TLS Cipher Suite Lookup

Look up TLS 1.0 to 1.3 cipher suites by IANA hex, OpenSSL alias, or component. See key exchange, AEAD, MAC, bit strength, and a 2025 recommendation.

Modern | TLS 1.3 | 128-bit symmetric

TLS_AES_128_GCM_SHA256

IANA 0x13,0x01 | hex 0x1301

Mandatory-to-implement TLS 1.3 suite. AES-128-GCM with the SHA-256 PRF. Fast on hardware that supports AES-NI.

On the Mozilla modern / intermediate list. Forward-secret AEAD. Recommended for new deployments.

  • Key exchange: Any (TLS 1.3)
  • Authentication: Any (TLS 1.3)
  • Symmetric cipher: AES-128-GCM, 128 bit
  • MAC / AEAD: AEAD (SHA-256 PRF)
  • TLS versions: TLS 1.3
  • Reference: RFC 8446
  • IANA byte pair: 0x13,0x01
  • Joined hex: 0x1301
  • Forward secrecy: Yes (ephemeral key exchange)
  • AEAD: Yes (no separate MAC step)

How TLS names a cipher suite

A TLS 1.2 cipher suite name has four parts that describe the handshake and the record protection.

  • TLS_ECDHE_RSA_ picks the key exchange (ECDHE for forward secrecy) and the certificate type (RSA here, ECDSA for ECC certs).
  • WITH_AES_128_GCM_ picks the symmetric cipher and mode. GCM and ChaCha20-Poly1305 are AEAD; CBC is the older encrypt-then-MAC mode.
  • SHA256 picks the hash function. For AEAD suites this drives the PRF; for CBC suites it also names the HMAC.
  • TLS 1.3 simplifies the name to just the record protection: the key exchange and authentication are negotiated separately, so the suite name is TLS_AES_128_GCM_SHA256 with no key-exchange prefix.
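
The naming rules above, applied in code: this added example (not the tool's own code) splits an IANA suite name into the parts the list describes and normalises the two hex spellings shown on this page. The function names are assumptions of this example, and it assumes the common RSA/DHE/ECDHE/PSK/anon name shapes.

```python
import re

AEAD_MARKERS = ("GCM", "CCM", "POLY1305")

def code_point(text):
    """Accept 0xC02F, 0xC0,0x2F or c02f; return the 16-bit code point."""
    digits = re.sub(r"0x|[\s,]", "", text.strip(), flags=re.I)
    if not re.fullmatch(r"[0-9a-fA-F]{4}", digits):
        raise ValueError(f"not a two-byte cipher suite id: {text!r}")
    return int(digits, 16)

def byte_pair(cp):
    """Render a code point in the registry's byte-pair form."""
    return f"0x{cp >> 8:02X},0x{cp & 0xFF:02X}"

def parse_suite(name):
    """Split an IANA suite name into the parts described above."""
    if not name.startswith("TLS_") or name.endswith("_SCSV"):
        raise ValueError(f"not a cipher suite name: {name!r}")
    head, sep, record = name[4:].rpartition("_WITH_")
    if sep:  # TLS 1.2 and earlier: <kx>_<auth>_WITH_<record protection>
        parts = [p for p in head.split("_") if p != "EXPORT"]
        kx, auth = parts[0], parts[-1]  # TLS_RSA_WITH_*: RSA does both jobs
    else:    # TLS 1.3: the name carries record protection only
        kx = auth = "negotiated separately"
    tokens = record.split("_")
    # CCM names in TLS 1.2 end without a hash token, so it may be absent.
    hash_name = tokens.pop() if re.fullmatch(r"SHA\d*|MD5", tokens[-1]) else None
    aead = any(marker in tokens for marker in AEAD_MARKERS)
    return {
        "key_exchange": kx,
        "authentication": auth,
        "cipher": "_".join(tokens),
        "hash": hash_name,
        "mac": "AEAD" if aead else f"HMAC-{hash_name}",
        "forward_secrecy": not sep or kx in ("ECDHE", "DHE"),
        "anonymous": auth == "anon",
        "export_grade": "EXPORT" in head.split("_"),
    }

if __name__ == "__main__":
    # Constructed sample input: suite names from the IANA registry.
    for suite in ("TLS_AES_128_GCM_SHA256",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_DH_anon_WITH_AES_128_CBC_SHA"):
        print(suite, parse_suite(suite))
    print(byte_pair(code_point("0xC02F")))
```
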

Recommendation key

  • Modern: On the Mozilla modern / intermediate list. Forward-secret AEAD. Recommended for new deployments.
  • Secure: Sound construction but not on the modern shortlist. Often kept for compatibility with older clients or specialized profiles.
  • Legacy: Older construction (CBC, smaller MAC tag, or DHE). Acceptable for legacy clients but disable when possible.
  • Weak: Lacks forward secrecy or uses fragile MAC choices. Acceptable only as last-resort fallback; modern profiles disable it.
  • Insecure: Broken or prohibited (RC4, single DES, 3DES SWEET32, export-grade). Do not enable.
  • Anonymous: No certificate verification. Vulnerable to active MITM. Internal lab use only, never on the public internet.

Recommendations follow Mozilla's SSL Configuration Generator and the current IETF guidance. The IANA TLS Cipher Suite Registry is the full reference for every assigned code point.

How to use

  1. Paste an IANA hex value (0xC02F or 0xC0,0x2F), an OpenSSL alias (ECDHE-RSA-AES128-GCM-SHA256), or any component such as ECDHE, ChaCha20, or AEAD into the search box.
  2. Use the Recommendation filter to focus on Modern, Secure, Legacy, Weak, or Insecure suites. Use the Version filter to narrow to TLS 1.0, 1.1, 1.2, or 1.3 only.
  3. Read the detail card: IANA code, joined hex, OpenSSL alias, key exchange, authentication, symmetric cipher, MAC or AEAD, supported TLS versions, and a recommendation note.
  4. Copy the IANA name, the hex, the OpenSSL alias, or the full summary into your server config, ticket, or runbook.
  5. Click any card in the catalog below to inspect a different suite. Filters and search apply to the catalog as well.

About this tool

TLS Cipher Suite Lookup is a searchable catalog of the cipher suites that show up in real TLS deployments, debug logs, and IANA registrations. Paste an IANA hex (such as 0xC02F or 0xC0,0x2F), an OpenSSL alias (such as ECDHE-RSA-AES128-GCM-SHA256), or any component (ECDHE, ChaCha20, GCM, AES-256) and the tool jumps to the matching suite. Each entry breaks the suite into its parts: the key exchange (RSA, DHE, ECDHE, PSK, or TLS 1.3 negotiated separately), the certificate authentication (RSA, ECDSA, anonymous, or any for 1.3), the symmetric cipher with its bit strength (AES-128-GCM, AES-256-GCM, ChaCha20, 3DES, RC4, and others), the MAC or AEAD construction, and the TLS protocol versions the suite is allowed in (1.0 through 1.3). A recommendation badge labels every suite Modern, Secure, Legacy, Weak, Insecure, or Anonymous based on the current Mozilla SSL Configuration Generator profiles and IETF guidance, so you can tell at a glance whether to keep a suite, deprecate it, or remove it outright. Use it to identify a suite you saw in a Wireshark capture, line up an OpenSSL ciphers string with the suites that browsers actually negotiate, or sanity-check a server hardening change before you ship it. All data ships with the page; nothing you type leaves your browser.

Free to use. Works in your browser. No signup, no login.
