Configure TLS ciphers
The following table lists the ciphers recommended for TLS server setups in Wire deployments, the TLS version each belongs to, and whether it is enabled by default. All of them use ECDHE key exchange (forward secrecy) and an AEAD cipher (AES-GCM or ChaCha20-Poly1305); the last column gives the Mozilla server-side TLS profile ("intermediate" allows TLSv1.2 and TLSv1.3, "modern" is TLSv1.3 only).
| Cipher | Version | Wire default | | Mozilla profile |
|---|---|---|---|---|
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLSv1.2 | no | yes | intermediate |
| ECDHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | no | yes | intermediate |
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | yes | yes | intermediate |
| ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | yes | yes | intermediate |
| ECDHE-ECDSA-CHACHA20-POLY1305 | TLSv1.2 | no | no | intermediate |
| ECDHE-RSA-CHACHA20-POLY1305 | TLSv1.2 | no | no | intermediate |
| TLS_AES_128_GCM_SHA256 | TLSv1.3 | yes | yes | modern |
| TLS_AES_256_GCM_SHA384 | TLSv1.3 | yes | yes | modern |
| TLS_CHACHA20_POLY1305_SHA256 | TLSv1.3 | no | no | modern |
Note
If you enable TLSv1.3, OpenSSL always enables its three default TLSv1.3 cipher suites (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256) regardless of what the TLSv1.2 cipher list contains. It is therefore not necessary to add them to OpenSSL-based configurations such as an nginx `ssl_ciphers` directive; that directive only governs TLSv1.2 suites. If you need to restrict the TLSv1.3 suites as well, OpenSSL exposes them through a separate `Ciphersuites` setting (`ssl_conf_command Ciphersuites ...;` in nginx 1.19.4 or later).
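As an added illustration of the note above (this is an example vhost, not one of the wire-server ansible templates; the server name, certificate paths and session settings are placeholders), the following nginx configuration serves the table's "intermediate" profile: the TLSv1.2 suites are listed explicitly, while the TLSv1.3 suites are left to OpenSSL's defaults.

```nginx
# Added example (not a wire-server template): an nginx HTTPS vhost restricted to the
# "intermediate" TLSv1.2 suites from the table above plus TLSv1.3.
# server_name and the certificate paths are placeholders.
server {
    listen 443 ssl;
    server_name wire.example.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # Mozilla "intermediate": TLSv1.2 and TLSv1.3.
    # For the "modern" profile use "ssl_protocols TLSv1.3;" and omit ssl_ciphers entirely,
    # since TLSv1.3 suites are not configured through it.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLSv1.2 suites only: ECDHE key exchange with AEAD ciphers. OpenSSL adds its three
    # default TLSv1.3 suites on its own, so TLS_AES_* / TLS_CHACHA20_* are not listed here.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # With only forward-secret AEAD suites on offer, letting the client choose is safe
    # (a mobile client without AES hardware will then pick ChaCha20).
    ssl_prefer_server_ciphers off;

    # Optional (nginx >= 1.19.4 built against OpenSSL >= 1.1.1): also restrict the TLSv1.3
    # suites, e.g. to drop TLS_CHACHA20_POLY1305_SHA256 as in the "Wire default" column.
    # ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256;

    # Session resumption without tickets, so a leaked ticket key cannot undo forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
}
```

The same `ssl_protocols`, `ssl_ciphers` and `ssl_prefer_server_ciphers` directives apply inside a `stream {}` block, which is what a "TLS over TCP" TURN front end uses.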
Ingress Traffic (wire-server)
The list of TLS ciphers accepted for incoming requests (for the general server certificates, used by both the federation and the client API) is limited by default to the following, and can be overridden for your installation if needed.
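Before overriding the ingress cipher list it is worth checking, offline, what an OpenSSL cipher-list string actually enables. The script below is an added example and not wire-server code; it uses Python's `ssl` module (which wraps the local OpenSSL) to build a server context from a cipher list, report the suites OpenSSL selects, and flag any TLSv1.2 suite that is not ECDHE plus AEAD. The two constants are taken from the table above; the weak-suite heuristic (name-based, assumes OpenSSL naming) is this example's own.

```python
"""Offline check of an OpenSSL cipher-list string before it goes into a server config.

Added example, not wire-server code. Builds a server-side SSLContext from a cipher list,
asks OpenSSL which suites that enables, and flags TLSv1.2 suites that are not
forward-secret AEAD. Cipher constants are taken from the table on this page.
"""
import ssl

# TLSv1.2 suites of the Mozilla "intermediate" profile, in OpenSSL cipher-list syntax.
INTERMEDIATE_TLS12 = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
])

# The table's "Wire default" column restricted to TLSv1.2: AES-256-GCM only.
WIRE_DEFAULT_TLS12 = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"

# Whether the local OpenSSL supports TLSv1.3 at all (needed to see the note's effect).
HAS_TLS13 = ssl.HAS_TLSv1_3


def enabled_suites(cipher_list):
    """Return [(name, protocol)] of the suites OpenSSL enables for this cipher list.

    The TLSv1.3 suites show up even though the list never mentions them: OpenSSL
    configures them through its separate 'ciphersuites' setting, exactly as the note
    above describes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if no suite matches at all
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def tls13_suites(cipher_list):
    """Names of the TLSv1.3 suites OpenSSL enables alongside the given TLSv1.2 list."""
    return [name for name, proto in enabled_suites(cipher_list) if proto == "TLSv1.3"]


def weak_suites(cipher_list):
    """Enabled TLSv1.2 suites that are not ECDHE + AEAD (heuristic on OpenSSL names).

    TLSv1.3 suites are skipped: every TLSv1.3 suite is forward-secret and AEAD by design.
    A TLSv1.2 suite passes only if it uses ECDHE key exchange with certificate
    authentication (no PSK) and an AEAD cipher (AES-GCM or ChaCha20-Poly1305).
    """
    weak = []
    for name, proto in enabled_suites(cipher_list):
        if proto == "TLSv1.3":
            continue
        forward_secret = name.startswith("ECDHE-") and "-PSK-" not in name
        aead = "GCM" in name or "CHACHA20-POLY1305" in name
        if not (forward_secret and aead):
            weak.append(name)
    return weak


if __name__ == "__main__":
    for label, cipher_list in (("intermediate", INTERMEDIATE_TLS12),
                               ("wire default", WIRE_DEFAULT_TLS12),
                               # constructed bad example: static-RSA CBC suite appended
                               ("legacy", INTERMEDIATE_TLS12 + ":AES128-SHA")):
        print(f"== {label}")
        for name, proto in enabled_suites(cipher_list):
            print(f"  {proto:<8} {name}")
        print("  weak:", weak_suites(cipher_list) or "none")
```

This only tells you what the local OpenSSL would enable for a given string; what a deployed endpoint really negotiates still has to be checked against the running server, for example with `openssl s_client -connect host:443 -tls1_2 -cipher <suite>` for each suite you expect to be accepted or rejected.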
Egress Traffic (wire-server/federation)
The list of TLS ciphers used for outgoing federation requests is currently hardcoded in wire-server and cannot be changed through the installation's configuration; the list is here.
SFTD (ansible)
The list of TLS ciphers for incoming SFT requests (and for the SFT metrics endpoint) is defined in the ansible templates sftd.vhost.conf.j2 and metrics.vhost.conf.j2.
SFTD (kubernetes)
SFTD deployed via Kubernetes uses a kubernetes.io/ingress resource for ingress traffic, configured in ingress.yaml. TLS is terminated by the ingress, so Kubernetes-based deployments use the cipher settings described under Ingress Traffic (wire-server).
Restund (ansible)
The list of TLS ciphers for "TLS over TCP" TURN (and for the restund metrics endpoint) is defined in the ansible templates nginx-stream.conf.j2 and nginx-metrics.conf.j2.
Restund (kubernetes)
The Kubernetes restund deployment does not provide TLS connectivity (no "TLS over TCP" TURN), so no cipher configuration applies to it.