
TLS Cipher Suites

Understanding cipher suites and how to configure them for optimal security. GCM, ECDHE, and Nginx/Apache configuration.

Cipher suites determine how a TLS connection is keyed, authenticated and encrypted. Choosing the right cipher suites is essential for both security and performance.


What Are Cipher Suites?


A cipher suite specifies:

  • Key exchange algorithm
  • Authentication algorithm
  • Encryption algorithm
  • Message authentication code (MAC)

Recommended Cipher Suites

**TLS 1.3**: Only secure cipher suites are available, so no filtering is needed.

**TLS 1.2**: Prioritize:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384

Avoid These Ciphers

  • RC4 (vulnerable)
  • DES, 3DES (weak)
  • MD5, SHA1 (deprecated)
  • Anonymous ciphers
  • Export-grade ciphers

Configuration Examples

Nginx

    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

Apache

    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on
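To check a cipher string before deploying it, here is an added example (not from this page, nginx or Apache) that expands the exact `ssl_ciphers` / `SSLCipherSuite` value through Python's `ssl` module, which links the local OpenSSL, and flags every enabled suite that breaks the rules above. It also encodes one caveat: with OpenSSL this string governs only TLS 1.2 and earlier, while the TLS 1.3 suites are fixed by the protocol and configured separately.

```python
"""Audit an OpenSSL cipher string, i.e. the exact value given to nginx
`ssl_ciphers` or Apache `SSLCipherSuite`, against the rules on this page.
Added example; it relies on the OpenSSL build behind Python's ssl module."""
import ssl

# Primitives the page says to avoid, as they appear in OpenSSL suite names.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")

# The page's recommended TLS 1.2 list, identical to the nginx value above.
RECOMMENDED = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
               "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384")


def expand_cipher_string(cipher_string):
    """Expand the string into the TLS 1.2-and-earlier suites OpenSSL would
    enable, in priority order (the order ssl_prefer_server_ciphers enforces).
    TLS 1.3 suites are not governed by this string, so they are filtered out.
    Raises ssl.SSLError if the string matches no cipher at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string):
    """Return (suite_name, problem) pairs for every enabled suite that breaks
    one of the page's rules; an empty list means the string is clean."""
    findings = []
    for suite in expand_cipher_string(cipher_string):
        name = suite["name"]
        if suite["kea"] != "kx-ecdhe":
            findings.append((name, "key exchange is not ECDHE (no forward secrecy)"))
        if suite["auth"] not in ("auth-rsa", "auth-ecdsa"):
            findings.append((name, "anonymous or unexpected authentication"))
        if not suite["aead"]:
            findings.append((name, "not an AEAD (GCM) mode"))
        if suite["digest"] == "sha1":
            findings.append((name, "SHA1 MAC"))
        weak = [m for m in WEAK_MARKERS if m in name.upper()]
        if weak:
            findings.append((name, "weak primitive: " + ",".join(weak)))
    return findings


if __name__ == "__main__":
    print("recommended list:", audit_cipher_string(RECOMMENDED) or "clean")
    # Constructed bad list: RSA key transport plus a CBC/SHA1 suite in front.
    bad = "AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:" + RECOMMENDED
    for finding in audit_cipher_string(bad):
        print(*finding, sep=": ")
```

Because the list comes back in the order OpenSSL would actually negotiate, the first entry is also the suite a server with `ssl_prefer_server_ciphers on` will pick for a client that supports everything.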

Key Points

  • Cipher suites define encryption methods
  • TLS 1.3 only includes secure ciphers
  • Prioritize GCM cipher modes
  • Use ECDHE for key exchange
  • Test cipher configuration regularly

Best Practices

  • Use modern cipher suites only
  • Prioritize server cipher preferences
  • Test with SSL Labs
  • Monitor cipher usage
  • Document cipher configuration

Common Issues

  • Weak cipher suites enabled
  • Not prioritizing server preferences
  • Missing cipher configuration
  • Incompatible client support
  • Poor performance from badly chosen ciphers
