ciphersuites
Cipher suites are sets of cryptographic algorithms that determine the security properties of a TLS/SSL connection. They specify the methods used for key exchange, server and client authentication, bulk data encryption, and data integrity. In practice, a cipher suite encodes four elements: a key-exchange method (for example, RSA, Diffie-Hellman, or Elliptic-Curve Diffie-Hellman), an authentication method (often paired with the key exchange), a bulk cipher (such as AES in GCM mode or ChaCha20-Poly1305), and a hash function for the message authentication code or pseudo-random function (such as SHA-256). During the TLS handshake, the client and server announce their supported cipher suites; the server selects one that is mutually supported. The chosen suite then governs how all subsequent records are encrypted and validated.
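An added example (not from the original page): a Python sketch that splits IANA suite names into the elements described above, flags suites that lack forward secrecy or use CBC, and models the server's choice. The function names, the server-preference ordering and the sample offer lists are assumptions for illustration; TLS 1.3 names are treated as forward-secret on the assumption of a full (EC)DHE handshake rather than PSK-only resumption.

```python
import re

# TLS 1.2 and earlier: TLS_<kx>[_<auth>]_WITH_<cipher>_<hash>
LEGACY = re.compile(r"^TLS_(?P<kx>[A-Z0-9]+)(?:_(?P<auth>[A-Z0-9]+))?"
                    r"_WITH_(?P<cipher>[A-Z0-9_]+)_(?P<hash>SHA\d*)$")
# TLS 1.3: TLS_<cipher>_<hash>; key exchange and authentication are not in the name
TLS13 = re.compile(r"^TLS_(?P<cipher>[A-Z0-9_]+)_(?P<hash>SHA\d+)$")

def parse_suite(name):
    """Split an IANA cipher suite name into its components."""
    m = LEGACY.match(name)
    if m:
        s = m.groupdict()
        s["auth"] = s["auth"] or s["kx"]  # TLS_RSA_WITH_...: RSA does both jobs
        s["tls13"] = False
    else:
        m = TLS13.match(name)
        if not m:
            raise ValueError(f"unrecognised cipher suite name: {name}")
        s = {"kx": None, "auth": None, **m.groupdict(), "tls13": True}
    # Ephemeral (EC)DH gives forward secrecy. Assumption: a TLS 1.3 suite is
    # used with a full (EC)DHE handshake, not PSK-only resumption.
    s["forward_secrecy"] = s["tls13"] or s["kx"] in ("ECDHE", "DHE")
    s["cbc"] = s["cipher"].endswith("_CBC")
    return s

def findings(name):
    """Return the policy concerns for one suite (empty list means none)."""
    s = parse_suite(name)
    checks = [(not s["forward_secrecy"], "no forward secrecy"),
              (s["cbc"], "CBC mode")]
    return [msg for bad, msg in checks if bad]

def select_suite(client_offer, server_prefs):
    """First server-preferred suite the client also offers, else None."""
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)

if __name__ == "__main__":
    # Constructed sample offer lists, not captured from a real handshake.
    client = ["TLS_RSA_WITH_AES_128_CBC_SHA",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
    server = ["TLS_AES_128_GCM_SHA256",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_RSA_WITH_AES_128_CBC_SHA"]
    print("selected:", select_suite(client, server))
    for name in client:
        print(name, findings(name) or "ok")
```

A `None` result from `select_suite` corresponds to a handshake that fails because no suite is mutually supported.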
In TLS 1.2 and earlier, the MAC and PRF are separate, and many suites use CBC modes
Examples include TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_AES_128_GCM_SHA256. Security guidance emphasizes preferring modern ECDHE-based suites with forward secrecy and