Module 2 · TLS in Practice 🔒

TLS (Transport Layer Security) is the protocol that secures nearly every HTTPS, SMTPS, and many other connections. Knowing what version, cipher suites, and configuration to deploy — and how to test them — is essential. This module covers TLS 1.2 / 1.3 in 2026, certificate validation, common misconfigurations, and the testing approach that matters.

TLS versions in 2026

• TLS 1.0, 1.1 — deprecated, removed from major browsers since 2020. Disable in any service config
• TLS 1.2 — still acceptable; widespread support; backward compatibility
• TLS 1.3 — modern default; faster handshake, simpler protocol, fewer footguns. Should be preferred

Mature deployments: TLS 1.2 + 1.3 enabled, all earlier versions disabled.

The handshake (1.3 simplified)

CLIENT                                       SERVER
ClientHello (key_share, cipher_suites, ALPN) →
                                          ← ServerHello + Certificate + Finished
                                            (encrypted from this point)
Finished                                  →
[Application Data]                        ↔

TLS 1.3 reduced the handshake to one round-trip (vs 1.2’s two), simplified cipher suite negotiation, mandatory perfect forward secrecy, removed many legacy options.

Cipher suites — what to enable

TLS 1.3 cipher suite list is short:

• TLS_AES_256_GCM_SHA384
• TLS_CHACHA20_POLY1305_SHA256
• TLS_AES_128_GCM_SHA256

All three are acceptable. Order them based on your server’s hardware (AES-NI present → AES-GCM faster; absent → ChaCha20 faster).