Skip to main content

Cipher Suite

A cipher suite is the set of cryptographic algorithms that a client and server select when they establish a secure connection. When a browser loads a page over HTTPS, the two sides negotiate a cipher suite as part of the TLS handshake, and that choice determines how the rest of the connection is protected.

What is a cipher suite

In TLS 1.2 and earlier, a cipher suite name encodes the algorithms used for several parts of the connection. Take this modern TLS 1.2 suite alongside a legacy one:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ← modern AEAD suite
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      ← legacy CBC suite

Reading the modern suite left to right:

  • ECDHE — key exchange: how the two sides agree on a shared secret without ever sending it over the wire.
  • RSA — authentication: how the server proves its identity, typically using public-key cryptography and its certificate.
  • AES_128_GCM — bulk encryption: the symmetric algorithm, key size, and mode of operation used to encrypt the actual data. The mode of operation in that third part is where the security differences between older and newer suites lie.
  • SHA256 — pseudorandom function hash: the hash used by the TLS 1.2 key schedule. Message integrity for this suite is provided by GCM as part of AEAD.

TLS 1.3 cipher suite names are shorter because key exchange and authentication moved out of the cipher suite name:

TLS_AES_128_GCM_SHA256

In this TLS 1.3 example, AES_128_GCM identifies the AEAD encryption algorithm and SHA256 identifies the handshake hash.

CBC mode and its weaknesses

CBC (Cipher Block Chaining) is a mode of operation that encrypts data one block at a time, chaining each block to the previous one. It was widely used in TLS for years but is difficult to implement safely, and a series of well-documented attacks have exploited its weaknesses:

  • POODLE — a padding oracle attack against SSL 3.0 CBC that can recover plaintext when clients can be forced to downgrade.
  • BEAST — exploits TLS 1.0 CBC initialization vector behavior to mount a chosen-plaintext attack.
  • Lucky Thirteen — a timing side channel in how CBC padding is verified.

Because of these issues, CBC-mode cipher suites have been deprecated by browser vendors, operating systems, and the broader security community.

Modern AEAD cipher suites

Today's connections use AEAD (Authenticated Encryption with Associated Data) cipher suites such as AES-GCM and ChaCha20-Poly1305. AEAD encrypts the data and verifies its integrity in a single, combined operation, which eliminates the entire class of padding-related attacks that affect CBC. Modern clients such as current browsers, up-to-date mobile operating systems, and recent server runtimes already prefer these suites and negotiate them automatically.

Keeping a server's list of supported cipher suites limited to strong, modern options is a standard part of maintaining encryption in transit and reducing a connection's attack surface.

Cipher suites and Clerk

Clerk terminates TLS for the subdomains it manages on your behalf, such as your Frontend API and Account Portal, and maintains the list of cipher suites those endpoints support. Beginning January 18, 2027, Clerk phases out CBC-mode cipher suites on these subdomains in favor of AEAD-only suites. The change rolls out gradually as each subdomain's certificate is renewed over the following 90 days.

For details on that change and its timeline, see Deprecating CBC cipher suites.