Welcome to the repository of documented cipher suite configurations. Understanding cipher suites is crucial for secure communication over networks. A cipher suite is a set of algorithms that the Transport Layer Security (TLS) protocol uses to establish a secure connection. This page details common and recommended configurations.
TLS 1.2 Recommended Suites
For modern applications still relying on TLS 1.2, these suites offer a good balance of security and compatibility. They generally prioritize robust key exchange mechanisms and strong encryption algorithms.
| Cipher Suite Name | Key Exchange | Encryption | Authentication | Notes |
|---|---|---|---|---|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
ECDHE (Ephemeral Diffie-Hellman over Elliptic Curves) | AES-256-GCM | RSA | High security, Perfect Forward Secrecy (PFS) |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
ECDHE | AES-256-GCM | ECDSA | Similar to above, using ECDSA for authentication |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
DHE (Ephemeral Diffie-Hellman) | AES-256-GCM | RSA | Robust, but can be computationally intensive for key exchange |
TLS 1.3 Focus
TLS 1.3 significantly simplifies cipher suites by removing many legacy options and improving security and performance. In TLS 1.3, the client and server negotiate using a pre-defined set of mandatory cipher suites.
The following are the mandatory cipher suites in TLS 1.3, defined by RFC 8446:
| Cipher Suite Name | Key Exchange | Encryption | Integrity |
|---|---|---|---|
TLS_AES_256_GCM_SHA384 |
(Implicit in TLS 1.3 handshake) | AES-256-GCM | AES-GCM |
TLS_CHACHA20_POLY1305_SHA256 |
(Implicit in TLS 1.3 handshake) | ChaCha20-Poly1305 | ChaCha20-Poly1305 |
TLS_AES_128_GCM_SHA256 |
(Implicit in TLS 1.3 handshake) | AES-128-GCM | AES-GCM |
TLS 1.3 offers better performance due to its 0-RTT or 1-RTT handshake, and enhanced security by removing obsolete options.
Configuration Management
When configuring your servers (e.g., web servers, mail servers), you typically define a preference order for cipher suites. Modern best practice involves enabling strong TLS 1.3 suites first, followed by a curated list of secure TLS 1.2 suites.
Consider using tools like Mozilla's SSL Configuration Generator for server-specific recommendations.
For more details on network protocols, you might find information on HTTP Headers interesting.