aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2021-11-03 12:23:29 +0100
committerKim Alvefur <zash@zash.se>2021-11-03 12:23:29 +0100
commit99a73bdcf62f76d3111e1a25710ff772d35ff1ac (patch)
treed9a5e2d4f801d6ba41c165bb10b04a3c73017358
parentd2ff8032626bb17d332b4e9047c8cc0f0b39fec7 (diff)
downloadprosody-99a73bdcf62f76d3111e1a25710ff772d35ff1ac.tar.gz
prosody-99a73bdcf62f76d3111e1a25710ff772d35ff1ac.zip
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
-rw-r--r--core/certmanager.lua8
1 files changed, 7 insertions, 1 deletions
diff --git a/core/certmanager.lua b/core/certmanager.lua
index bdfefce3..a2d76671 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -248,11 +248,14 @@ local core_defaults = {
}
local mozilla_ssl_configs = {
- -- As of 2019-12-22
+ -- https://wiki.mozilla.org/Security/Server_Side_TLS
+ -- As of 2021-11-03
modern = {
protocol = "tlsv1_3";
options = { cipher_server_preference = false };
ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these
+ curveslist = { "X25519"; "prime256v1"; "secp384r1" };
+ ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
};
intermediate = {
protocol = "tlsv1_2+";
@@ -268,6 +271,8 @@ local mozilla_ssl_configs = {
"DHE-RSA-AES128-GCM-SHA256";
"DHE-RSA-AES256-GCM-SHA384";
};
+ curveslist = { "X25519"; "prime256v1"; "secp384r1" };
+ ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
};
old = {
protocol = "tlsv1+";
@@ -301,6 +306,7 @@ local mozilla_ssl_configs = {
"AES256-SHA";
"DES-CBC3-SHA";
};
+ ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
};
};