mumble-voip / mumble

Mumble is an open-source, low-latency, high quality voice chat software.
https://www.mumble.info

configured sslCiphers not respected. #6465

Open eebssk1 opened 2 weeks ago

eebssk1 commented 2 weeks ago

The issue

I configured sslCiphers=DHE-RSA-CHACHA20-POLY1305 in the server ini to disable AES. However, when starting the server, the following log line indicates it is not respected, and clients still connect with AES encryption.

2024-06-12 13:01:34.054 MetaParams: TLS cipher preference is "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-CHACHA20-POLY1305"

Mumble version: 1.5.634
Mumble component: Server
OS: Linux
Additional information: No response
eebssk1 commented 2 weeks ago

I had to clear tls1.3 and unintended ciphers in openssl.cnf to make it work.

Krzmbrzl commented 2 weeks ago

openssl.cnf as in the OpenSSL config file? The intended way is that this is not required :thinking:

Does the Mumble config setting (without changed OpenSSL config) come into effect when you create a fresh server (that doesn't reuse the old's database)?

eebssk1 commented 2 weeks ago

> openssl.cnf as in the OpenSSL config file? The intended way is that this is not required 🤔
>
> Does the Mumble config setting (without changed OpenSSL config) come into effect when you create a fresh server (that doesn't reuse the old's database)?

So I dug a little.

It looks like the official client does not support ChaCha20 in (EC)DHE mode. And it seems the sslCiphers config option does not accept cipher suite names, which means the only way for me is to remove the AES one from the ciphersuites in openssl.cnf so the ChaCha20 one is the preferred. Maybe it's better to separate the config options for TLS 1.3 and TLS 1.2 and older, as OpenSSL indicates that they are unrelated.

eebssk1 commented 1 week ago

So for clarification: I'm still using TLS 1.3, but with only the ChaCha20 one. I removed the AES ciphersuites from openssl.cnf since the Mumble config does not recognise ciphersuite names, which means I cannot set the preference there.
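The last two comments come down to a property of OpenSSL that is easy to check directly: there are two independent lists. `SSL_CTX_set_cipher_list()` (what a `CipherString`-style value such as `DHE-RSA-CHACHA20-POLY1305` feeds) only governs TLS 1.2 and older, while the TLS 1.3 suites live in a separate list that only `SSL_CTX_set_ciphersuites()` or the `Ciphersuites` directive in openssl.cnf can change. That is why the logged preference in the report still starts with three `TLS_*` suites. The script below is an added example, not code from the Mumble project or from anyone in this thread; it uses Python's standard `ssl` module because `SSLContext.set_ciphers()` is a thin wrapper over `SSL_CTX_set_cipher_list()`, and the stdlib deliberately exposes no way to set the TLS 1.3 list, so the config file is the only lever, which is the workaround the reporter landed on. The `openssl.cnf` contents in `OPENSSL_CNF` are my reconstruction of that workaround (section names follow OpenSSL's documented `ssl_conf` module), not the reporter's actual file.

```python
"""Added example: OpenSSL keeps two separate cipher lists.

SSLContext.set_ciphers() is SSL_CTX_set_cipher_list(), which only governs
TLS 1.2 and older.  TLS 1.3 suites are a second list that only
SSL_CTX_set_ciphersuites() or the "Ciphersuites" directive in openssl.cnf
can change; Python's stdlib exposes neither, so the config file is the lever.
"""
import json
import os
import ssl
import subprocess
import sys
import tempfile

# The sslCiphers value from the bug report.
REPORTED_CIPHER_STRING = "DHE-RSA-CHACHA20-POLY1305"

# Assumed reconstruction of the openssl.cnf edit the reporter describes:
# keep only ChaCha20 in the TLS 1.3 list so AES-GCM can no longer be
# negotiated.  Section names follow OpenSSL's config(5) "ssl_conf" module;
# the file contents are this example's, not the reporter's actual file.
OPENSSL_CNF = """\
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256
CipherString = DHE-RSA-CHACHA20-POLY1305
"""


def ciphers_by_protocol(cipher_string: str) -> dict[str, list[str]]:
    """Apply cipher_string the way SSL_CTX_set_cipher_list() does and return
    the resulting offer, bucketed by the protocol version each entry needs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    buckets: dict[str, list[str]] = {}
    for entry in ctx.get_ciphers():
        buckets.setdefault(entry["protocol"], []).append(entry["name"])
    return buckets


def preference_string(cipher_string: str) -> str:
    """Colon-joined form of the full offer, as a server log would print it;
    OpenSSL places the TLS 1.3 suites in front of whatever was configured."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ":".join(entry["name"] for entry in ctx.get_ciphers())


def tls13_suites_under_config(cnf_text: str) -> list[str]:
    """Start a fresh interpreter with OPENSSL_CONF pointing at cnf_text and
    report the TLS 1.3 suites its server contexts then offer.  A subprocess
    is needed because OpenSSL reads its config once, at library init.
    Only TLS 1.3 is reported: Python resets the TLS 1.2 list to its own
    default when building an SSLContext, so CipherString is not visible here."""
    probe = (
        "import ssl, json;"
        "c = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER);"
        "print(json.dumps([d['name'] for d in c.get_ciphers()"
        " if d['protocol'] == 'TLSv1.3']))"
    )
    fd, path = tempfile.mkstemp(suffix=".cnf")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(cnf_text)
        env = dict(os.environ, OPENSSL_CONF=path)
        out = subprocess.run([sys.executable, "-c", probe], env=env,
                             capture_output=True, text=True, check=True)
        return json.loads(out.stdout)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    offer = ciphers_by_protocol(REPORTED_CIPHER_STRING)
    print("TLS 1.2 list after set_ciphers():", offer.get("TLSv1.2"))
    print("TLS 1.3 list, untouched by it:   ", offer.get("TLSv1.3"))
    print("logged preference would read:    ", preference_string(REPORTED_CIPHER_STRING))
    print("TLS 1.3 list with the cnf applied:", tls13_suites_under_config(OPENSSL_CNF))
```

Run it and the first two lines show the split: the TLS 1.2 bucket holds only `DHE-RSA-CHACHA20-POLY1305`, while the TLS 1.3 bucket still lists the AES-GCM suites, and the joined string has the same shape as the `MetaParams` log line in the report. The last line shows the reporter's approach working: with the `Ciphersuites` directive applied through `OPENSSL_CONF`, a fresh process offers only `TLS_CHACHA20_POLY1305_SHA256` for TLS 1.3. A server that wants to honour a ciphersuite name in its own config has to route it to the TLS 1.3 list itself (for OpenSSL, `SSL_CTX_set_ciphersuites()`), which is the separation the comment above suggests.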