The safest TLS 1.2 baseline is much narrower than most configs allow
- Prefer ECDHE-based suites with AEAD, especially AES-GCM; they give you forward secrecy and simpler integrity protection.
- Use ECDSA or RSA certificates based on what your ecosystem supports, but keep the key exchange ephemeral.
- Treat ChaCha20-Poly1305 as a strong option for devices that lack AES acceleration or need better mobile performance.
- Disable RC4, 3DES, static RSA, NULL, export-grade suites, and TLS 1.0 or 1.1.
- For UK organisations, the NCSC baseline is clear: keep TLS 1.2 only where needed, but plan the move to TLS 1.3.

What a TLS 1.2 suite actually bundles
A TLS 1.2 suite is a bundle, not a single algorithm. The name tells you how the connection will agree on keys, how the server proves its identity, and how traffic will be encrypted and authenticated after the handshake finishes. Once you can read that bundle, the rest of the configuration conversation becomes much easier.
Key exchange is where forward secrecy starts
The most important design choice is whether the suite uses ephemeral key exchange. I look for ECDHE first, because it creates fresh session keys for every handshake. If a server certificate is ever compromised later, past traffic is still much harder to recover. That is the practical meaning of forward secrecy, and it is the first filter I apply.
Authentication tells you who the server is
The next part of the name usually signals RSA or ECDSA authentication. That only describes the signature method used by the certificate, not the entire trust model. RSA is still common because it fits older certificate chains and infrastructure. ECDSA is often leaner and faster, but it needs cleaner ecosystem support and proper curve handling. I usually decide that part based on interoperability, not fashion.
Read Also: TLS 1.3 Upgrade Guide - Migrate Safely, Avoid Downtime
Encryption and integrity define the real security posture
The final part matters just as much. AES-GCM is an AEAD mode, which means it combines encryption and integrity in one construction. ChaCha20-Poly1305 does the same and is especially attractive when a device does not have strong AES hardware support. CBC-based suites can still exist in TLS 1.2, but they need more care and are far easier to misconfigure. That is why the same protocol version can be either solid or fragile depending on the suite list.
Once the structure is clear, the next step is deciding which suites I would actually keep turned on.
Which suites are strong enough in 2026
My shortlist is small. For most web, API, and mail workloads, I want ECDHE plus AEAD, with AES-128-GCM as the default and AES-256-GCM only when a policy or compliance requirement really calls for it. The gain from 256-bit AES is often smaller than teams expect; in practice, the bigger win is forward secrecy and a clean handshake.
| Suite family | Why I keep it | Best use |
|---|---|---|
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | Broad compatibility, forward secrecy, AEAD, and a sensible default for mixed environments | Public websites, APIs, and most enterprise services |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | Same security profile, usually leaner when your certificate stack supports ECDSA well | Modern deployments with ECDSA certificates |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | Useful when policy wants a 256-bit AES option without sacrificing forward secrecy | Regulated or policy-driven environments |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | High-security variant with the same structural advantages as the other ECDHE suites | Systems already committed to ECDSA |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 and ECDSA equivalent | Excellent when AES acceleration is weak or absent; often feels faster on mobile and software-only stacks | Phones, embedded devices, and lean virtual machines |
What I would disable without debate
My cutoff is blunt. If a suite does not give me forward secrecy, or it depends on an algorithm with a long public deprecation trail, I remove it. The point is not to preserve every possible connection; the point is to protect the connections that matter.
- RC4 has no place in a modern configuration. It is formally prohibited for TLS negotiation.
- 3DES is too small in block size for comfortable long-lived use and belongs in the archive.
- Static RSA key exchange gives you no forward secrecy, so a later key leak can expose older sessions.
- NULL and export-grade suites are legacy artifacts and should never be part of a normal production policy.
- TLS 1.0 and 1.1 are deprecated and should be shut off wherever compatibility allows it.
- CBC-only suites should be treated as a temporary bridge, not a steady-state design.
The reason I am hard on CBC is simple: it is easier to get wrong, and the failure modes are less forgiving than AEAD. If you absolutely must keep a CBC suite around, the configuration needs explicit justification, a retirement date, and verification that the safer alternatives are already available to the clients you care about. From there, the more interesting question is how to choose a profile that fits the actual environment.
How I choose a profile for real-world systems
The right profile depends on who must connect, not on what looks best in a lab. A public website with modern browsers, a payment gateway with older partners, and an internal line-of-business app all have different tolerance for change. I would not configure them the same way.
| Environment | Profile I would use | Trade-off |
|---|---|---|
| Public web or API | ECDHE_RSA or ECDHE_ECDSA with AES-128-GCM first, ChaCha20-Poly1305 as a strong alternative | Best balance of security and broad support |
| UK government or regulated estate | Follow the NCSC recommended TLS 1.2 profile and keep TLS 1.3 enabled wherever possible | Strong baseline, but with a clear path to retire 1.2 |
| Legacy B2B integration | Keep one compatibility profile with CBC only if there is no faster migration path | Short-term bridge, not an end state |
| Mobile or CPU-constrained service | ChaCha20-Poly1305 with ECDHE | Often better performance when AES hardware is weak |
If the server software lets me control preference order, I make the strongest common suite win. That detail sounds minor, but it changes outcomes. A server that technically supports good suites can still negotiate a weaker one if its order is sloppy, and that is one of the easiest mistakes to miss in testing. Once that is sorted, the next problem is usually human, not cryptographic.
Common mistakes that make a good suite look bad
Most failures I see are configuration failures, not algorithm failures. The stack may support strong crypto, yet the deployment still ends up weaker than it needs to be because someone left an old fallback on or never tested the actual client mix.
- Leaving old protocol versions enabled because one stubborn device still uses them.
- Putting weaker suites ahead of stronger ones and assuming the client will sort it out.
- Mixing modern suites with weak certificates so the handshake still inherits old trust problems.
- Testing only with one browser or one scanner instead of the real client population.
- Thinking TLS 1.2 automatically means secure without checking the exact algorithms being negotiated.
I also pay attention to curve choice, even though it is not encoded directly in the suite name. P-256 is the default interoperability answer in many environments, and X25519 is a strong alternative where support exists. If your deployment supports both, that gives you room to tune for compatibility without giving up the security properties you actually need. With that in mind, the last step is deciding how to retire TLS 1.2 cleanly instead of leaving it in place forever.
How I would phase TLS 1.2 out without breaking clients
I treat TLS 1.2 as a managed exception, not a destination. The NCSC guidance is explicit that TLS 1.2 still has a role where strong cryptographic choices are made, but it also makes clear that TLS 1.2 will not receive the same future-looking upgrades as TLS 1.3. That matters if your data has a long confidentiality lifetime, because you do not want to discover too late that the bridge was never meant to be permanent.
- Inventory every endpoint that still depends on TLS 1.2 and note which clients actually use it.
- Turn on TLS 1.3 first, then keep a narrow TLS 1.2 fallback only where the logs prove it is still needed.
- Prefer ECDHE plus AEAD, and make the compatibility profile the exception rather than the default.
- Watch handshake telemetry so you can see when the old path is no longer being used in practice.
- Set a retirement date and remove the fallback once the long tail has been handled.