# HG changeset patch
# User Kim Alvefur
# Date 1635938609 -3600
# Node ID 9c794d5f6f8db4ef207d390d66df8bfa05f13c0d
# Parent dfb29b5b0a57126be547eb609472deef0431955c
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
diff -r dfb29b5b0a57 -r 9c794d5f6f8d core/certmanager.lua
--- a/core/certmanager.lua Sun Dec 22 02:25:37 2019 +0100
+++ b/core/certmanager.lua Wed Nov 03 12:23:29 2021 +0100
@@ -248,11 +248,14 @@
 }
 local mozilla_ssl_configs = {
- -- As of 2019-12-22
+ -- https://wiki.mozilla.org/Security/Server_Side_TLS
+ -- As of 2021-11-03
 modern = {
 protocol = "tlsv1_3";
 options = { cipher_server_preference = false };
 ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these
+ curveslist = { "X25519"; "prime256v1"; "secp384r1" };
+ ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
 };
 intermediate = {
 protocol = "tlsv1_2+";
@@ -268,6 +271,8 @@
 "DHE-RSA-AES128-GCM-SHA256";
 "DHE-RSA-AES256-GCM-SHA384";
 };
+ curveslist = { "X25519"; "prime256v1"; "secp384r1" };
+ ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
 };
 old = {
 protocol = "tlsv1+";
@@ -301,6 +306,7 @@
 "AES256-SHA";
 "DES-CBC3-SHA";
 };
+ ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
 };
 };
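Review bot: The TLS 1.3 suite list added to `modern` in the first hunk is repeated verbatim in the `intermediate` and `old` hunks, and the `curveslist` value is repeated in `intermediate`, so a later refresh of the presets can update one copy and leave another stale. Defining each list once ahead of the table, for example `local tls13_ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };`, and referencing that name from every preset keeps them in step, assuming nothing downstream mutates the preset tables in place. The `mozilla_ssl_configs` table continues past the end of this hunk.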
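Review bot: In the third hunk the `old` preset receives `ciphersuites` but no `curveslist`, whereas `modern` and `intermediate` get both in this commit. Unless `old` already sets curves in the part of the block above this hunk, its key-exchange groups presumably stay at whatever the TLS library defaults to. If the referenced Mozilla page lists the same curves for the old profile, add `curveslist = { "X25519"; "prime256v1"; "secp384r1" };` beside the new line; if the omission is deliberate, a short comment saying so would help the next reader. The `old` block begins outside the hunk.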