Description
Prerequisites
- I have checked the Wiki and Discussions and found no answer
- I have searched other issues and found no duplicates
- I want to report a bug and not ask a question or ask for help
- I have set up AdGuard Home correctly and configured clients to use it. (Use the Discussions for help with installing and configuring clients.)
Platform (OS and CPU architecture)
Linux, AMD64 (aka x86_64)
Installation
Docker
Setup
On one machine
AdGuard Home version
v0.107.67
Action
Added following to AdGuardHome.yaml:
tls:
  override_tls_ciphers:
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Expected result
All TLS-wrapped services only offer the specified ciphers for TLS 1.2 (as TLS 1.3 ciphers are not configurable per Go's tls.Config).
Actual result
Only the HTTPS server seems to obey this configuration. DoT is not affected.
With the above config, HTTPS offers:
$ docker run --rm -it nablac0d3/sslyze --tlsv1_2 <agh_ip>:443
* TLS 1.2 Cipher Suites:
Attempted to connect using 156 cipher suites.
The server accepted the following 2 cipher suites:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 256 ECDH: secp256r1 (256 bits)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 128 ECDH: secp256r1 (256 bits)
However, with the same config (and without it), DoT offers:
$ docker run --rm -it nablac0d3/sslyze --tlsv1_2 <agh_ip>:853
* TLS 1.2 Cipher Suites:
Attempted to connect using 156 cipher suites.
The server accepted the following 5 cipher suites:
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 ECDH: X25519 (253 bits)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 256 ECDH: secp256r1 (256 bits)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 256 ECDH: secp256r1 (256 bits)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 128 ECDH: secp256r1 (256 bits)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 128 ECDH: secp256r1 (256 bits)
Additional information and/or screenshots
No response
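Added example, not AdGuard Home's own code: a small Go check built on the standard crypto/tls package that resolves the suite names from the override_tls_ciphers list above into tls.Config.CipherSuites and confirms that a server using that config refuses a TLS 1.2 client offering only a CBC suite while accepting one of the listed GCM suites. The function names and the throwaway self-signed certificate are assumptions made for this example; the same client-side probe pointed at a live listener on port 853 shows whether the DoT service honours the list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// cipherSuitesByName resolves names as written in override_tls_ciphers to Go suite IDs.
func cipherSuitesByName(names []string) (ids []uint16, err error) {
	byName := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs.ID
	}
	for _, n := range names {
		id, ok := byName[n]
		if !ok {
			return nil, fmt.Errorf("unknown cipher suite %q", n) // fail loudly, never drop silently
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// handshakeAccepted reports whether a TLS 1.2 client offering only clientSuite completes
// a handshake with a server whose tls.Config is limited to serverSuites (in memory, via net.Pipe).
func handshakeAccepted(serverSuites []uint16, clientSuite uint16) (bool, error) {
	// Throwaway self-signed ECDSA P-256 certificate, constructed for this check only.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return false, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return false, err }
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		CipherSuites: serverSuites, MinVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{InsecureSkipVerify: true, CipherSuites: []uint16{clientSuite},
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	s, c := net.Pipe() // both ends must handshake concurrently
	done := make(chan error, 1)
	go func() { done <- tls.Server(s, srvCfg).Handshake() }()
	clientErr := tls.Client(c, cliCfg).Handshake()
	serverErr := <-done
	return clientErr == nil && serverErr == nil, nil
}
```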