Cipher Suite


Cipher Suite (Cipher_suites) defines the cryptographic Primitives or algorithms that are utilized in a particular TLS/SSL session

Cipher Suite SSL/TLS #

A SSL/TLS Cipher Suite is a 16-bit symbolic identifier for a set of cryptographic algorithms as listed in the TLS Cipher Suite Registry

For instance, the TLS_RSA_WITH_AES_128_CBC_SHA Cipher Suite has value 0x002F, and means

There are many Known Cipher Suites and for TLS they are all supposedly registered at the TLS Cipher Suite Registry

Cipher suites are written like this:

which roughly breaks down into the following parameters:

Special Cipher Suite:#

There are a couple of Cipher Suite that are special

Cipher Suite SSL/TLS #

The order in the ClientHello shows what the client prefers, i.e. the preferred ciphers are on top.

The server is still free to ignore this order and pick what it thinks is best.

Often there is a related setting in the TLS configuration of the server, like SSLHonorCipherOrder for apache or ssl_prefer_server_ciphers for NGINX.

Cipher Suite Kerberos Encryption Types#

Kerberos Encryption Types are similar to Cipher Suite used in Kerberos

Which Cipher Suites to use#

Generally which Cipher Suites to use depends on a lot of factors and configuration of your Implementation,

A good place to start is using one of the Certificate Validation Tools and Mozilla maintains an excellent resource for Server Side TLS Guidelines

More Information#

There might be more information for this subject on one of the following: