How to Check Your TLS Cipher Suite

Your TLS cipher suite determines how encrypted your HTTPS connections actually are. A server that accepts TLS 1.0 or RC4 ciphers is technically "HTTPS" but trivially breakable. This guide shows you how to check what your server is negotiating and how to fix it.

Check your cipher suite with openssl

The fastest way — one command shows your TLS version, negotiated cipher, and key size:

openssl s_client -connect yourdomain.com:443 </dev/null 2>&1 | grep -E "New|Cipher|public key"

# Example output (good):
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit

# Example output (bad):
New, TLSv1.1, Cipher is AES256-SHA
Server public key is 1024 bit

For the full chain including intermediate certificates:

openssl s_client -connect yourdomain.com:443 -showcerts </dev/null 2>&1 | head -40

What each field means

Cipher suite rating table

What is Perfect Forward Secrecy?

Perfect Forward Secrecy (PFS) means each session uses a unique ephemeral key. If your private key is ever compromised, an attacker cannot decrypt past recorded traffic. Without PFS (e.g. plain AES256-SHA), all past traffic is retroactively decryptable.

PFS ciphers start with ECDHE or DHE. TLS 1.3 always provides PFS — all TLS 1.3 ciphers are PFS by design.

Disable TLS 1.0 and 1.1 — per stack

Nginx

# /etc/nginx/nginx.conf or site config
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# Test and reload
nginx -t && systemctl reload nginx

# Verify
openssl s_client -connect yourdomain.com:443 </dev/null 2>&1 | grep "New,"

Apache

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLSessionTickets off

# Restart Apache
apachectl configtest && systemctl restart apache2

Cloudflare

# Dashboard → SSL/TLS → Edge Certificates
# Minimum TLS Version: TLS 1.2
# Cipher Suites: Modern
# TLS 1.3: ON

# Cloudflare manages cipher selection — no origin config needed
# "Modern" cipher suite = TLS 1.3 preferred, ECDHE-only for TLS 1.2

HAProxy

frontend https_front
    bind *:443 ssl crt /etc/ssl/certs/fullchain.pem \
        no-sslv3 no-tlsv10 no-tlsv11 \
        ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384 \
        ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

Check TLS version compatibility

Test which TLS versions your server accepts:

# Test specific TLS versions
openssl s_client -connect yourdomain.com:443 -tls1   # Should FAIL
openssl s_client -connect yourdomain.com:443 -tls1_1 # Should FAIL
openssl s_client -connect yourdomain.com:443 -tls1_2 # Should succeed
openssl s_client -connect yourdomain.com:443 -tls1_3 # Should succeed

# If TLS 1.0 or 1.1 succeeds — disable them in your server config above

TLS compression — disable it (CRIME vulnerability)

# Check if compression is enabled
openssl s_client -connect yourdomain.com:443 </dev/null 2>&1 | grep Compression

# "Compression: NONE" = good
# "Compression: zlib" = vulnerable to CRIME attack

# Nginx — compression is disabled by default in modern versions
# If you have this in your config, remove it:
# ssl_compression on;  <-- remove this line

Automated check — SSL Chain Visualizer

Run the openssl command, paste the output into the SSL Chain Visualizer Cipher Suite tab — it scores your configuration 0-100 and generates the exact fix for your stack.