From 99a73bdcf62f76d3111e1a25710ff772d35ff1ac Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Wed, 3 Nov 2021 12:23:29 +0100
Subject: core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets

---
 core/certmanager.lua | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/core/certmanager.lua b/core/certmanager.lua
index bdfefce3..a2d76671 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -248,11 +248,14 @@ local core_defaults = {
 }
 
 local mozilla_ssl_configs = {
-	-- As of 2019-12-22
+	-- https://wiki.mozilla.org/Security/Server_Side_TLS
+	-- As of 2021-11-03
 	modern = {
 		protocol = "tlsv1_3";
 		options = { cipher_server_preference = false };
 		ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these
+		curveslist = { "X25519"; "prime256v1"; "secp384r1" };
+		ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
 	};
 	intermediate = {
 		protocol = "tlsv1_2+";
@@ -268,6 +271,8 @@ local mozilla_ssl_configs = {
 			"DHE-RSA-AES128-GCM-SHA256";
 			"DHE-RSA-AES256-GCM-SHA384";
 		};
+		curveslist = { "X25519"; "prime256v1"; "secp384r1" };
+		ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
 	};
 	old = {
 		protocol = "tlsv1+";
@@ -301,6 +306,7 @@ local mozilla_ssl_configs = {
 			"AES256-SHA";
 			"DES-CBC3-SHA";
 		};
+		ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
 	};
 };
 
-- cgit v1.2.3
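Review bot: The same `ciphersuites` literal is written out three times (once in each of the three hunks, for `modern`, `intermediate` and `old`) and the `curveslist` literal twice, so the next refresh of the Mozilla presets has to edit five places that must stay identical; hoisting them above `mozilla_ssl_configs` as `local mozilla_tls13_ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };` and `local mozilla_curves = { "X25519"; "prime256v1"; "secp384r1" };` and referencing those from each preset keeps the three profiles in lockstep. That sharing is only safe if preset tables are treated as read-only downstream; if the code that merges presets into the effective TLS config mutates them, give each preset its own copy instead. The `-- As of 2021-11-03` comment pins a date but the linked wiki page is edited continuously, so recording the Mozilla guideline version that was copied (e.g. `-- As of 2021-11-03, Mozilla guideline version <VERSION>`) would make later audits reproducible. Whether `ciphersuites` and `curveslist` are honoured or silently ignored by older LuaSec/OpenSSL builds is not visible here; if they can be ignored, the `modern` profile would quietly fall back to the library's default TLS 1.3 suites, which is worth a note next to the `ciphers = "DEFAULT"` comment. The `mozilla_ssl_configs` table begins in the first hunk and its closing brace is in the third.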