0Pricing
Security+ Academy · Lesson

TLS Versions, Cipher Suites, and Perfect Forward Secrecy

Configure TLS 1.2/1.3, select strong cipher suites, and enable perfect forward secrecy to ensure that captured traffic cannot be decrypted retroactively.

TLS Protocol Overview

TLS (Transport Layer Security) is the cryptographic protocol that secures the majority of internet communications — HTTPS, SMTPS, IMAPS, LDAPS, and VPNs all rely on TLS. TLS provides three security properties: confidentiality (encryption prevents eavesdropping), integrity (MAC prevents tampering), and authentication (certificates verify server identity). TLS evolved from SSL (Secure Sockets Layer), which is now deprecated. The current versions are TLS 1.2 (widely deployed) and TLS 1.3 (faster and more secure, recommended for all new deployments).

TLS Version History and Deprecations

TLS has gone through several versions, with older ones containing critical vulnerabilities. SSL 2.0/3.0: deprecated, vulnerable to POODLE, DROWN attacks. TLS 1.0: deprecated by NIST and PCI-DSS in 2020 (vulnerable to BEAST, POODLE on block ciphers). TLS 1.1: deprecated alongside TLS 1.0. TLS 1.2: current minimum standard; secure when properly configured with strong cipher suites. TLS 1.3: released 2018; removes all weak algorithms, mandatory forward secrecy, significantly faster handshake (1-RTT instead of 2-RTT), and prevents downgrade attacks. PCI-DSS 4.0 requires TLS 1.2 minimum, recommends 1.3.

# TLS version timeline
SSL 2.0   1995  DEPRECATED (DROWN)
SSL 3.0   1996  DEPRECATED (POODLE)
TLS 1.0   1999  DEPRECATED 2020 (BEAST, POODLE)
TLS 1.1   2006  DEPRECATED 2020 (no improvements over 1.0)
TLS 1.2   2008  MINIMUM STANDARD (strong ciphers required)
TLS 1.3   2018  RECOMMENDED (mandatory PFS, faster, secure)

# Check which TLS versions a server supports
nmap --script ssl-enum-ciphers -p 443 example.com
# Or:
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3

All lessons in this course

  1. Replacing Insecure Protocols: Telnet vs SSH, FTP vs SFTP
  2. TLS Versions, Cipher Suites, and Perfect Forward Secrecy
  3. Secure DNS: DNSSEC and DNS over HTTPS (DoH)
  4. IPsec, VPN Protocols, and Remote Access Security
← Back to Security+ Academy