Cipher Suite

A cipher suite specifies the bundle of algorithms used by a secure protocol to protect a session. In TLS 1.2, a suite like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 selects ECDHE for key exchange, RSA for authentication, AES-128-GCM for encryption, and SHA-256 for PRF. TLS 1.3 simplified the model by separating key exchange and signatures from the AEAD: only five suites remain (e.g., TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256). Selecting strong suites — and disabling weak or legacy ones such as RC4, 3DES, export-grade DH, and anonymous (aDH/aECDH) — is a critical TLS hardening step. Tools like SSL Labs, testssl.sh, and configuration guides from Mozilla, NIST, and the BSI codify safe defaults.