Title: Disabling 128-bit ciphers on TLS1.3 on nginx
Date: 2021-07-14 17:30

Because of [Grover's algorithm](https://en.wikipedia.org/wiki/Grover%27s_algorithm), but
mostly because I was bored, I was curious whether I could use only 256-bit ciphers on TLS1.3 on
[dustri.org](https://www.ssllabs.com/ssltest/analyze.html?d=dustri.org).

TLS1.3 sucks way less than its predecessors for a myriad of reasons,
the main one being that it got rid of a metric fuckton of legacy stuff,
allowing OpenSSL to only implement [5 ciphersuites](https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites),
with only 3 enabled by default:
`TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256` and `TLS_AES_128_GCM_SHA256`.

So the problem boils down to "how do I disable `TLS_AES_128_GCM_SHA256`?"

Because people tend to not read documentation, old cipher strings may
have inadvertently disabled TLS1.3 ciphers, causing issues. This is why OpenSSL
[split](https://github.com/openssl/openssl/commit/f865b08143b453962ad4afccd69e698d13c60f77)
the configuration mechanisms for TLS1.3 and TLS<1.3 in 2018.

Unfortunately, the nginx developers [aren't happy with this](https://trac.nginx.org/nginx/ticket/1529),
calling it a band-aid, so they didn't bother making use of the new API,
meaning that it's impossible to tweak TLS1.3 ciphers on nginx with OpenSSL
via the [`ssl_ciphers`](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) option.

Enter [`ssl_conf_command`](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_conf_command),
which allows setting OpenSSL configuration
[commands](https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html) directly,
like the `ciphersuites` one for TLS1.3 ciphersuites,
not to be confused with `cipher` for TLS1.2 and below.

Anyway, just slap `ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;`
in your nginx configuration, and enjoy *post-quantum ciphers* for TLS1.3!
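
To confirm the change took effect, offer the server one TLS1.3 suite at a time and see which handshakes complete. The script below is an added example, not part of the original post; it assumes an `openssl` binary with TLS1.3 support, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: check which TLS1.3 ciphersuites a server accepts.
# Assumes an openssl binary with TLS1.3 support; function names are illustrative.

# The three suites OpenSSL enables by default, as listed in the post.
DEFAULT_SUITES="TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256"

# Read `openssl s_client` output on stdin and print the negotiated suite.
# Returns 1 if nothing was negotiated ("Cipher is (NONE)" or no such line).
negotiated_suite() {
    suite=$(sed -n 's/^New, .*, Cipher is \([^[:space:]]*\).*/\1/p' | head -n 1)
    [ -n "$suite" ] && [ "$suite" != "(NONE)" ] || return 1
    printf '%s\n' "$suite"
}

# Offer exactly one TLS1.3 suite to host:port; succeed only if the server
# completes the handshake with that suite.
accepts_suite() {
    got=$(openssl s_client -connect "$1" -tls1_3 -ciphersuites "$2" \
            </dev/null 2>/dev/null | negotiated_suite) || return 1
    [ "$got" = "$2" ]
}

# Policy from the post: the 128-bit suite is refused, the other two accepted.
expected() {
    case "$1" in
        TLS_AES_128_*) echo refused ;;
        *)             echo accepted ;;
    esac
}

# Probe every default suite; return non-zero if any result deviates from policy.
audit() {
    rc=0
    for s in $DEFAULT_SUITES; do
        if accepts_suite "$1" "$s"; then seen=accepted; else seen=refused; fi
        [ "$seen" = "$(expected "$s")" ] || rc=1
        printf '%-30s %-9s (want %s)\n' "$s" "$seen" "$(expected "$s")"
    done
    return $rc
}

# Usage: sh check.sh host:port   (your own server, typically port 443)
if [ $# -ge 1 ]; then audit "$1"; fi
```

The exit status is non-zero if the server still accepts `TLS_AES_128_GCM_SHA256` or refuses one of the two suites the directive keeps.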

Apart from bragging rights, this change is pretty useless, since:

- the key-exchange and the authentication aren't
  [post-quantum](https://en.wikipedia.org/wiki/Post-quantum_cryptography)
- the increased safety margin in the multi-user setting is irrelevant thanks to
  [TLS1.3's randomized nonces](https://eprint.iacr.org/2020/1044.pdf).
