Skip to main content

9. Mandatory Cipher Suites

In the absence of an application profile standard specifying otherwise, a TLS-compliant application MUST implement the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5 for definition).

This cipher suite provides:

  • Key Exchange: RSA
  • Encryption Algorithm: AES-128-CBC
  • MAC Algorithm: HMAC-SHA1

This cipher suite was chosen as the mandatory-to-implement to ensure that any two TLS 1.2-compliant implementations have at least one common cipher suite available, thereby guaranteeing basic interoperability.

Note: While TLS_RSA_WITH_AES_128_CBC_SHA is mandatory to implement, modern deployments should prioritize stronger cipher suites, particularly those providing Forward Secrecy, such as ECDHE cipher suites.

Last updated on