Choosing Cipher Suites: Avoid and Prefer
Configuring cipher suites is one of the most impactful security
decisions you make when setting up a TLS server. The wrong choices can
leave you vulnerable to known attacks. The right choices give you strong
encryption with forward secrecy.
Avoid (Disable These)
These should be disabled on every server:
- NULL ciphers: No encryption at all. Data is sent in plain text. Exists for debugging only.
- Export ciphers: Deliberately weakened encryption (40-bit or 56-bit keys) from the 1990s US export restrictions. Trivially breakable.
- DES and 3DES: DES has a 56-bit key (breakable in hours). 3DES is slow and has a 64-bit block size that leads to the Sweet32 attack.
- RC4: A stream cipher with known biases. Deprecated by RFC 7465.
- MD5 for signatures: Collision attacks make MD5 signatures forgeable.
- SHA-1 for signatures: Collision attacks demonstrated in 2017 (SHAttered).
- Static RSA key exchange: No forward secrecy. Removed in TLS 1.3.
- CBC mode ciphers: Vulnerable to padding oracle attacks. Use AEAD ciphers (GCM or ChaCha20-Poly1305) instead.
Prefer (Use These)
- TLS_AES_256_GCM_SHA384 (TLS 1.3)
- TLS_CHACHA20_POLY1305_SHA256 (TLS 1.3)
- TLS_AES_128_GCM_SHA256 (TLS 1.3)
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (TLS 1.2)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (TLS 1.2)
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (TLS 1.2)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2)
Every cipher suite in this list provides forward secrecy (ECDHE in the TLS 1.2 suites; TLS 1.3 always uses ephemeral key exchange, so its suite names no longer spell it out) and AEAD encryption (GCM or ChaCha20-Poly1305). If you only enable these, you're covered.
Server Preference vs Client Preference
When the client sends its list of supported cipher suites, the server
can either:
- Honor server preference: The server picks the first cipher suite from its own ordered list that the client also supports. This ensures the server's preferred (strongest) cipher is used.
- Honor client preference: The server picks the first cipher suite from the client's list that the server also supports.
Server preference is recommended. It gives you control over which
cipher suite is selected.
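As an added example (not code from the original article), the following Python maps the "Avoid" rules above onto TLS 1.2 cipher suite names and replays the server-versus-client preference decision on a constructed suite list, so you can see which suite each policy selects and why disabling the weak suites matters regardless of policy. The suite name patterns checked (NULL, EXPORT, DES/3DES, RC4, MD5, CBC, TLS_RSA_WITH_) are this example's own heuristics, not a complete registry.

```python
PREFERRED = [  # the article's "Prefer" list, in server-preferred order
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

def why_avoid(suite):
    """Return the article's reason to disable `suite`, or None if it passes."""
    s = suite.upper()
    if "_NULL_" in s or s.endswith("_NULL"):
        return "NULL cipher: no encryption at all"
    if "EXPORT" in s:
        return "export-grade cipher: 40/56-bit key"
    if "3DES" in s or "_DES_" in s:
        return "DES/3DES: 56-bit key or 64-bit block (Sweet32)"
    if "RC4" in s:
        return "RC4: biased keystream (RFC 7465)"
    if s.endswith("_MD5"):
        return "MD5-based MAC"
    if "_CBC_" in s:
        return "CBC mode: padding-oracle exposure, use an AEAD suite"
    if s.startswith("TLS_RSA_WITH_"):
        return "static RSA key exchange: no forward secrecy"
    return None

def harden(server_list):
    """Drop every suite the article says to disable, keeping the server's order."""
    return [s for s in server_list if why_avoid(s) is None]

def negotiate(server_list, client_list, server_preference=True):
    """Suite a TLS 1.2 server selects under server or client preference."""
    first, second = (server_list, client_list) if server_preference else (client_list, server_list)
    for suite in first:
        if suite in second:
            return suite
    return None  # no overlap: the handshake fails

# Constructed sample: the server keeps a CBC fallback; the client lists it first.
SERVER = PREFERRED + ["TLS_RSA_WITH_AES_128_CBC_SHA"]
CLIENT = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    print("server preference :", negotiate(SERVER, CLIENT, True))
    print("client preference :", negotiate(SERVER, CLIENT, False))
    print("hardened, client  :", negotiate(harden(SERVER), CLIENT, False))
```

With client preference the leftover CBC suite wins; once it is removed, even client preference can only land on an ECDHE/AEAD suite.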
- testssl.sh: A comprehensive command-line tool that tests a server's TLS configuration, including cipher suites, protocols, vulnerabilities, and certificate details.
- nmap: nmap --script ssl-enum-ciphers -p 443 example.com lists all cipher suites a server supports.
- SSL Labs (ssllabs.com): A web-based tool by Qualys that grades your TLS configuration from A+ to F. Aim for A or A+.
- Mozilla SSL Configuration Generator: Generates recommended cipher suite configurations for Apache, Nginx, HAProxy, and other servers. Offers three profiles: Modern (TLS 1.3 only), Intermediate (TLS 1.2+), and Old (maximum compatibility).