Because of Grover's algorithm but also mostly because I was bored, I was curious if I could use only 256 bit ciphers on TLS1.3 on dustri.org.
TLS1.3 sucks way less than its predecessors for a myriad of reasons,
the main one being that it got rid of a metric fuckton of legacy stuff,
allowing OpenSSL to only implement 5 ciphersuites,
with only 3 enabled by default:
TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_128_GCM_SHA256.
So the problem boils down to "how do I disable TLS_AES_128_GCM_SHA256?"
Because people tend to not read documentation, old cipher strings may have inadvertently disabled TLS1.3 ciphers, causing issues. This is why OpenSSL split the configuration mechanisms for TLS1.3 and TLS<1.3 in 2018.
Unfortunately, the nginx developers aren't happy with this,
calling it a band-aid, so they didn't bother making use of the new API,
meaning that it's impossible to tweak TLS1.3 ciphers on nginx with OpenSSL
via the ssl_ciphers option.
Enter ssl_conf_command,
which lets you set OpenSSL configuration
commands directly,
like the ciphersuites one for TLS1.3 ciphersuites,
not to be confused with cipher for TLS1.2 and below.
Anyway, just slap ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
in your nginx configuration, and enjoy post-quantum ciphers for TLS1.3!
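To check that a configuration actually does what the paragraph above describes, here is a small added linter (example code written for this post, not something from dustri.org or from nginx) that walks nginx server blocks and reports which TLS1.3 ciphersuites each one will offer. It applies the semantics from the post: ssl_ciphers never touches TLS1.3, only "ssl_conf_command Ciphersuites" does, and without it OpenSSL's three default suites stay on. It also honours nginx's rule that ssl_conf_command is inherited from the http level only when a server block defines none of its own. The nginx config embedded in it is constructed for the example; the two CCM suites in the known-suite list are OpenSSL's two non-default TLS1.3 suites.

```python
"""Lint nginx server blocks for 128-bit TLS 1.3 ciphersuites (added example)."""
import re

# OpenSSL's TLS 1.3 suites: the first three are enabled by default, the CCM ones are not.
OPENSSL_TLS13_DEFAULT = (
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
)
OPENSSL_TLS13_KNOWN = OPENSSL_TLS13_DEFAULT + (
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
)

# Constructed sample config: one server left at OpenSSL defaults, one hardened.
SAMPLE_CONFIG = """
http {
    server {
        listen 443 ssl;
        server_name default.example;   # nothing set: OpenSSL defaults apply
        ssl_protocols TLSv1.3;
        ssl_ciphers ECDHE+AESGCM;      # TLS 1.2 and below only, ignored for TLS 1.3
    }
    server {
        listen 443 ssl;
        server_name hardened.example;
        ssl_protocols TLSv1.3;
        ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
    }
}
"""


def key_bits(suite):
    """Symmetric key length implied by a TLS 1.3 suite name (0 if unrecognised)."""
    m = re.match(r"TLS_(?:AES_(\d+)|(CHACHA20))_", suite)
    if not m:
        return 0
    return int(m.group(1)) if m.group(1) else 256


def parse_directives(text):
    """Minimal nginx config tokenizer: yields (context, name, args) triples.

    context is a tuple of (block_name, block_index) pairs so that two sibling
    'server' blocks stay distinct. Comments are dropped; quoting is not handled,
    which is fine for the directives inspected here.
    """
    tokens = re.findall(r"[^\s;{}#]+|[;{}]|#[^\n]*", text)
    stack, cur, out, n_blocks = [], [], [], 0
    for tok in tokens:
        if tok.startswith("#"):
            continue
        if tok == ";":
            if cur:
                out.append((tuple(stack), cur[0], tuple(cur[1:])))
            cur = []
        elif tok == "{":
            n_blocks += 1
            stack.append((" ".join(cur), n_blocks))
            cur = []
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok)
    return out


def tls13_suites(own, inherited):
    """Effective TLS 1.3 suite list for a server block.

    nginx inherits ssl_conf_command from the enclosing level only if the server
    block has no ssl_conf_command of its own; ssl_ciphers is ignored on purpose.
    """
    cmds = [a for n, a in own if n == "ssl_conf_command"]
    if not cmds:
        cmds = [a for n, a in inherited if n == "ssl_conf_command"]
    suites = list(OPENSSL_TLS13_DEFAULT)
    for args in cmds:
        if len(args) == 2 and args[0] == "Ciphersuites":
            suites = args[1].split(":")
    return suites


def audit(config_text, min_bits=256):
    """Map server_name -> offered TLS 1.3 suites plus those below min_bits or unknown."""
    by_ctx = {}
    for ctx, name, args in parse_directives(config_text):
        by_ctx.setdefault(ctx, []).append((name, args))
    findings = {}
    for ctx, directives in by_ctx.items():
        if not ctx or ctx[-1][0] != "server":
            continue
        server = next((a[0] for n, a in directives if n == "server_name"), "?")
        suites = tls13_suites(directives, by_ctx.get(ctx[:-1], []))
        unknown = [s for s in suites if s not in OPENSSL_TLS13_KNOWN]
        weak = [s for s in suites if s not in unknown and key_bits(s) < min_bits]
        findings[server] = {"suites": suites, "weak": weak, "unknown": unknown}
    return findings


if __name__ == "__main__":
    for server, f in audit(SAMPLE_CONFIG).items():
        print(server, "offers", f["suites"], "weak:", f["weak"], "unknown:", f["unknown"])
```

Run it against your own nginx.conf by replacing SAMPLE_CONFIG with the file's contents; a server that still lists TLS_AES_128_GCM_SHA256 under "weak" is one where the ssl_conf_command line above has not taken effect (typically because it was put in the wrong block, or because ssl_ciphers was edited instead).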
Apart from bragging rights this change is pretty useless, since:
- the key exchange and the authentication aren't post-quantum
- the increased safety margin in the multi-user setting is irrelevant thanks to TLS1.3's randomized nonces.