Cipher Suites & Protocol Versions
A cipher suite is the specific combination of algorithms a TLS connection agrees to use. The intimidating strings you see in openssl output or an SSL Labs report are just those algorithm choices spelled out. Once you can read them, configuring a server's security becomes a matter of knowing which to allow — this chapter teaches both.
Anatomy of a TLS 1.2 Cipher Suite
A 1.2 suite name bundles four decisions, read left to right:
So ECDHE-RSA-AES128-GCM-SHA256 reads as: "agree the key with ephemeral elliptic-curve Diffie–Hellman, authenticate the server with its RSA certificate, encrypt data with 128-bit AES in GCM mode, and use SHA-256 for hashing." Every piece is a concept from earlier chapters, now named in one line.
RSA (RSA key transport) or AES…-CBC instead of GCM is a red flag. If you see ECDHE at the front and GCM (or CHACHA20-POLY1305) for the cipher, it's a modern, safe suite.
TLS 1.3 Suites Are Shorter — On Purpose
As Chapter 7 introduced, TLS 1.3 negotiates key exchange and authentication separately, so a 1.3 cipher suite names only the bulk AEAD cipher + hash:
There's no weak choice to make — key exchange is always ephemeral (EC)DHE and the cipher is always AEAD, so those decisions aren't even in the string. This is why the giant menu of TLS 1.2 suites (hundreds, many insecure) shrinks to five solid options in 1.3. In practice the top three are what you'll see; ChaCha20-Poly1305 is preferred on devices without AES hardware acceleration (most phones) because it's fast in pure software.
AES-GCM vs ChaCha20-Poly1305
Both are modern AEAD ciphers (confidentiality + integrity in one, Chapter 2) and both are secure. The choice is about performance, not safety:
| Cipher | Best when | Notes |
|---|---|---|
| AES-GCM | CPU has AES hardware (AES-NI) — most desktops/servers | extremely fast with hardware acceleration |
| ChaCha20-Poly1305 | no AES hardware — many mobile/low-power devices | fast and constant-time in pure software |
Protocol Versions: What to Enable and Disable
Separate from cipher suites is the protocol version. The guidance today is simple and worth memorizing:
| Version | Status | Action |
|---|---|---|
| SSL 2.0 / 3.0 | badly broken (POODLE) | disable — never enable |
| TLS 1.0 / 1.1 | deprecated (2021); weak crypto | disable |
| TLS 1.2 | secure if well configured | enable (for compatibility) |
| TLS 1.3 | current best | enable (preferred) |
The modern baseline is: support TLS 1.2 and 1.3, disable everything older. TLS 1.0/1.1 were officially deprecated in 2021 and browsers show warnings for them. You keep 1.2 only because some older clients can't do 1.3 yet; everything below 1.2 is a liability with no upside.
Inspecting What a Server Actually Offers
You don't have to guess a server's configuration — you can enumerate it. nmap's ssl-enum-ciphers script is the most readable tool, grading each suite:
Each suite gets a letter grade; you want all A's with no C/F entries and no TLS 1.0/1.1 sections at all. The same information underlies the SSL Labs report you'll use in Chapter 10. Reading this output is now entirely within reach — every field maps to a concept from the last six chapters.
Hands-On Exercises
Take the suite ECDHE-ECDSA-AES256-GCM-SHA384 and decode all four parts (key exchange, authentication, bulk cipher, hash). State which guarantee each part contributes, and whether this suite provides forward secrecy.
Use openssl ciphers -v 'ECDHE+AESGCM' to list matching suites, then run nmap --script ssl-enum-ciphers against a real site. Identify the protocol versions it supports and whether any weak suite or deprecated version is present.
Given these four suites, classify each as MODERN-SAFE or AVOID and justify: (a) TLS_AES_128_GCM_SHA256; (b) ECDHE-RSA-AES128-GCM-SHA256; (c) AES256-SHA (i.e. RSA kex, CBC); (d) ECDHE-RSA-RC4128-SHA. State the single biggest problem with each "avoid" one.
Chapter 8 Quick Reference
- A cipher suite = the agreed combination of algorithms for a connection
- TLS 1.2 suite = key exchange – authentication – bulk cipher – hash (e.g. ECDHE-RSA-AES128-GCM-SHA256)
- Check the first two segments: ECDHE/DHE = forward secrecy; GCM/ChaCha20 = modern AEAD
- TLS 1.3 suite = just AEAD cipher + hash (e.g. TLS_AES_128_GCM_SHA256) — only five exist, all safe
- AES-GCM (fast with AES hardware) vs ChaCha20-Poly1305 (fast in software, mobile) — both secure
- Versions: enable TLS 1.2 + 1.3, disable SSL 2/3 and TLS 1.0/1.1 (deprecated 2021)
- On 1.2 curate the suite list (exclude RSA-kex, CBC, RC4, 3DES, EXPORT, NULL); on 1.3 there's little to misconfigure
- Audit with
nmap --script ssl-enum-ciphersoropenssl ciphers -v— aim for all A's, no weak entries - Next chapter: getting a certificate — CSRs, domain validation, Let's Encrypt & ACME