Reading a cipher suite name
Take TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: it uses ECDHE (Elliptic-Curve Diffie-Hellman Ephemeral) for key exchange, RSA for authentication, AES-256-GCM for bulk encryption, and SHA-384 for the PRF/HMAC. Each component matters. ECDHE provides forward secrecy, even if the server's private key is later compromised, past sessions cannot be decrypted. GCM is an AEAD mode that provides both confidentiality and integrity without a separate MAC.
TLS 1.3 ciphers
TLS 1.3 reduces the cipher list to just five options, all of which are AEAD and provide forward secrecy by default. The key exchange and authentication are negotiated separately, so the cipher name only specifies the AEAD algorithm and hash: e.g. TLS_AES_256_GCM_SHA384. If you're running a server that only serves modern clients, disable TLS 1.2 and below and your cipher list becomes trivial.
What to disable first
Disable any cipher with RC4 (broken), DES or 3DES (SWEET32 attack), NULL (no encryption), EXPORT (intentionally weak), or MD5 (collision attacks). Then disable static RSA key exchange (no forward secrecy). You can validate your server's cipher list at SSL Labs or with nmap --script ssl-enum-ciphers -p 443 TARGET.
Mozilla recommendations
Mozilla's SSL Configuration Generator at ssl-config.mozilla.org provides ready-to-paste nginx/Apache/HAProxy configs for Modern, Intermediate, and Old compatibility profiles. Modern means TLS 1.3 only; Intermediate is the practical choice for most web servers.