1. Library
  2. Ssl and Tls
  3. Configuration

Choosing Cipher Suites

Updated 10 hours ago

Cipher suite selection is the part of TLS configuration where you decide what cryptography your server will actually use. Get it wrong, and your encrypted connections might as well be plaintext.

The good news: TLS 1.3 made this nearly impossible to mess up. The bad news: TLS 1.2 is still everywhere, and it has dozens of cipher suites—some secure, some dangerously broken.

TLS 1.3: The Easy Case

TLS 1.3 has only five cipher suites, and they're all good:

  • TLS_AES_256_GCM_SHA384
  • TLS_AES_128_GCM_SHA256
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_CCM_8_SHA256

Enable all of them. The hard decisions disappeared with TLS 1.2.

TLS 1.2: Where Choices Matter

TLS 1.2 cipher suites have four components, and each one can be secure or catastrophically broken:

Key Exchange: How the session key is established

  • ECDHE: Secure. Provides Perfect Forward Secrecy.
  • DHE: Secure if configured correctly (2048-bit minimum).
  • RSA: No forward secrecy. Compromise the private key, decrypt all past traffic.

Authentication: How the server proves its identity

  • ECDSA: Secure. Smaller, faster signatures.
  • RSA: Secure. More common certificates.

Encryption: How data is actually encrypted

  • AES-GCM: Secure. Fast with hardware acceleration.
  • ChaCha20-Poly1305: Secure. Fast without hardware acceleration.
  • AES-CBC: Problematic. Source of numerous vulnerabilities.
  • 3DES: Broken. Vulnerable to Sweet32 attack.
  • RC4: Completely broken. Never use.

Hash: Integrity verification

  • SHA-384, SHA-256: Secure.
  • SHA-1: Deprecated. Avoid.
  • MD5: Broken. Never use.

The Secure TLS 1.2 List

These cipher suites combine secure components:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256

That's it. Six cipher suites cover virtually all secure use cases. Everything uses ECDHE for forward secrecy and authenticated encryption (GCM or Poly1305).

Choose ECDSA variants if your certificate uses ECDSA. Choose RSA variants if your certificate uses RSA. Most sites use RSA certificates.

What to Disable

Explicitly disable these—they're not just old, they're dangerous:

CategoryWhy It's Broken
NULL encryptionNo encryption at all. The name is literal.
Anonymous DH (ADH)No authentication. Anyone can impersonate your server.
Export ciphersDeliberately weakened for 1990s US export laws. Trivially broken.
RC4Cryptographically shattered. Even RC4-128 is unsafe.
3DES64-bit blocks mean practical attacks after ~32GB of data.
MD5-basedHash collisions are cheap to compute.

Ordering: Put the Best First

Servers negotiate cipher suites in order of preference. Configure your server to:

  1. Use server preference rather than client preference
  2. Order by security and performance for your hardware

For servers with AES-NI (most modern x86):

1. ECDHE-ECDSA-AES256-GCM-SHA384
2. ECDHE-RSA-AES256-GCM-SHA384
3. ECDHE-ECDSA-AES128-GCM-SHA256
4. ECDHE-RSA-AES128-GCM-SHA256
5. ECDHE-ECDSA-CHACHA20-POLY1305
6. ECDHE-RSA-CHACHA20-POLY1305

For servers without AES hardware acceleration (some ARM, older systems):

1. ECDHE-ECDSA-CHACHA20-POLY1305
2. ECDHE-RSA-CHACHA20-POLY1305
3. ECDHE-ECDSA-AES256-GCM-SHA384
4. ECDHE-RSA-AES256-GCM-SHA384

ChaCha20 is implemented in software and runs fast everywhere. AES-GCM is only fast with hardware support.

Server Configuration

Nginx:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;

Apache:

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on

Mozilla's SSL Configuration Generator (ssl-config.mozilla.org) produces tested configurations for most web servers. Use the "Intermediate" profile for most sites.

Testing Your Configuration

SSL Labs (ssllabs.com/ssltest): Comprehensive analysis with a letter grade. Aim for A or A+.

OpenSSL command line:

openssl s_client -connect example.com:443 -tls1_2

Check which cipher suite was negotiated.

Browser DevTools: In the Security tab, verify connections use your preferred cipher suites.

Common Mistakes

Enabling weak ciphers "for compatibility": Clients old enough to need RC4 or 3DES are security liabilities. Supporting them endangers everyone else on your server. Modern browsers have supported strong cipher suites for over a decade.

Using old configurations: A configuration from 2015 might enable ciphers now considered broken. Review annually.

Ignoring server preference: If clients choose cipher suites, they might choose poorly. Your server should decide.

Enabling everything: More cipher suites means more attack surface. Six secure options is plenty.

Frequently Asked Questions About Cipher Suites

Was this page helpful?

😔
🤨
😃