← Blog Β· May 7, 2026 Β· tls, security

TLS 1.2 vs TLS 1.3: What Actually Changed

TLS 1.3 (RFC 8446) was published in 2018 after four years of design and 28 drafts. It's not a polish of 1.2 β€” it's a substantial rewrite that drops a lot of baggage. Here's what's different and why each change matters in production.

The handshake: 2-RTT to 1-RTT

TLS 1.2's handshake takes two round trips before any application data flows. ClientHello β†’ ServerHello + cert + ServerHelloDone β†’ ClientKeyExchange + ChangeCipherSpec + Finished β†’ ServerChangeCipherSpec + Finished. ThenHTTP can start.

TLS 1.3 collapses this to 1-RTT. The client guesses the key-exchange group in the first message and sends its key share immediately. The server picks a group, sends its key share, the certificate, and Finished. Client confirms, sends HTTP. One RTT instead of two β€” measurable as 20–100ms of saved latency on every fresh connection.

With 0-RTT (resumption with early data), TLS 1.3 can send application data in the very first packet. That cuts latency to zero β€” but 0-RTT is replay-vulnerable and should only be used for idempotent GET requests.

Cipher suites: cut from 300+ to 5

TLS 1.2 had hundreds of cipher suite combinations likeECDHE-RSA-AES256-GCM-SHA384. Each one bundled four choices: key exchange, authentication, cipher, MAC. Many were obsolete by the time they were standardized.

TLS 1.3 ships with exactly five suites:

Key exchange and authentication are negotiated separately and only one cipher family (AEAD) is allowed. The cipher suite reference shows which are recommended.

RSA key exchange: removed

In TLS 1.2 you could do RSA key exchange: the client encrypts a pre-master secret with the server's RSA public key. That's simple but has no forward secrecy β€” if the server's private key is ever compromised, every past recorded session can be decrypted.

TLS 1.3 forces (EC)DHE-only key exchange. Every session uses an ephemeral key pair generated for that session and thrown away after. Forward secrecy is no longer optional, no longer a checkbox β€” it's baked into the protocol.

Static RSA, RC4, 3DES, MD5, SHA-1, CBC mode: all gone

Every algorithm with known weaknesses or operational complexity got cut:

TLS 1.3 only ships AEAD ciphers (AES-GCM, ChaCha20-Poly1305, AES-CCM). These encrypt and authenticate in one operation; no separate MAC step, no padding oracle surface area.

What stays the same

Certificates work the same β€” your X.509 cert from Let's Encrypt or any CA works for both 1.2 and 1.3. Server Name Indication (SNI) works the same. ALPN for HTTP/2 and HTTP/3 negotiation works the same. The PKI is unchanged.

Should you turn off TLS 1.2?

For public web traffic, no. TLS 1.3 adoption is over 95% in modern browsers, but you'll still see TLS 1.2 from older email clients, embedded devices, and long-tail HTTP clients. Cutting 1.2 will break things in the long tail without meaningfully improving security β€” 1.2 with modern AEAD suites and forward secrecy is still strong.

The right config in 2026:

Test what you actually offer with SSL Labs or openssl s_client -connect host:443 -tls1_2 -cipher ALL.

Related tools

← All blog posts