From 423b33805d51781c63780d797f0b67261da4a7b8 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 28 Aug 2020 00:36:05 +0200
Subject: ssl cipher list prefer chacha20 for tls1.2

---
 chaos-at-home/ch-imap-proxy.yml | 2 ++
 roles/nginx/base/files/snippets/tls.conf | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/chaos-at-home/ch-imap-proxy.yml b/chaos-at-home/ch-imap-proxy.yml
index f3fad1df..967d7613 100644
--- a/chaos-at-home/ch-imap-proxy.yml
+++ b/chaos-at-home/ch-imap-proxy.yml
@@ -39,6 +39,8 @@
 options = NO_SSLv3
 options = NO_TLSv1
 options = NO_TLSv1.1
+ options = CIPHER_SERVER_PREFERENCE
+ ciphers = ECDHE+CHACHA20:ECDHE+AESGCM:DHE+CHACHA20:DHE+AESGCM:ECDHE+AES256:DHE+AES256:ECDHE+AES128:DHE+AES128:!ADH:!AECDH:!MD5:!SHA
 accept = 993
 connect = 127.0.0.1:143
 notify: restart stunnel4
diff --git a/roles/nginx/base/files/snippets/tls.conf b/roles/nginx/base/files/snippets/tls.conf
index 46d43ecb..9c4f7853 100644
--- a/roles/nginx/base/files/snippets/tls.conf
+++ b/roles/nginx/base/files/snippets/tls.conf
@@ -1,5 +1,5 @@
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES128:!RSA:!ADH:!AECDH:!MD5;
+ssl_ciphers ECDHE+CHACHA20:ECDHE+AESGCM:DHE+CHACHA20:DHE+AESGCM:ECDHE+AES256:DHE+AES256:ECDHE+AES128:DHE+AES128:!ADH:!AECDH:!MD5:!SHA;
 ssl_prefer_server_ciphers on;
 ssl_dhparam /etc/ssl/dhparams.pem;
-- 
cgit v1.2.3
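Review bot: The added `ciphers` line in ch-imap-proxy.yml governs TLS 1.2 and earlier only; the hunk disables SSLv3/TLS 1.0/1.1 but not TLS 1.3, so if TLS 1.3 is negotiated its suites come from stunnel's separate `ciphersuites` setting and are unaffected by this ordering, and the same split applies to `ssl_ciphers` in the tls.conf hunk, where `ssl_protocols` explicitly includes TLSv1.3. A one-line comment on each would prevent a later reader from expecting ChaCha20-first to hold for TLS 1.3, e.g. `# TLS 1.2 list only; TLS 1.3 suites are configured separately`. Note also that `!SHA` removes only SHA-1 MAC suites, so the trailing `ECDHE+AES256`/`DHE+AES256`/`*+AES128` groups still admit CBC suites with SHA-256/SHA-384 MACs — a reasonable fallback tail, but worth stating if that is intended rather than an oversight. The stunnel service block that encloses the first hunk begins before the hunk, so I cannot see whether a `ciphersuites` line already exists there.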