such as TLS_AES_128_GCM_SHA256 name only the AEAD cipher and hash, because key exchange is always ephemeral and authentication comes from the certificate.

The rating column follows current best practice: AEAD ciphers (GCM, ChaCha20-Poly1305) with forward secrecy (ECDHE/DHE) are recommended; CBC and static-RSA suites are weak; and 3DES, RC4 and NULL are insecure and should be removed.

A solid configuration supports TLS 1.3 and a limited subset of TLS 1.2:

TLS 1.3: TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256,
         TLS_CHACHA20_POLY1305_SHA256
TLS 1.2: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384,
         ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256

This set maintains compatibility with nearly all modern clients while dropping every weak and insecure suite.

What to remove and why

Pattern to removeReason
RC4Biased keystream; practically attackable; prohibited by RFC 7465
3DES / DES-CBC3Sweet32 birthday attack on connections with large data volumes
NULLNo encryption — data is sent in plaintext
Anonymous (aNULL)No server authentication — trivial man-in-the-middle
Static RSA (kRSA)No forward secrecy; server key compromise decrypts old sessions
Bare AES-CBC suitesPadding-oracle vulnerability (POODLE, BEAST, Lucky13)

Use the protocol filter in this reference to confirm a suite is valid for the TLS version you are configuring — TLS 1.3 will never negotiate a TLS 1.2 CBC suite regardless of what your config says.

AES-GCM vs ChaCha20-Poly1305

Both are modern AEAD ciphers and both receive a “secure” rating. The practical difference is hardware: AES-GCM is fastest on CPUs with AES-NI instructions (virtually all server hardware and recent laptops). ChaCha20-Poly1305 is faster and constant-time on hardware without AES-NI, such as lower-end mobile devices. Offering both lets TLS negotiate the best fit per client.