[PATCH 0 of 3] QUIC ciphers cleanup and CCM support

Sergey Kandaurov pluknet at nginx.com
Fri Jun 16 23:44:38 UTC 2023


> On 9 Jun 2023, at 11:12, Roman Arutyunyan <arut at nginx.com> wrote:
> 
> Patches 1 & 2 do minor cleanup in encryption code.
> 
> Patch 3 adds TLS_AES_128_CCM_SHA256 support to QUIC, which currently is the
> only cipher suite not supported by nginx QUIC implementation.  It's disabled
> by default in OpenSSL and can be enabled by the following directive:
> 
>    ssl_conf_command Ciphersuites TLS_AES_128_CCM_SHA256;

Note that it is disabled in Chrome and Firefox, further limiting its use.
https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=73
https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=80
(same for FF 114 and Chrome 114 latest versions).

It appears to be enabled though in RHEL and derivatives:
https://www.redhat.com/en/blog/transport-layer-security-version-13-red-hat-enterprise-linux-8

/etc/crypto-policies/back-ends/opensslcnf.config:
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256

-- 
Sergey Kandaurov

