Used ciphers for internet.nl changed

[bwbroersma]

In 'old' non docker config (still on batch) currently has:

# TLS 1.3 (suites in server-preferred order)
TLS_AES_256_GCM_SHA384 (0x1302)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS_AES_128_GCM_SHA256 (0x1301)
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)

While single (docker) test uses:

# TLS 1.3 (server has no preference)
TLS_AES_128_GCM_SHA256 (0x1301)
TLS_AES_256_GCM_SHA384 (0x1302)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)
# TLS 1.2 (server has no preference)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)

Was this TLS ciphers and preference change on purpose?

BTW since there is a different root CA + the docker is using Let's Encrypt EC P-256 and batch is using Sectigo RSA 4096, the client simulation cannot really be compared I think.

[bwbroersma]

This was done by just picking a default config from https://ssl-config.mozilla.org/.

The current configuration: https://github.com/internetstandards/Internet.nl/blob/a469e4c151c1740d3f69e36235bc854b0099004a/docker/webserver/nginx_templates/app.conf.template#L138 compared with the current Mozilla intermediate config:

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;

The only difference I see is DHE-RSA-CHACHA20-POLY1305 that is listed in the Mozilla config.

Closing this issue, all good ciphers with a proper support (see https://wiki.mozilla.org/Security/Server_Side_TLS) is ok.