Default TLS ciphers: drop support for AES in CBC mode, only allow AES w/GCM.

For reference, the established TLS connections at irc*.unrealircd.org
over the past 6 months were:
  14379 TLSv1.3-TLS_CHACHA20_POLY1305_SHA256
    368 TLSv1.2-ECDHE-ECDSA-AES256-GCM-SHA384
    160 TLSv1.2-ECDHE-ECDSA-CHACHA20-POLY1305
      3 TLSv1.3-TLS_AES_256_GCM_SHA384

There is nobody connecting with AES CBC in those statistics
(ECDHE-ECDSA-AES256-SHA256 and ECDHE-ECDSA-AES128-SHA384).
Bram Matthys 2024-11-17 13:08:46 +01:00
parent 3317be3069
commit 492152f9ea
No known key found for this signature in database
GPG key ID: BF8116B163EAAE98

@ -258,7 +258,7 @@
/* Default TLS cipherlist (except for TLS1.3, see further down).
* This can be changed via set::ssl::options::ciphers in the config file.
*/
#define UNREALIRCD_DEFAULT_CIPHERS "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256"
#define UNREALIRCD_DEFAULT_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256"
/* Default TLS 1.3 ciphersuites.
* This can be changed via set::ssl::options::ciphersuites in the config file.
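
Review bot: the new UNREALIRCD_DEFAULT_CIPHERS value names only ECDHE-ECDSA-* suites, so in addition to removing CBC it removes every ECDHE-RSA suite that the old "EECDH+CHACHA20" and "EECDH+AESGCM" selectors also matched. A server running with an RSA certificate and this default would have no TLS 1.2 cipher it can negotiate. The statistics in the commit message come from irc*.unrealircd.org only and list ECDSA suites exclusively, so they do not show whether other deployments rely on RSA. If ECDSA-only is intended, say so in the comment above the define and in the release notes, pointing RSA users at set::ssl::options::ciphers; otherwise keep the selector form without the CBC entries ("EECDH+CHACHA20 EECDH+AESGCM") or add the ECDHE-RSA GCM and CHACHA20 counterparts. The old value was space-separated and the new one is colon-separated; both are accepted by OpenSSL, but a short note in the comment on the expected format would help people overriding it in the config.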