From e2daa5eb66a448537d9462880791872450e933cc Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Tue, 24 Mar 2026 00:11:44 +0100
Subject: [PATCH] tlsconfig: add ChaCha20-Poly1305 cipher suites
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The tlsconfig package provides a curated set of ciphers, with insecure
ciphers removed; originally because Go stdlib included all ciphers by
default (including insecure ones). Current versions of Go provide a much
saner set of defaults, that closely matches the defaults as set in the
tlsconfig package in this module;

- Go 1.8 added ChaCha20-Poly1305 cipher suites
- Go 1.22 removed RSA key-exchange suites from default list
- Go 1.23 removed 3DES suites from default list

| cipher                                        | go-connections       | stdlib defaults    |
|-----------------------------------------------|----------------------|--------------------|
| TLS_RSA_WITH_AES_128_GCM_SHA256               | ✗ (insecure)         | ✗ (since go1.22)   |
| TLS_RSA_WITH_AES_256_GCM_SHA384               | ✗ (insecure)         | ✗ (since go1.22)   |
| TLS_RSA_WITH_AES_128_CBC_SHA                  | ✗ (insecure)         | ✗ (since go1.22)   |
| TLS_RSA_WITH_AES_256_CBC_SHA                  | ✗ (insecure)         | ✗ (since go1.22)   |
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           | ✗ (insecure)         | ✗ (since go1.23)   |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          | ✗ (legacy, non-AEAD) | ✓                  |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          | ✗ (legacy, non-AEAD) | ✓                  |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            | ✗ (legacy, non-AEAD) | ✓                  |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            | ✗ (legacy, non-AEAD) | ✓                  |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       | ✓                    | ✓                  |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       | ✓                    | ✓                  |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         | ✓                    | ✓                  |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         | ✓                    | ✓                  |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   | ✗                    | ✓ (added in go1.8) |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ✗                    | ✓ (added in go1.8) |

From the above table, differences are;

- Go still includes legacy, non-AEAD (TLS 1.2 CBC suites); these are still considered safe,
  but superseded by AEAD ciphers (AES-GCM, ChaCha20) and mainly retained for compatibility.
- Go 1.8 and up added ChaCha20-Poly1305 cipher suites (see https://go-review.googlesource.com/c/go/+/30958).

This patch adds the ChaCha20-Poly1305 cipher suites to align closer with the
set of cipher suites provided by default in Go stdlib.

Note that this only impacts TLS 1.2 (and older, but we don't allow TLS 1.1);
for TLS 1.3, Go does not allow overriding the list of supported ciphers.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 tlsconfig/config.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tlsconfig/config.go b/tlsconfig/config.go
index 8b0264f6..7b788c8c 100644
--- a/tlsconfig/config.go
+++ b/tlsconfig/config.go
@@ -47,6 +47,8 @@ var defaultCipherSuites = []uint16{
 	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 }
 
 // ServerDefault returns a secure-enough TLS configuration for the server TLS configuration.