Artificial truth

archives | latest | homepage

The more you see, the less you believe.

Disabling 128 bits ciphers on TLS1.3 on nginx
Wed 14 July 2021 — download

Because of Grover's algorithm but also mostly because I was bored, I was curious if I could use only 256 bit ciphers on TLS1.3 on

TLS1.3 sucks way less than its predecessors for a myriad of reasons, and the main one being that it got rid of a metric fuckton of legacy stuff, allowing OpenSSL to only implement 5 ciphersuites, with only 3 enabled by default: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_128_GCM_SHA256.

So the problem boils down to "how do I disable TLS_AES_128_GCM_SHA256?"

Because people tend to not read documentation, old cipher strings may have inadvertently disabled TLS1.3 ciphers, causing issues. This is why OpenSSL split the configuration mechanisms for TLS1.3 and TLS<1.3 in 2018.

Unfortunately, the nginx developers aren't happy with this, calling it a band-aid, so they didn't bother making use of the new API, meaning that it's impossible to tweak TLS1.3 ciphers on nginx with OpenSSL via the ssl_ciphers option.

Enter ssl_conf_command, allowing to directly set OpenSSL configuration commands, like the ciphersuites one for TLS1.3 ciphersuites, not to be confused with cipher for TL1.2 and below.

Anyway, just slap ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256; in your nginx configuration, and enjoy post-quantum ciphers for TLS1.3!

Apart from bragging rights this change is pretty useless, since: