How many cipher suites does TLS 1.3 define?

Five: TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256. All use AEAD ciphers and always provide forward secrecy because the key exchange is always ephemeral.

What is forward secrecy and why does it matter?

Forward secrecy means each session uses an ephemeral key, so capturing the server private key later cannot decrypt past traffic. It is provided by ECDHE and DHE key exchange. Static-RSA suites lack it, which is why they are rated weak.

Should I use AES-GCM or ChaCha20-Poly1305?

Both are strong AEAD ciphers. AES-GCM is fastest on hardware with AES-NI, while ChaCha20-Poly1305 is faster on mobile and devices without AES acceleration. Offer both and let the client pick based on its hardware.

Why are CBC and RC4 suites discouraged?

CBC-mode suites have suffered padding-oracle attacks (BEAST, Lucky13) and those using SHA-1 are weak. RC4 has biased-keystream attacks and is prohibited by RFC 7465. 3DES is slow and vulnerable to Sweet32. Prefer AEAD suites.

Does this tool test my server?

No. It is a static offline reference and filter running entirely in your browser. To scan a live server use a tool such as testssl.sh or SSL Labs.

TLS Cipher Suite Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Picking strong TLS cipher suites

A TLS cipher suite bundles the algorithms used for a connection: the key-exchange method, the certificate authentication type, the bulk encryption cipher and the hash. This reference lists the common suites for TLS 1.3 and TLS 1.2 with their full IANA names, a forward-secrecy flag and a security rating so you can build a hardened server configuration.

How it works

In TLS 1.3 the cipher suite only names the AEAD cipher and hash — key exchange is always ephemeral and negotiated separately, so every 1.3 suite has forward secrecy. In TLS 1.2 the full suite name encodes all four parts:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     │     │        │           │
     │     │        │           └─ hash (PRF / HMAC)
     │     │        └───────────── bulk cipher + mode
     │     └────────────────────── certificate auth (RSA / ECDSA)
     └──────────────────────────── key exchange (ECDHE / DHE / RSA)

The server offers an ordered list; with server-cipher-order enabled it picks the first suite both peers support. Rank AEAD suites (GCM, ChaCha20-Poly1305) with ephemeral key exchange (ECDHE, DHE) first, and disable static-RSA, CBC-SHA1, RC4 and 3DES suites entirely.

Tips and notes

TLS 1.3 has only five suites and needs no manual ordering for most servers.
For TLS 1.2, require ECDHE so every session has forward secrecy.
Match Mozilla’s “Intermediate” or “Modern” SSL configuration as a baseline.
Verify a live endpoint with testssl.sh or the SSL Labs server test.