DNSCrypt / doh-server

Fast, mature, secure DoH and ODoH server proxy written in Rust. Previously known as doh-proxy and rust-doh.
MIT License

[Feature Request] Support more cipher suites like in dnscrypt-proxy #65

Closed spacesynth closed 2 years ago

spacesynth commented 2 years ago

Hello, I am using this to directly connect to my browser, à la recursive unbound <--> doh-server <--> firefox. Whilst it works amazingly, I'd love support for TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 to be added to the crypto primitives, as the server side runs on an ARM SBC.

I am suggesting a preferred cryptographic cipher flag in the form of `-s, --cipher-suite` followed by an integer representing the cipher.

```toml
## DoH: Use a specific cipher suite instead of the server preference
## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
##  4865 = TLS_AES_128_GCM_SHA256
##  4867 = TLS_CHACHA20_POLY1305_SHA256
```

Preferably all of them. If this is stupid or you are occupied with more important tasks and must close this issue, do not hesitate. I will be able to respect it.

jedisct1 commented 2 years ago

ECDSA with ChaChaPoly is already supported.

If Firefox isn't automatically picking an optimal cipher suite for your hardware, maybe that can be changed in its configuration?

I don't use Firefox due to security concerns but some discussions suggest that there are such settings. Not sure how that applies to TLS 1.3, but looking for keywords such as "cipher" may return properties that can be changed.

spacesynth commented 2 years ago

Same, actually. I don't use Chrome due to proven security issues.

https://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452 https://www.cvedetails.com/product/15031/Google-Chrome.html?vendor_id=1224

https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-best-on-Firefox

I've mitigated it in the meantime. It's all good.

> If Firefox isn't automatically picking an optimal cipher suite for your hardware, maybe that can be changed in its configuration?

It does on every other website that supports all ciphers. Must be a negotiation problem.
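The thread ends with an untested claim that the missing ChaCha20-Poly1305 suite is a negotiation problem. The script below is an added example, not code from doh-server, dnscrypt-proxy or either participant, for checking that claim from the client side: it turns the decimal IDs from the dnscrypt-proxy config comment quoted above into the two-byte wire code points, cross-checks them against the names the local OpenSSL build uses, and probes a DoH server by offering exactly one TLS 1.2 suite and then sending a real RFC 8484 GET over the resulting connection. The host `localhost`, port `3000`, path `/dns-query` and the `example.com` query are assumptions for illustration.

```python
"""Added example for this thread (not doh-server or dnscrypt-proxy code).

Converts the decimal cipher-suite IDs from the quoted dnscrypt-proxy comment
into wire code points, checks them against the local OpenSSL build, and probes
a DoH server by offering exactly one TLS 1.2 suite plus a real DoH GET.
Host, port and path used at the bottom are assumptions for illustration.
"""
import base64
import socket
import ssl
import struct

# Decimal IDs exactly as they appear in the quoted dnscrypt-proxy comment.
DNSCRYPT_PROXY_SUITE_IDS = [49199, 49195, 52392, 52393, 4865, 4867]


def code_point(decimal_id: int) -> bytes:
    """dnscrypt-proxy writes suites as decimals; on the wire they are two bytes."""
    return struct.pack("!H", decimal_id)  # 52393 -> b"\xcc\xa9"


def openssl_name_for(decimal_id: int):
    """Map a code point to the name the local OpenSSL build uses for it.

    Python exposes SSL_CIPHER_get_id(), which for TLS is 0x0300 || code point,
    so the low 16 bits are the IANA value.  Returns None if the build lacks it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for suite in ctx.get_ciphers():
        if suite["id"] & 0xFFFF == decimal_id:
            return suite["name"]
    return None


def build_dns_query(qname: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query: ID 0 (RFC 8484 recommends it for GET caching), RD set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def dns_query_param(qname: str) -> str:
    """RFC 8484 GET form: base64url without '=' padding."""
    return base64.urlsafe_b64encode(build_dns_query(qname)).rstrip(b"=").decode()


def doh_get_request(host: str, path: str, qname: str) -> bytes:
    return (
        f"GET {path}?dns={dns_query_param(qname)} HTTP/1.1\r\n"
        f"Host: {host}\r\nAccept: application/dns-message\r\nConnection: close\r\n\r\n"
    ).encode()


def probe_tls12_suite(host: str, port: int, openssl_name: str, path="/dns-query"):
    """Offer ONE TLS 1.2 suite and report what the server does with it.

    Returns (negotiated_cipher, tls_version, http_status_line) on success, or
    ("rejected", reason, None) if the server refuses the handshake.  TLS 1.3
    suites cannot be pinned this way from Python's ssl module (set_ciphers only
    affects TLS 1.2); use `openssl s_client -ciphersuites ...` for those.
    """
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(openssl_name)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, version, _bits = tls.cipher()
                tls.sendall(doh_get_request(host, path, "example.com"))
                status = tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
        return name, version, status
    except ssl.SSLError as exc:
        return "rejected", exc.reason or str(exc), None


if __name__ == "__main__":
    for dec in DNSCRYPT_PROXY_SUITE_IDS:
        print(f"{dec:>5} = 0x{code_point(dec).hex()}  {openssl_name_for(dec)}")
    # Assumed: a local doh-server terminating TLS itself, as in the reporter's setup.
    print(probe_tls12_suite("localhost", 3000, "ECDHE-ECDSA-CHACHA20-POLY1305"))
```

If the probe comes back `("rejected", "SSLV3_ALERT_HANDSHAKE_FAILURE", None)` the server really does not offer that suite with its certificate (an ECDSA suite needs an ECDSA certificate); if it returns the suite name and an HTTP status line, the server accepts it and the limitation is on the browser side. TLS 1.3 has its own fixed set of suites (4865 and 4867 above are two of them) negotiated separately from the TLS 1.2 list, which is why a TLS 1.2-only cipher setting in a client says nothing about what TLS 1.3 will pick; `openssl s_client -ciphersuites TLS_CHACHA20_POLY1305_SHA256` (OpenSSL 1.1.1 or later) is the equivalent probe for those.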