Diff

core/certmanager.lua @ 12097:9c794d5f6f8d

core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
author Kim Alvefur <zash@zash.se>
date Wed, 03 Nov 2021 12:23:29 +0100
parent 12096:dfb29b5b0a57
child 12098:9591b838e3b0
line wrap: on
line diff
--- a/core/certmanager.lua	Sun Dec 22 02:25:37 2019 +0100
+++ b/core/certmanager.lua	Wed Nov 03 12:23:29 2021 +0100
@@ -248,11 +248,14 @@
 }
 
 local mozilla_ssl_configs = {
-	-- As of 2019-12-22
+	-- https://wiki.mozilla.org/Security/Server_Side_TLS
+	-- As of 2021-11-03
 	modern = {
 		protocol = "tlsv1_3";
 		options = { cipher_server_preference = false };
 		ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these
+		curveslist = { "X25519"; "prime256v1"; "secp384r1" };
+		ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
 	};
 	intermediate = {
 		protocol = "tlsv1_2+";
@@ -268,6 +271,8 @@
 			"DHE-RSA-AES128-GCM-SHA256";
 			"DHE-RSA-AES256-GCM-SHA384";
 		};
+		curveslist = { "X25519"; "prime256v1"; "secp384r1" };
+		ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
 	};
 	old = {
 		protocol = "tlsv1+";
@@ -301,6 +306,7 @@
 			"AES256-SHA";
 			"DES-CBC3-SHA";
 		};
+		ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
 	};
 };