cloudflare / quiche

🥧 Savoury implementation of the QUIC transport protocol and HTTP/3
https://docs.quic.tech/quiche/
BSD 2-Clause "Simplified" License

How to configure allowed cipher suites? #1379

Open lstwn opened 1 year ago

lstwn commented 1 year ago

For a university project I need to configure TLS to only use the TLS_CHACHA20_POLY1305_SHA256 cipher suite. I've seen that I can provide a custom BoringSSL Context when initializing the quiche config by using quiche::Config::with_boring_ssl_ctx(version, ssl_ctx).

However, I'm not even really sure if this is the right approach to restrict TLS to a concrete cipher suite or a set of cipher suites. If it is, could you provide me an example of how to create such a custom BoringSSL context? I could not figure that out by going through the docs of the BoringSSL crate, unfortunately.

I appreciate any pointers and help! Thanks in advance :)

parthibx24 commented 11 months ago

@lstwn hello, did you find a way to change the cipher suite? I too need it to use TLS 1.3!

lstwn commented 11 months ago

Unfortunately, no, I gave up after a while.

gierens commented 9 months ago

Unfortunately this is not possible for the given cipher or TLS 1.3 in general, as the underlying C library, BoringSSL, does not implement this functionality. Citing from its documentation:

"TLS 1.3 ciphers do not participate in this mechanism and instead have a built-in preference order. Functions to set cipher lists do not affect TLS 1.3, and functions to query the cipher list do not include TLS 1.3 ciphers."
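The quoted rule can be observed directly with a cipher-list API of the same family. The following is an added example, not code from quiche, BoringSSL or anyone in this thread: it uses Python's standard-library `ssl` module (which wraps OpenSSL, not BoringSSL, but OpenSSL documents the same behaviour for `SSL_CTX_set_cipher_list`) to apply a restrictive cipher-list string to a context and then inspect what the context would still offer. The cipher-list string and the suite names are constructed inputs; the functions are hypothetical helpers written for this illustration.

```python
import ssl

# Constructed input: a cipher-list string naming a single TLS 1.2 suite.
TLS12_ONLY_LIST = "ECDHE-RSA-AES128-GCM-SHA256"


def restricted_context(cipher_list: str) -> ssl.SSLContext:
    """Build a client context and apply a cipher-list string.

    This is the same mechanism as SSL_CTX_set_cipher_list in BoringSSL/OpenSSL:
    it governs TLS 1.2-and-earlier suites only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return ctx


def suites_by_protocol(ctx: ssl.SSLContext) -> dict:
    """Group every suite the context would offer by the protocol it belongs to,
    e.g. {"TLSv1.3": [...], "TLSv1.2": [...]}."""
    grouped = {}
    for suite in ctx.get_ciphers():
        grouped.setdefault(suite["protocol"], []).append(suite["name"])
    return grouped


def tls13_suites_still_offered(cipher_list: str) -> list:
    """Return the TLS 1.3 suites that remain enabled after restricting the
    cipher list. A non-empty result shows the list did not touch TLS 1.3."""
    return suites_by_protocol(restricted_context(cipher_list)).get("TLSv1.3", [])


def pre_tls13_suites_offered(cipher_list: str) -> list:
    """Return the TLS 1.2-and-earlier suites enabled after the restriction;
    these are the ones the cipher list actually controls."""
    grouped = suites_by_protocol(restricted_context(cipher_list))
    return [name for proto, names in grouped.items() if proto != "TLSv1.3" for name in names]


if __name__ == "__main__":
    print("TLS 1.3 suites still enabled:", tls13_suites_still_offered(TLS12_ONLY_LIST))
    print("Pre-1.3 suites enabled:", pre_tls13_suites_offered(TLS12_ONLY_LIST))
```

Running it shows the restriction taking effect for TLS 1.2 (only the named suite remains) while the TLS 1.3 suites are untouched and still follow the library's built-in preference order. Checking the negotiated suite after the handshake, rather than trusting the configured list, is the reliable way to know which suite a TLS 1.3 connection actually used.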