From 7d68ea0570103d4efa101796bc58d765e5ada99d Mon Sep 17 00:00:00 2001
From: Bram Matthys
Date: Fri, 11 Jan 2019 09:19:44 +0100
Subject: [PATCH] Update default ciphers, or actually only the ones not providing PFS, by preferring AES-256 over AES-128 (in contrast to the Mozilla "intermediate" profile which prefers AES-128). Again, this only affects non-PFS cases, as all modern clients with PFS already had CHACHA20 and AES-256 negotiated. The portion of non-PFS clients should only be few percent, if any. I was actually considering removing non-PFS ciphersuites but it seems a bit early to do so, at least not without more research on affected clients.
---
 include/config.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/config.h b/include/config.h
index c476b24d5..0890a4cca 100644
--- a/include/config.h
+++ b/include/config.h
@@ -316,7 +316,7 @@
 /* Default SSL/TLS cipherlist (except for TLS1.3, see further down).
  * This can be changed via set::ssl::options::ciphers in the config file.
  */
-#define UNREALIRCD_DEFAULT_CIPHERS "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-128-GCM-SHA256 TLS13-AES-256-GCM-SHA384 EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA"
+#define UNREALIRCD_DEFAULT_CIPHERS "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256 EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA"
 
 /* Default TLS 1.3 ciphersuites.
  * This can be changed via set::ssl::options::ciphersuites in the config file.
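Review bot: The new `UNREALIRCD_DEFAULT_CIPHERS` string also swaps the two `TLS13-AES-*` tokens, although the comment directly above the define says TLS 1.3 is configured separately and the commit message describes the change as affecting only non-PFS suites. If the TLS library takes TLS 1.3 suites from the separate ciphersuites setting (as released OpenSSL 1.1.1 does), these tokens are probably ignored in this list, so it is worth confirming that the TLS 1.3 default that follows this hunk carries the intended order. The AES-256-first order for the plain-RSA fallbacks only takes effect if the server enforces its own cipher preference rather than the client's, which this hunk does not show. The rationale currently lives only in the commit message; a line in the comment on the define would keep it next to the value, e.g. `* Non-PFS (plain RSA) suites are kept last as a fallback for old clients, AES-256 before AES-128.`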