Modern Protocol and Cipher Suite Selection
The foundation of advanced SSL configuration lies in careful protocol and cipher suite selection. Modern deployments should exclusively use TLS 1.2 and TLS 1.3, completely disabling SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1. These older protocols contain known vulnerabilities that enable various attacks. While disabling older protocols might seem to risk compatibility issues, modern browser usage statistics show negligible impact—less than 1% of users rely on browsers supporting only deprecated protocols.
TLS 1.3 represents the current gold standard, offering improved security and performance over previous versions. It removes vulnerable features like RSA key exchange and requires forward secrecy. The simplified handshake reduces round trips, improving connection establishment speed. TLS 1.3 also includes 0-RTT (zero round trip time) resumption for returning clients, though this feature requires careful implementation to prevent replay attacks. Enable TLS 1.3 wherever possible while maintaining TLS 1.2 for broader compatibility.
Cipher suite configuration significantly impacts both security and performance. Prioritize Authenticated Encryption with Associated Data (AEAD) ciphers like AES-GCM and ChaCha20-Poly1305. These modern ciphers provide both confidentiality and authenticity in a single operation. Configure your server to prefer Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange for forward secrecy. A recommended cipher suite order might be: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
Remove weak and deprecated ciphers from your configuration entirely. Disable export-grade ciphers, NULL ciphers, anonymous ciphers, RC4, DES, and 3DES. Remove ciphers using MD5 or SHA1 for message authentication. While maintaining backward compatibility seems user-friendly, supporting vulnerable ciphers exposes all users to downgrade attacks. Regular cipher suite audits ensure your configuration remains secure as new vulnerabilities emerge.
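The cipher suite rules from the two paragraphs above can be turned into a repeatable audit. The following is an added example, not code from the original page: it parses IANA cipher suite names and reports which rule each one breaks. The protocol labels (`SSLv2`, `TLSv1.0`, ...), the function names and the sample weak suites are assumptions constructed for illustration.

```python
# Added example: audit IANA cipher suite names against the rules in this section.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # labels are assumed
AEAD_MARKERS = ("_GCM", "_CCM", "CHACHA20_POLY1305")
WEAK_CIPHER_TOKENS = {"NULL": "NULL cipher", "RC4": "RC4", "DES": "DES",
                      "DES40": "DES", "3DES": "3DES"}
WEAK_MACS = {"MD5": "MD5 MAC", "SHA": "SHA1 MAC"}  # IANA writes SHA-1 as "SHA"

def audit_suite(name):
    """Return findings for one IANA suite name; an empty list means it passes."""
    if "_WITH_" not in name:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) carry no key exchange:
        # the protocol itself requires forward secrecy and AEAD.
        return []
    kx, cipher = name[len("TLS_"):].split("_WITH_", 1)
    kx_tokens, cipher_tokens = kx.split("_"), cipher.split("_")
    findings = []
    if "EXPORT" in kx_tokens:
        findings.append("export-grade")
    if "anon" in kx_tokens:
        findings.append("anonymous key exchange")
    if kx_tokens[0] not in ("ECDHE", "DHE"):
        findings.append("key exchange not (EC)DHE")
    findings += [lbl for tok, lbl in WEAK_CIPHER_TOKENS.items() if tok in cipher_tokens]
    if not any(marker in cipher for marker in AEAD_MARKERS):
        findings.append("not AEAD")
        # Only non-AEAD suites use the trailing hash as the record MAC.
        if cipher_tokens[-1] in WEAK_MACS:
            findings.append(WEAK_MACS[cipher_tokens[-1]])
    return findings

def audit_config(protocols, suites):
    """Map each offending protocol or suite to its list of findings."""
    report = {p: ["deprecated protocol"] for p in protocols if p in DEPRECATED_PROTOCOLS}
    report.update({s: f for s in suites if (f := audit_suite(s))})
    return report

# The four suites recommended in the text above.
RECOMMENDED = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
               "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
               "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
# Constructed sample of suites a legacy configuration might still enable.
SAMPLE_WEAK = ["TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
               "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    sample = audit_config(["TLSv1.0", "TLSv1.2", "TLSv1.3"], RECOMMENDED + SAMPLE_WEAK)
    for item, findings in sample.items():
        print(f"{item}: {', '.join(findings)}")
```

Feed it the protocol and suite list reported by your server or scanner; any key in the returned report is something the configuration should drop.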