Overview#Cipher Suite defines the cryptographic Primitives or algorithms that are utilized in a particular TLS/SSL session SSL/TLS Cipher Suite is a 16-bit symbolic identifier for a set of cryptographic algorithms as listed in the TLS Cipher Suite Registry
For instance, the TLS_RSA_WITH_AES_128_CBC_SHA Cipher Suite has value 0x002F, and means
- The TLS records use HMAC/SHA-1 and AES encryption with a 128-bit key,
- the key-Exchange is done by encrypting a random key with the server's RSA Public Key"
Cipher suites are written like this:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHAwhich roughly breaks down into the following parameters:
- TLS - Could be TLS or SSL
- ECDHE: the Key-Exchange Mechanism.
- RSA: the Authentication mechanism.
- Cipher - the Cipher Algorithm
- SHA: the Message Authentication Code primitive.
- PRF - (not shown) only used in TLS 1.2
The server is still free to ignore this order and pick what it thinks is best.
Often there is a related setting in the TLS configuration of the server, like SSLHonorCipherOrder for apache or ssl_prefer_server_ciphers for nginx.
More Information#There might be more information for this subject on one of the following:
- Anonymous Cipher Suite
- Cipher Suite
- Diffie-Hellman Ephemeral
- Elliptic Curve Diffie-Hellman Ephemeral
- FIPS Based Cipher Suites
- How SSL-TLS Works
- Known Cipher Suites
- OpenSSL Commands
- Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)
- Prohibiting RC4 Cipher Suites
- RFC 4492
- Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
- TLS 1.2
- TLS 1.3
- TLS Cipher Suite Registry
- TLS Session Resumption
- Tomcat And SSL