A cipher suite is the combination of algorithms your server and client agree upon during the TLS handshake. The choice directly affects whether your connections have forward secrecy, how fast encryption runs, and whether your site passes security audits. This guide ranks every commonly encountered cipher suite from best to worst and gives you copy-paste configurations for Nginx and Apache.
This article is part of the SSL/TLS Configuration Guide on GF.dev. After making changes, verify them with the TLS Scanner.
An OpenSSL cipher suite name encodes four choices into a single string. For example, ECDHE-RSA-AES256-GCM-SHA384 breaks down as:
In TLS 1.3, the naming is simplified because key exchange and authentication are negotiated separately. A TLS 1.3 suite name like TLS_AES_256_GCM_SHA384 only specifies the AEAD cipher and hash.
These cipher suites provide AEAD encryption, forward secrecy, and strong key exchange. Enable all of them:
| Cipher Suite | Protocol | Notes |
|---|---|---|
| TLS_AES_256_GCM_SHA384 | TLS 1.3 | Strongest TLS 1.3 suite. Hardware-accelerated on modern CPUs. |
| TLS_CHACHA20_POLY1305_SHA256 | TLS 1.3 | Faster than AES on devices without AES-NI (mobile, ARM). |
| TLS_AES_128_GCM_SHA256 | TLS 1.3 | Slightly faster than AES-256. Still considered fully secure. |
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLS 1.2 | Best TLS 1.2 suite when using an ECDSA certificate. |
| ECDHE-RSA-AES256-GCM-SHA384 | TLS 1.2 | Best TLS 1.2 suite when using an RSA certificate. |
| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS 1.2 | Excellent for mobile clients. |
| ECDHE-RSA-CHACHA20-POLY1305 | TLS 1.2 | RSA equivalent of the above. |
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLS 1.2 | Good balance of speed and security. |
| ECDHE-RSA-AES128-GCM-SHA256 | TLS 1.2 | RSA equivalent of the above. |
These suites use CBC mode instead of GCM/AEAD. They are not broken, but CBC-mode ciphers have historically been targets of padding oracle attacks (BEAST, Lucky13, POODLE). Only enable these if you must support very old clients:
| Cipher Suite | Issue |
|---|---|
| ECDHE-RSA-AES256-SHA384 | CBC mode. No AEAD. |
| ECDHE-RSA-AES128-SHA256 | CBC mode. No AEAD. |
If you do enable these, place them below all GCM suites in your preference order and set ssl_prefer_server_ciphers on so they are only negotiated as a last resort.
These cipher suites have known vulnerabilities or design weaknesses. Disable them all:
- ECDHE or DHE prefix) — No forward secrecy. A compromised server key decrypts all past traffic.
- DES-CBC3-SHA) — 64-bit block size makes it vulnerable to Sweet32 birthday attacks.

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve X25519:secp384r1:secp256r1;
```

```apache
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
SSLOpenSSLConfCmd Curves X25519:secp384r1:secp256r1
```

If your certificate uses an ECDSA key (increasingly common with Let's Encrypt), only the ECDHE-ECDSA-* suites apply. If you use an RSA key, only ECDHE-RSA-* suites apply. If you serve both certificate types (dual-cert setup), include both sets. ECDSA certificates are smaller, faster to verify, and recommended for new deployments.
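The tiers and the ordering rule from this guide, applied to an `ssl_ciphers` or `SSLCipherSuite` line, as an added example (not code from the original guide). The function names, the `review` and `misordered` labels, and the sample config are assumptions made for this illustration; it handles explicit suite names only, not OpenSSL keywords such as `HIGH`.

```python
import re

AEAD = ("GCM", "CHACHA20-POLY1305")

def classify(suite):
    """Return (tier, reason) for one suite name, using the guide's rules."""
    if suite.startswith("TLS_") and "_WITH_" not in suite:
        return "recommended", "TLS 1.3 AEAD suite"
    if not re.fullmatch(r"[A-Z0-9]+(-[A-Z0-9]+)+", suite):
        return "review", "not an explicit OpenSSL suite name"
    if "DES-CBC3" in suite:
        return "disable", "64-bit block cipher (Sweet32)"
    if not suite.startswith(("ECDHE-", "DHE-")):
        return "disable", "no ECDHE or DHE prefix (no forward secrecy)"
    if suite.startswith("ECDHE-") and any(a in suite for a in AEAD):
        return "recommended", "ECDHE key exchange with AEAD"
    if re.search(r"^ECDHE-.*AES(128|256)-SHA(256|384)?$", suite):
        return "acceptable", "CBC mode, no AEAD"
    return "review", "not ranked in the guide's tiers"

def audit(conf_text):
    """Audit the first ssl_ciphers / SSLCipherSuite line in a config snippet."""
    m = re.search(r"^\s*(?:ssl_ciphers|SSLCipherSuite)\s+([^;\n]+)", conf_text, re.M)
    if not m:
        raise ValueError("no cipher directive found")
    suites = [s for s in m.group(1).strip().strip("'\"").split(":") if s]
    findings, seen_cbc = [], False
    for s in suites:
        tier, reason = classify(s)
        if tier == "acceptable":
            seen_cbc = True
        elif tier == "recommended" and seen_cbc:
            # The guide wants CBC suites placed below every GCM suite.
            tier, reason = "misordered", reason + "; listed below a CBC suite"
        findings.append((s, tier, reason))
    return findings

# Constructed sample config for illustration, not taken from the guide.
SAMPLE_CONF = """\
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA:DES-CBC3-SHA;
"""

if __name__ == "__main__":
    for suite, tier, reason in audit(SAMPLE_CONF):
        print(f"{tier:12} {suite:32} {reason}")
```
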
After updating your configuration:
1. nginx -t or apachectl configtest to check syntax.
2. systemctl reload nginx or systemctl reload apache2.

For the complete TLS hardening picture, return to the SSL/TLS Configuration Guide or jump to How to Get an A+ on SSL Labs.