What is this?
TLS cipher suites are the cryptographic algorithms your web server uses to negotiate an HTTPS connection with the browser: key exchange, authentication, encryption, integrity. The lists on server and client must overlap, otherwise the connection fails.
Outdated ciphers (3DES, RC4, CBC without AEAD) are not just cryptographically broken but also trigger compliance findings (BSI TR-02102-2, PCI-DSS, IT-Grundschutz). This tool produces a conservative, BSI-compliant list - with output formats for the most common web servers.
When do I need it?
Whenever you install a new web server or reverse proxy, and as a routine check every 12-24 months. TLS standards evolve; what was acceptable in 2023 may already be deprecated in 2026.
Tip: after a change, double-check via ssllabs.com/ssltest/ - you see at a glance which ciphers actually get negotiated.