TLS Cipher Suite Explorer

Browse, search, and compare TLS cipher suites with Mozilla security classification, OpenSSL & IANA names, and detailed cryptographic parameters.

Cipher Suites

Showing 0 of 0 cipher suites
Code IANA Name OpenSSL Protocol Key Exchange Auth Encryption Hash/MAC Security

How to Use

  1. Search — Type any keyword to filter by IANA name, OpenSSL name, key exchange algorithm, encryption cipher, or hash function.
  2. Filter — Use the dropdowns to narrow results by Mozilla security level (Modern/Intermediate/Old) or protocol version (TLS 1.3, TLS 1.2, etc.).
  3. Sort — Click any column header to sort by that field. Click again to reverse the sort order.
  4. Category cards — Click on the security level cards to quickly filter by Modern, Intermediate, or Old classifications.
  5. Compare — Browse all cipher suites side by side to compare key exchange, authentication, encryption strength, and hash algorithms.

All cipher suite data is embedded and processed entirely client-side. No data is sent to any server.

What Are TLS Cipher Suites?

A TLS cipher suite is a set of cryptographic algorithms that defines how a TLS/SSL connection is established and secured. Each cipher suite specifies four key components:

  • Key Exchange — Algorithm used to securely exchange session keys (e.g., ECDHE, DHE, RSA)
  • Authentication — Method for verifying the server's identity (e.g., ECDSA, RSA, PSK)
  • Encryption — Symmetric cipher for encrypting data (e.g., AES-256-GCM, ChaCha20-Poly1305)
  • Hash/MAC — Message authentication code algorithm for integrity (e.g., SHA-384, Poly1305, AEAD)

The Mozilla security classification helps developers choose appropriate cipher suites:

  • Modern — Best security, compatible with modern browsers (TLS 1.3 only)
  • Intermediate — Good security, broad compatibility (TLS 1.2 + 1.3)
  • Old — Legacy support, weaker security (TLS 1.0/1.1, SSL 3.0)

Mozilla Security Recommendations

Mozilla provides three security configurations for TLS servers. Choose based on your compatibility requirements:

Level Protocols Key Exchange Ciphers Use Case
Modern TLS 1.3 ECDHE TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256 Services that don't need backward compatibility
Intermediate TLS 1.2, TLS 1.3 ECDHE, DHE AES-GCM, ChaCha20-Poly1305, AES-CBC (SHA-256/384) General purpose, broad compatibility
Old TLS 1.0 - TLS 1.3 ECDHE, DHE, RSA Includes 3DES, RC4, CBC ciphers Legacy systems, older clients

Frequently Asked Questions

What is the difference between IANA and OpenSSL cipher names?

IANA names are the official standardized names assigned by the Internet Assigned Numbers Authority. OpenSSL uses shorter, more human-readable names. For example, the IANA name TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is known in OpenSSL as ECDHE-RSA-AES128-GCM-SHA256.

What does "Modern" security mean?

Mozilla's Modern profile includes only TLS 1.3 cipher suites with forward-secret key exchange (ECDHE) and AEAD encryption (AES-GCM or ChaCha20-Poly1305). These provide the highest security but may not be compatible with very old clients.

What is forward secrecy?

Forward secrecy (or perfect forward secrecy, PFS) ensures that session keys are not compromised if the server's private key is later exposed. Cipher suites using ECDHE or DHE key exchange provide forward secrecy. RSA key exchange does not.

What is AEAD encryption?

AEAD (Authenticated Encryption with Associated Data) combines encryption and authentication into a single operation. GCM (Galois/Counter Mode) and ChaCha20-Poly1305 are AEAD ciphers. They are more secure and efficient than older CBC-mode ciphers with separate HMAC.

How do I configure cipher suites on my server?

Use this explorer to find the cipher suites appropriate for your security level, then configure them in your web server (Nginx, Apache), load balancer (HAProxy), or application framework. Mozilla's SSL Configuration Generator at ssl-config.mozilla.org provides ready-to-use configurations.

Related Tools