Cipher Suites & Protocol Versions

Chapter 8
Cipher Suites & Protocol Versions
Decoding the strings, and deciding what to enable or disable

A cipher suite is the specific combination of algorithms a TLS connection agrees to use. The intimidating strings you see in openssl output or an SSL Labs report are just those algorithm choices spelled out. Once you can read them, configuring a server's security becomes a matter of knowing which to allow — this chapter teaches both.

Anatomy of a TLS 1.2 Cipher Suite

A 1.2 suite name bundles four decisions, read left to right:

ECDHE-RSA-AES128_GCM-SHA256
Key exchange
ECDHE — how the shared secret is agreed. The E = ephemeral → forward secrecy (Ch. 3).
Authentication
RSA — the algorithm of the certificate's key, used to sign and prove identity (Ch. 4).
Bulk cipher
AES128-GCM — the symmetric AEAD cipher encrypting the actual data (Ch. 2).
Hash / PRF
SHA256 — the hash used for key derivation and the handshake MAC.

So ECDHE-RSA-AES128-GCM-SHA256 reads as: "agree the key with ephemeral elliptic-curve Diffie–Hellman, authenticate the server with its RSA certificate, encrypt data with 128-bit AES in GCM mode, and use SHA-256 for hashing." Every piece is a concept from earlier chapters, now named in one line.

Read the first two segments to judge security at a glance
The two things to check first are the key exchange and the cipher mode. Want forward secrecy? The key exchange must be ECDHE or DHE (has the ephemeral "E") — a suite starting with plain RSA (RSA key transport) or AES…-CBC instead of GCM is a red flag. If you see ECDHE at the front and GCM (or CHACHA20-POLY1305) for the cipher, it's a modern, safe suite.

TLS 1.3 Suites Are Shorter — On Purpose

As Chapter 7 introduced, TLS 1.3 negotiates key exchange and authentication separately, so a 1.3 cipher suite names only the bulk AEAD cipher + hash:

# the entire list of TLS 1.3 cipher suites — just five TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256

There's no weak choice to make — key exchange is always ephemeral (EC)DHE and the cipher is always AEAD, so those decisions aren't even in the string. This is why the giant menu of TLS 1.2 suites (hundreds, many insecure) shrinks to five solid options in 1.3. In practice the top three are what you'll see; ChaCha20-Poly1305 is preferred on devices without AES hardware acceleration (most phones) because it's fast in pure software.

AES-GCM vs ChaCha20-Poly1305

Both are modern AEAD ciphers (confidentiality + integrity in one, Chapter 2) and both are secure. The choice is about performance, not safety:

CipherBest whenNotes
AES-GCMCPU has AES hardware (AES-NI) — most desktops/serversextremely fast with hardware acceleration
ChaCha20-Poly1305no AES hardware — many mobile/low-power devicesfast and constant-time in pure software

Protocol Versions: What to Enable and Disable

Separate from cipher suites is the protocol version. The guidance today is simple and worth memorizing:

VersionStatusAction
SSL 2.0 / 3.0badly broken (POODLE)disable — never enable
TLS 1.0 / 1.1deprecated (2021); weak cryptodisable
TLS 1.2secure if well configuredenable (for compatibility)
TLS 1.3current bestenable (preferred)

The modern baseline is: support TLS 1.2 and 1.3, disable everything older. TLS 1.0/1.1 were officially deprecated in 2021 and browsers show warnings for them. You keep 1.2 only because some older clients can't do 1.3 yet; everything below 1.2 is a liability with no upside.

On TLS 1.2, cipher ORDER and selection still matter — on 1.3, barely
Because TLS 1.2 still permits weaker suites, a misconfigured 1.2 server can negotiate something bad. So on 1.2 you must curate the suite list: prefer ECDHE + GCM/ChaCha20, and explicitly exclude RSA key transport, CBC-mode, RC4, 3DES, and anything "EXPORT" or "NULL". On TLS 1.3 this worry largely evaporates — all five suites are safe, so there's little to misconfigure. This is the practical reward of 1.3's "removed the choices" design (Chapter 7): the surface for getting cipher config wrong is tiny.

Inspecting What a Server Actually Offers

You don't have to guess a server's configuration — you can enumerate it. nmap's ssl-enum-ciphers script is the most readable tool, grading each suite:

nmap --script ssl-enum-ciphers -p 443 example.com | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_128_GCM_SHA256 - A | least strength: A

Each suite gets a letter grade; you want all A's with no C/F entries and no TLS 1.0/1.1 sections at all. The same information underlies the SSL Labs report you'll use in Chapter 10. Reading this output is now entirely within reach — every field maps to a concept from the last six chapters.

Hands-On Exercises

Exercise 1

Take the suite ECDHE-ECDSA-AES256-GCM-SHA384 and decode all four parts (key exchange, authentication, bulk cipher, hash). State which guarantee each part contributes, and whether this suite provides forward secrecy.

📄 View solution
Exercise 2

Use openssl ciphers -v 'ECDHE+AESGCM' to list matching suites, then run nmap --script ssl-enum-ciphers against a real site. Identify the protocol versions it supports and whether any weak suite or deprecated version is present.

📄 View solution
Exercise 3

Given these four suites, classify each as MODERN-SAFE or AVOID and justify: (a) TLS_AES_128_GCM_SHA256; (b) ECDHE-RSA-AES128-GCM-SHA256; (c) AES256-SHA (i.e. RSA kex, CBC); (d) ECDHE-RSA-RC4128-SHA. State the single biggest problem with each "avoid" one.

📄 View solution

Chapter 8 Quick Reference

  • A cipher suite = the agreed combination of algorithms for a connection
  • TLS 1.2 suite = key exchange – authentication – bulk cipher – hash (e.g. ECDHE-RSA-AES128-GCM-SHA256)
  • Check the first two segments: ECDHE/DHE = forward secrecy; GCM/ChaCha20 = modern AEAD
  • TLS 1.3 suite = just AEAD cipher + hash (e.g. TLS_AES_128_GCM_SHA256) — only five exist, all safe
  • AES-GCM (fast with AES hardware) vs ChaCha20-Poly1305 (fast in software, mobile) — both secure
  • Versions: enable TLS 1.2 + 1.3, disable SSL 2/3 and TLS 1.0/1.1 (deprecated 2021)
  • On 1.2 curate the suite list (exclude RSA-kex, CBC, RC4, 3DES, EXPORT, NULL); on 1.3 there's little to misconfigure
  • Audit with nmap --script ssl-enum-ciphers or openssl ciphers -v — aim for all A's, no weak entries
  • Next chapter: getting a certificate — CSRs, domain validation, Let's Encrypt & ACME