Skip to content

Commit c672f2b

Browse files
daurnimatordaurnimator
committed
http/tls: update to new mozilla recommendations
This updates to the Mozilla page (https://wiki.mozilla.org/Security/Server_Side_TLS) v5.7
1 parent ddab283 commit c672f2b

File tree

1 file changed

+31
-57
lines changed

1 file changed

+31
-57
lines changed

http/tls.lua

Lines changed: 31 additions & 57 deletions
Original file line numberDiff line numberDiff line change
@@ -19,91 +19,52 @@ end
1919

2020
-- "Modern" cipher list
2121
local modern_cipher_list = cipher_list {
22-
"ECDHE-ECDSA-AES256-GCM-SHA384";
23-
"ECDHE-RSA-AES256-GCM-SHA384";
24-
"ECDHE-ECDSA-CHACHA20-POLY1305";
25-
"ECDHE-RSA-CHACHA20-POLY1305";
26-
"ECDHE-ECDSA-AES128-GCM-SHA256";
27-
"ECDHE-RSA-AES128-GCM-SHA256";
28-
"ECDHE-ECDSA-AES256-SHA384";
29-
"ECDHE-RSA-AES256-SHA384";
30-
"ECDHE-ECDSA-AES128-SHA256";
31-
"ECDHE-RSA-AES128-SHA256";
22+
"TLS_AES_128_GCM_SHA256";
23+
"TLS_AES_256_GCM_SHA384";
24+
"TLS_CHACHA20_POLY1305_SHA256";
3225
}
3326

3427
-- "Intermediate" cipher list
3528
local intermediate_cipher_list = cipher_list {
36-
"ECDHE-ECDSA-CHACHA20-POLY1305";
37-
"ECDHE-RSA-CHACHA20-POLY1305";
3829
"ECDHE-ECDSA-AES128-GCM-SHA256";
3930
"ECDHE-RSA-AES128-GCM-SHA256";
4031
"ECDHE-ECDSA-AES256-GCM-SHA384";
4132
"ECDHE-RSA-AES256-GCM-SHA384";
33+
"ECDHE-ECDSA-CHACHA20-POLY1305";
34+
"ECDHE-RSA-CHACHA20-POLY1305";
4235
"DHE-RSA-AES128-GCM-SHA256";
4336
"DHE-RSA-AES256-GCM-SHA384";
44-
"ECDHE-ECDSA-AES128-SHA256";
45-
"ECDHE-RSA-AES128-SHA256";
46-
"ECDHE-ECDSA-AES128-SHA";
47-
"ECDHE-RSA-AES256-SHA384";
48-
"ECDHE-RSA-AES128-SHA";
49-
"ECDHE-ECDSA-AES256-SHA384";
50-
"ECDHE-ECDSA-AES256-SHA";
51-
"ECDHE-RSA-AES256-SHA";
52-
"DHE-RSA-AES128-SHA256";
53-
"DHE-RSA-AES128-SHA";
54-
"DHE-RSA-AES256-SHA256";
55-
"DHE-RSA-AES256-SHA";
56-
"ECDHE-ECDSA-DES-CBC3-SHA";
57-
"ECDHE-RSA-DES-CBC3-SHA";
58-
"EDH-RSA-DES-CBC3-SHA";
59-
"AES128-GCM-SHA256";
60-
"AES256-GCM-SHA384";
61-
"AES128-SHA256";
62-
"AES256-SHA256";
63-
"AES128-SHA";
64-
"AES256-SHA";
65-
"DES-CBC3-SHA";
66-
"!DSS";
37+
"DHE-RSA-CHACHA20-POLY1305";
6738
}
6839

6940
-- "Old" cipher list
7041
local old_cipher_list = cipher_list {
71-
"ECDHE-ECDSA-CHACHA20-POLY1305";
72-
"ECDHE-RSA-CHACHA20-POLY1305";
73-
"ECDHE-RSA-AES128-GCM-SHA256";
7442
"ECDHE-ECDSA-AES128-GCM-SHA256";
75-
"ECDHE-RSA-AES256-GCM-SHA384";
43+
"ECDHE-RSA-AES128-GCM-SHA256";
7644
"ECDHE-ECDSA-AES256-GCM-SHA384";
45+
"ECDHE-RSA-AES256-GCM-SHA384";
46+
"ECDHE-ECDSA-CHACHA20-POLY1305";
47+
"ECDHE-RSA-CHACHA20-POLY1305";
7748
"DHE-RSA-AES128-GCM-SHA256";
78-
"DHE-DSS-AES128-GCM-SHA256";
79-
"kEDH+AESGCM";
80-
"ECDHE-RSA-AES128-SHA256";
49+
"DHE-RSA-AES256-GCM-SHA384";
50+
"DHE-RSA-CHACHA20-POLY1305";
8151
"ECDHE-ECDSA-AES128-SHA256";
82-
"ECDHE-RSA-AES128-SHA";
52+
"ECDHE-RSA-AES128-SHA256";
8353
"ECDHE-ECDSA-AES128-SHA";
84-
"ECDHE-RSA-AES256-SHA384";
54+
"ECDHE-RSA-AES128-SHA";
8555
"ECDHE-ECDSA-AES256-SHA384";
86-
"ECDHE-RSA-AES256-SHA";
56+
"ECDHE-RSA-AES256-SHA384";
8757
"ECDHE-ECDSA-AES256-SHA";
58+
"ECDHE-RSA-AES256-SHA";
8859
"DHE-RSA-AES128-SHA256";
89-
"DHE-RSA-AES128-SHA";
90-
"DHE-DSS-AES128-SHA256";
9160
"DHE-RSA-AES256-SHA256";
92-
"DHE-DSS-AES256-SHA";
93-
"DHE-RSA-AES256-SHA";
94-
"ECDHE-RSA-DES-CBC3-SHA";
95-
"ECDHE-ECDSA-DES-CBC3-SHA";
96-
"EDH-RSA-DES-CBC3-SHA";
9761
"AES128-GCM-SHA256";
9862
"AES256-GCM-SHA384";
9963
"AES128-SHA256";
10064
"AES256-SHA256";
10165
"AES128-SHA";
10266
"AES256-SHA";
103-
"AES";
10467
"DES-CBC3-SHA";
105-
"HIGH";
106-
"SEED";
10768
"!aNULL";
10869
"!eNULL";
10970
"!EXPORT";
@@ -458,6 +419,15 @@ local spec_to_openssl = {
458419
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = "ECDHE-PSK-CHACHA20-POLY1305";
459420
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = "DHE-PSK-CHACHA20-POLY1305";
460421
TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = "RSA-PSK-CHACHA20-POLY1305";
422+
423+
424+
-- TLS v1.3 cipher suites
425+
426+
TLS_AES_128_GCM_SHA256 = "TLS_AES_128_GCM_SHA256";
427+
TLS_AES_256_GCM_SHA384 = "TLS_AES_256_GCM_SHA384";
428+
TLS_CHACHA20_POLY1305_SHA256 = "TLS_CHACHA20_POLY1305_SHA256";
429+
TLS_AES_128_CCM_SHA256 = "TLS_AES_128_CCM_SHA256";
430+
TLS_AES_128_CCM_8_SHA256 = "TLS_AES_128_CCM_8_SHA256";
461431
}
462432

463433
-- Banned ciphers from https://http2.github.io/http2-spec/#BadCipherSuites
@@ -750,13 +720,17 @@ local default_tls_options = openssl_ctx.OP_NO_COMPRESSION
750720
+ openssl_ctx.OP_SINGLE_ECDH_USE
751721
+ openssl_ctx.OP_NO_SSLv2
752722
+ openssl_ctx.OP_NO_SSLv3
723+
+ openssl_ctx.OP_NO_SSLv3
724+
+ openssl_ctx.OP_NO_TLSv1
725+
+ openssl_ctx.OP_NO_TLSv1_1
726+
+ openssl_ctx.OP_NO_TICKET
753727

754728
local function new_client_context()
755729
local ctx = openssl_ctx.new("TLS", false)
756730
ctx:setCipherList(intermediate_cipher_list)
757731
ctx:setOptions(default_tls_options)
758732
if ctx.setGroups then
759-
ctx:setGroups("P-521:P-384:P-256")
733+
ctx:setGroups("P-521:P-384:P-256:X25519")
760734
else
761735
ctx:setEphemeralKey(openssl_pkey.new{ type = "EC", curve = "prime256v1" })
762736
end
@@ -771,7 +745,7 @@ local function new_server_context()
771745
ctx:setCipherList(intermediate_cipher_list)
772746
ctx:setOptions(default_tls_options)
773747
if ctx.setGroups then
774-
ctx:setGroups("P-521:P-384:P-256")
748+
ctx:setGroups("P-521:P-384:P-256:X25519")
775749
else
776750
ctx:setEphemeralKey(openssl_pkey.new{ type = "EC", curve = "prime256v1" })
777751
end

0 commit comments

Comments
 (0)