
TLS Cipher Suites

Understanding cipher suites and how to configure them for optimal security.


Cipher suites determine how data is encrypted in TLS connections. Choosing the right cipher suites is essential for security and performance.


What Are Cipher Suites?


A cipher suite specifies:

  • Key exchange algorithm
  • Authentication algorithm
  • Encryption algorithm
  • Message authentication code (MAC)

Recommended Cipher Suites


    **TLS 1.3**: Only secure cipher suites are available

    **TLS 1.2**: Prioritize:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384

Avoid These Ciphers


  • RC4 (vulnerable)
  • DES, 3DES (weak)
  • MD5, SHA1 (deprecated)
  • Anonymous ciphers
  • Export-grade ciphers

Configuration Examples


    Nginx

    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';

    ssl_prefer_server_ciphers on;


    Apache

    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

    SSLHonorCipherOrder on
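
    A way to check a configured cipher string against the avoid list above. This is an added example, not part of the original page; the sample config, function names and the mapping of OpenSSL name parts to the page's categories are assumptions made for illustration.

```python
import re

# Avoid list from this page, keyed by dash-separated parts of OpenSSL-style names.
WEAK_PARTS = {
    "RC4": "RC4 (vulnerable)",
    "DES": "DES/3DES (weak)", "3DES": "DES/3DES (weak)", "CBC3": "DES/3DES (weak)",
    "MD5": "MD5 (deprecated)",
    "SHA": "SHA1 (deprecated)", "SHA1": "SHA1 (deprecated)",  # bare SHA means HMAC-SHA1
    "ADH": "anonymous cipher", "AECDH": "anonymous cipher", "ANULL": "anonymous cipher",
}
DIRECTIVE = re.compile(r"^\s*(ssl_ciphers|SSLCipherSuite)\s+(.+?);?\s*$", re.I | re.M)

# Constructed sample (assumption, not from the page): one nginx and one Apache line.
SAMPLE = """\
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DES-CBC3-SHA:!RC4:!aNULL';
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:RC4-MD5:EXP-RC4-MD5:ADH-AES128-SHA
"""


def audit_cipher_string(value):
    """Return {token: sorted findings} for enabled tokens that hit the avoid list."""
    findings = {}
    for token in re.split(r"[:,\s]+", value.strip().strip("'\"")):
        # '!' and '-' remove ciphers and '@' is a command (e.g. @STRENGTH),
        # so those tokens enable nothing and are skipped.
        if not token or token[0] in "!-@":
            continue
        hits = set()
        # A leading '+' only reorders; the ciphers stay enabled, so audit them.
        for part in re.split(r"[-+]", token.lstrip("+").upper()):
            if part.startswith("EXP"):
                hits.add("export-grade cipher")
            elif part in WEAK_PARTS:
                hits.add(WEAK_PARTS[part])
        if hits:
            findings[token] = sorted(hits)
    return findings


def audit_config(text):
    """Audit every nginx ssl_ciphers / Apache SSLCipherSuite line in a config."""
    return [(m.group(1), audit_cipher_string(m.group(2))) for m in DIRECTIVE.finditer(text)]


if __name__ == "__main__":
    for directive, findings in audit_config(SAMPLE):
        for token, reasons in findings.items():
            print(f"{directive}: {token}: {', '.join(reasons)}")
```

    Keyword aliases such as HIGH or DEFAULT are not expanded by this check; `openssl ciphers -v '<string>'` lists the suites a string actually enables.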

    Key Points

    • Cipher suites define encryption methods
    • TLS 1.3 only includes secure ciphers
    • Prioritize GCM cipher modes
    • Use ECDHE for key exchange
    • Test cipher configuration regularly

    Best Practices

    • Use modern cipher suites only
    • Prioritize server cipher preferences
    • Test with SSL Labs
    • Monitor cipher usage
    • Document cipher configuration

    Common Issues

    • Weak cipher suites enabled
    • Not prioritizing server preferences
    • Missing cipher configuration
    • Incompatible client support
    • Performance issues from weak ciphers
