Last updated Jan 2026.

# TLS configuration

# Protocols

| Protocol | Year | Security Status | Compliance Status | Key Notes |
|---|---|---|---|---|
| SSL 1.0 | 1994 | ❌ Broken / never released | ❌ Not allowed | Prototype only |
| SSL 2.0 | 1995 | ❌ Insecure | ❌ Prohibited | MITM vulnerabilities |
| SSL 3.0 | 1996 | ❌ Insecure | ❌ Prohibited | POODLE attack |
| PCT 1.0 | 1996 | ❌ Insecure | ❌ Prohibited | Microsoft pre-SSL protocol |
| TLS 1.0 | 1999 | ❌ Deprecated | ❌ Non-compliant | BEAST, weak crypto |
| TLS 1.1 | 2006 | ❌ Deprecated | ❌ Non-compliant | Legacy only |
| TLS 1.2 | 2008 | ⚠️ Secure if hardened | ✅ Compliant | Must use strong ciphers |
| Multi-Protocol Unified Hello (MPUH) | 2017 | Handshake Mechanism | | |
| TLS 1.3 | 2018 | ✅ Secure | ✅ Fully compliant | Recommended standard |

# Ciphers

| # | Cipher | Key Length | Year Introduced | Security Status | Compliance | Notes |
|---|---|---|---|---|---|---|
| 1 | NULL | 0 | 1994 | ❌ Insecure | ❌ Prohibited | No encryption |
| 2 | DES | 56-bit | 1977 | ❌ Broken | ❌ Prohibited | Brute-force broken |
| 3 | RC2 | 40-bit | 1987 | ❌ Broken | ❌ Prohibited | Export-grade weak |
| 4 | RC2 | 56-bit | 1987 | ❌ Broken | ❌ Prohibited | Weak key |
| 5 | RC2 | 128-bit | 1987 | ❌ Deprecated | ❌ Prohibited | Obsolete design |
| 6 | RC4 | 40-bit | 1987 | ❌ Broken | ❌ Prohibited | Stream cipher flaws |
| 7 | RC4 | 56-bit | 1987 | ❌ Broken | ❌ Prohibited | Same weaknesses |
| 8 | RC4 | 64-bit | 1987 | ❌ Broken | ❌ Prohibited | Statistically broken |
| 9 | RC4 | 128-bit | 1987 | ❌ Broken | ❌ Prohibited | Banned by RFC 7465 |
| 10 | 3DES | 168-bit | 1998 | ⚠️ Deprecated | ❌ Prohibited (modern compliance) | SWEET32 attack |
| 11 | AES-128 | 128-bit | 2001 | ✅ Secure | ✅ PCI / NIST / FIPS | Approved standard |
| 12 | AES-256 | 256-bit | 2001 | ✅ Secure | ✅ PCI / NIST / FIPS | Approved standard |
| 13 | ChaCha20-Poly1305 | 256-bit | 2014 | ✅ Secure | | Secure modern AEAD |

# Hash Algorithms

| # | Hash Algorithm | Output Size | Year Introduced | Security Status | Compliance | Notes |
|---|---|---|---|---|---|---|
| 1 | MD5 | 128-bit | 1992 | ❌ Broken | ❌ Prohibited | Collision attacks practical |
| 2 | SHA-1 | 160-bit | 1995 | ❌ Broken | ❌ Prohibited | SHAttered collision |
| 3 | SHA-256 | 256-bit | 2001 | ✅ Secure | ✅ PCI / NIST / FIPS | Approved standard |
| 4 | SHA-384 | 384-bit | 2001 | ✅ Secure | ✅ PCI / NIST / FIPS | Approved standard |
| 5 | SHA-512 | 512-bit | 2001 | ✅ Secure | ✅ PCI / NIST / FIPS | Approved standard |

# Key Exchange

| # | Key Exchange | Year Introduced | Security Status | Compliance | Notes |
|---|---|---|---|---|---|
| 1 | Diffie-Hellman (DH) | 1976 | ⚠️ Secure if 2048-bit+ | ✅ PCI / NIST / FIPS | Vulnerable to Logjam with small groups (<2048-bit) |
| 2 | PKCS (RSA key exchange) | 1977 / 1980s (PKCS #1) | ⚠️ Deprecated in TLS 1.2 | ✅ PCI / NIST / FIPS (legacy) | Forward secrecy not guaranteed; use carefully |
| 3 | Elliptic Curve Diffie-Hellman (ECDH / ECDHE) | 2005 | ✅ Secure | ✅ PCI / NIST / FIPS | Recommended; supports forward secrecy |

# Cipher Suite

| # | Cipher Suite | Status | Recommendation | Notes |
|---|---|---|---|---|
| 1 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ✅ Safe | Use | AEAD, Forward Secrecy (FS), FIPS-approved |
| 2 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ✅ Safe | Use | AEAD, FS, FIPS-approved |
| 3 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ⚠️ Acceptable | Use if GCM not available | CBC, FS, weaker than GCM |
| 4 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ⚠️ Acceptable | Use if GCM not available | CBC, FS |
| 5 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ⚠️ Acceptable | Avoid if possible | CBC, FS, SHA-1 legacy |
| 6 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ⚠️ Acceptable | Avoid if possible | CBC, FS, SHA-1 legacy |
| 7 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ✅ Safe | Use | AEAD, FS, modern cert type |
| 8 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ✅ Safe | Use | AEAD, FS |
| 9 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ⚠️ Acceptable | Use if GCM not available | CBC, FS |
| 10 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ⚠️ Acceptable | Use if GCM not available | CBC, FS |
| 11 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ⚠️ Acceptable | Avoid | CBC, SHA-1 |
| 12 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ⚠️ Acceptable | Avoid | CBC, SHA-1 |
| 13 | TLS_RSA_WITH_AES_256_GCM_SHA384 | ⚠️ Acceptable | Legacy use only | No forward secrecy |
| 14 | TLS_RSA_WITH_AES_128_GCM_SHA256 | ⚠️ Acceptable | Legacy use only | No forward secrecy |
| 15 | TLS_RSA_WITH_AES_256_CBC_SHA256 | ⚠️ Acceptable | Legacy | CBC, no FS |
| 16 | TLS_RSA_WITH_AES_128_CBC_SHA256 | ⚠️ Acceptable | Legacy | CBC, no FS |
| 17 | TLS_RSA_WITH_AES_256_CBC_SHA | ⚠️ Acceptable | Legacy | CBC, SHA-1, no FS |
| 18 | TLS_RSA_WITH_AES_128_CBC_SHA | ⚠️ Acceptable | Legacy | CBC, SHA-1, no FS |
| 19 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | ✅ Safe | Use if ECDHE unavailable | AEAD, FS |
| 20 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | ✅ Safe | Use if ECDHE unavailable | AEAD, FS |
| 21 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | ⚠️ Acceptable | Use if GCM unavailable | CBC, FS |
| 22 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | ⚠️ Acceptable | Use if GCM unavailable | CBC, FS |
| 23 | TLS_RSA_WITH_3DES_EDE_CBC_SHA | ❌ Insecure | Disable | Vulnerable to SWEET32 |
| 24 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | ⚠️ Acceptable | Legacy / rare | CBC, FS |
| 25 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | ⚠️ Acceptable | Legacy / rare | CBC, FS |
| 26 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA | ⚠️ Acceptable | Legacy | CBC, FS |
| 27 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA | ⚠️ Acceptable | Legacy | CBC, FS |
| 28 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | ❌ Insecure | Disable | SWEET32 |
| 29 | TLS_RSA_WITH_RC4_128_SHA | ❌ Insecure | Disable | RC4 banned |
| 30 | TLS_RSA_WITH_RC4_128_MD5 | ❌ Insecure | Disable | RC4 banned |
| 31 | TLS_RSA_WITH_NULL_SHA256 | ❌ Insecure | Disable | No encryption |
| 32 | TLS_RSA_WITH_NULL_SHA | ❌ Insecure | Disable | No encryption |
| 33 | TLS_PSK_WITH_AES_256_GCM_SHA384 | ⚠️ Acceptable | Use cautiously | PSK use cases only |
| 34 | TLS_PSK_WITH_AES_128_GCM_SHA256 | ⚠️ Acceptable | Use cautiously | PSK only |
| 35 | TLS_PSK_WITH_AES_256_CBC_SHA384 | ⚠️ Acceptable | Use cautiously | CBC, PSK |
| 36 | TLS_PSK_WITH_AES_128_CBC_SHA256 | ⚠️ Acceptable | Use cautiously | CBC, PSK |
| 37 | TLS_PSK_WITH_NULL_SHA384 | ❌ Insecure | Disable | No encryption, PSK |
| 38 | TLS_PSK_WITH_NULL_SHA | ❌ Insecure | Disable | No encryption, PSK |

# Old

| No | Server Protocol | Meaning | Strict | PCI | Best | FIPS | InUse |
|---|---|---|---|---|---|---|---|
| 1 | Multi-Protocol Unified Hello | Legacy | | | | | |
| 2 | PCT 1.0 | Legacy | | | | | |
| 3 | SSL 2.0 | Legacy | | | | | |
| 4 | SSL 3.0 | Legacy | | | | | |
| 5 | TLS 1.0 | Deprecated – no longer PCI compliant | | | Best | FIPS | |
| 6 | TLS 1.1 | Deprecated – no longer PCI compliant | | | Best | FIPS | |
| 7 | TLS 1.2 | Mandatory | Strict | PCI | Best | FIPS | InUse |
| 8 | TLS 1.3 | Mandatory | Strict | PCI | Best | FIPS | InUse |

| No | Server Protocol | Strict | PCI | Best | FIPS | InUse |
|---|---|---|---|---|---|---|
| Ciphers | ||||||
| 1 | NULL | |||||
| 2 | DES 56/56 | |||||
| 3 | RC2 40/128 | |||||
| 4 | RC2 56/128 | |||||
| 5 | RC2 128/128 | |||||
| 6 | RC4 40/128 | |||||
| 7 | RC4 56/128 | |||||
| 8 | RC4 64/128 | |||||
| 9 | RC4 128/128 | |||||
| 10 | Triple DES 168 | Strict | PCI | Best | FIPS | |
| 11 | AES 128/128 | Strict | PCI | Best | FIPS | InUse |
| 12 | AES 256/256 | Strict | PCI | Best | FIPS | InUse |
| Hashes | ||||||
| 1 | MD5 | Strict | PCI | Best | ||
| 2 | SHA | Strict | PCI | Best | FIPS | |
| 3 | SHA 256 | Strict | PCI | Best | FIPS | InUse |
| 4 | SHA 384 | Strict | PCI | Best | FIPS | InUse |
| 5 | SHA 512 | Strict | PCI | Best | FIPS | InUse |
| Key Exchange | ||||||
| 1 | Diffie-Hellman | Strict | PCI | Best | FIPS | InUse |
| 2 | PKCS | Strict | PCI | Best | FIPS | InUse |
| 3 | ECDH | Strict | PCI | Best | FIPS | InUse |

# Ciphers

| No | Cipher | Strict | PCI | Best | FIPS | TLS 1.2 InUse |
|---|---|---|---|---|---|---|
| 1 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | Strict | PCI | Best | FIPS | TLS 1.2 InUse |
| 2 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | Strict | PCI | Best | FIPS | TLS 1.2 InUse |
| 3 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | Strict | PCI | Best | FIPS | TLS 1.2 InUse |
| 4 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | Strict | PCI | Best | FIPS | TLS 1.2 InUse |
| 5 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | Strict | PCI | Best | FIPS | TLS 1.2 InUse |
| 6 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | Strict | PCI | Best | FIPS | TLS 1.2 InUse |
| 7 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | Strict | PCI | Best | FIPS | TLS 1.2 InUse |
| 8 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | Strict | PCI | Best | FIPS | TLS 1.2 InUse |
| 9 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | Strict | PCI | Best | FIPS | TLS 1.2 InUse |
| 10 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | Strict | PCI | Best | FIPS | TLS 1.2 InUse |
| 11 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | Strict | PCI | Best | FIPS | TLS 1.2 InUse |
| 12 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | Strict | PCI | Best | FIPS | TLS 1.2 InUse |
| 13 | TLS_RSA_WITH_AES_256_GCM_SHA384 | | PCI | Best | FIPS | |
| 14 | TLS_RSA_WITH_AES_128_GCM_SHA256 | | PCI | Best | FIPS | |
| 15 | TLS_RSA_WITH_AES_256_CBC_SHA256 | | PCI | Best | FIPS | |
| 16 | TLS_RSA_WITH_AES_128_CBC_SHA256 | | PCI | Best | FIPS | |
| 17 | TLS_RSA_WITH_AES_256_CBC_SHA | | PCI | Best | FIPS | TLS 1.2 InUse |
| 18 | TLS_RSA_WITH_AES_128_CBC_SHA | | PCI | Best | FIPS | TLS 1.2 InUse |
| 19 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | | | | FIPS | |
| 20 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | | | | FIPS | |
| 21 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | | | | FIPS | |
| 22 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | | | | FIPS | |
| 23 | TLS_RSA_WITH_3DES_EDE_CBC_SHA | | | | FIPS | |
| 24 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | | | | FIPS | |
| 25 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | | | | FIPS | |
| 26 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA | | | | FIPS | |
| 27 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA | | | | FIPS | |
| 28 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | | | | FIPS | |
| 29 | TLS_RSA_WITH_RC4_128_SHA | | | | | |
| 30 | TLS_RSA_WITH_RC4_128_MD5 | | | | | |
| 31 | TLS_RSA_WITH_NULL_SHA256 | | | | | |
| 32 | TLS_RSA_WITH_NULL_SHA | | | | | |
| 33 | TLS_PSK_WITH_AES_256_GCM_SHA384 | | | | | |
| 34 | TLS_PSK_WITH_AES_128_GCM_SHA256 | | | | | |
| 35 | TLS_PSK_WITH_AES_256_CBC_SHA384 | | | | | |
| 36 | TLS_PSK_WITH_AES_128_CBC_SHA256 | | | | | |
| 37 | TLS_PSK_WITH_NULL_SHA384 | | | | | |
| 38 | TLS_PSK_WITH_NULL_SHA256 | | | | | |