← All guides
Guide

Reading your TLS cipher suite list without getting lost

Published May 27, 2026. About a six-minute read.

A TLS cipher suite is the combination of cryptographic algorithms two computers agree to use for a single secure connection. The name looks intimidating, but it is just a structured label. Once you know which slot is which, every cipher suite name in your server config becomes legible.

Here is a typical TLS 1.2 cipher suite name:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

And here is a typical TLS 1.3 one:

TLS_AES_128_GCM_SHA256

The TLS 1.3 version is shorter because TLS 1.3 simplified the negotiation. Two of the four slots in a TLS 1.2 name are no longer chosen per-suite.

The four parts of a TLS 1.2 suite

Key exchange. How the two sides agree on a shared secret. ECDHE means elliptic-curve Diffie-Hellman ephemeral, which gives you forward secrecy. RSA in this slot (without the E for ephemeral) means the secret is encrypted to the server's RSA public key, which does not give you forward secrecy. Modern configs should only use ephemeral options.

Authentication. What kind of key the server uses to prove its identity. RSA here means the server has an RSA certificate. ECDSA means an elliptic-curve certificate. This is the part of the suite name that ties to your certificate's key algorithm.

Bulk cipher. The symmetric algorithm that encrypts the actual data once the handshake is done. AES_128_GCM means AES with a 128-bit key in Galois/Counter mode, which is an AEAD cipher (authenticated encryption with associated data). CHACHA20_POLY1305 is the modern alternative, faster on mobile devices without AES hardware acceleration. Anything with CBC in this slot is older, slower, and historically vulnerable to a family of padding-oracle attacks.

MAC (message authentication code). SHA256 or SHA384 are the hash algorithms used to verify message integrity. With AEAD bulk ciphers (GCM, ChaCha20-Poly1305) this slot is partly cosmetic. The integrity is built into the bulk cipher itself. With CBC bulk ciphers the MAC is doing real work, which is one reason CBC suites are slower.

Why TLS 1.3 names are shorter

TLS 1.3 fixed key exchange (always ephemeral Diffie-Hellman) and authentication (always the certificate's native algorithm) at the protocol level. So a TLS 1.3 suite only needs to specify the bulk cipher and the MAC.

The full TLS 1.3 list is small:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_CCM_SHA256 (rarely used)
  • TLS_AES_128_CCM_8_SHA256 (rarely used)

The first three are what every modern client supports. The CCM variants exist for very constrained devices.

What to keep, what to disable

The safe-defaults shortlist for a public web server in 2026:

  • All three common TLS 1.3 suites (AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305).
  • ECDHE key exchange with ECDSA or RSA authentication, using an AEAD bulk cipher (AES-GCM or ChaCha20-Poly1305) and SHA-256 or SHA-384.

What to disable:

  • Any suite with CBC in the bulk cipher slot. CBC in TLS 1.0 and 1.1 is vulnerable to BEAST and related attacks. CBC in TLS 1.2 with proper implementation is safer but still slower and offers no advantage over AEAD.
  • Any suite with RSA in the key-exchange slot (no E). This is non-ephemeral RSA key exchange, which loses forward secrecy. If your server's RSA private key is ever recovered, every past recorded session can be decrypted.
  • Anything with NULL, EXPORT, DES, 3DES, RC4, or MD5. These are historical and broken.
  • The CCM variants of TLS 1.3 unless you have a specific constrained-device reason to keep them.

A reasonable starting config

For nginx 1.25+ or Apache 2.4 with a modern OpenSSL:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

The TLS 1.3 suites are negotiated separately and are enabled by default in modern OpenSSL builds. The directive above controls the TLS 1.2 list, which is the part that matters for older clients you are still willing to serve.

Mozilla maintains a config generator at ssl-config.mozilla.org that produces ready-to-paste configs for every common web server, with three compatibility tiers (modern, intermediate, old). The intermediate tier is the right default for almost every public site.

How to inspect what your server actually serves

The fastest local check:

openssl s_client -connect yourdomain.com:443 -tls1_2 -cipher "ECDHE+AESGCM" < /dev/null 2>/dev/null | grep -E "Cipher|Protocol"

Or run a full scan via SecureMonk or SSL Labs and read the negotiated-suites section. Either tool will tell you exactly which protocols and suites your server is currently offering, including the ones you forgot to turn off.