Does Caddy support configuring the TLS 1.2 protocol and specific ciphers?

1. The problem I’m having:

  • My Caddyfile configuration is as follows:

        localhost:7443 {
            bind 127.0.0.1
            tls /etc/caddy/caddy-cert.pem /etc/caddy/caddy-key.pem {
                protocols tls1.2
                ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
            }
        }

    According to the configuration, TLS 1.2 should be used with the ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384. However, the issue is that Caddy is still sending the protocol TLS 1.2 with the following cipher suites:

Transmission Control Protocol, Src Port: 41834, Dst Port: 7443, Seq: 1, Ack: 1, Len: 245
Transport Layer Security
    TLSv1.3 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 240
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 236
            Version: TLS 1.2 (0x0303)
            [Expert Info (Chat/Deprecated): This legacy_version field MUST be ignored. The supported_versions extension is present and MUST be used instead.]
            Random: e6ea06a00d558f07fd2056dfda082126bc533724348eb7d0de3cfb4de2f132fc
            Session ID Length: 32
            Session ID: 3754d9355b9c1018d34ea6632268e513fc189fe6cef46a2122bfc1cf8a337270
            Cipher Suites Length: 22
            Cipher Suites (11 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
                Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
                Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 141
            Extension: server_name (len=14) name=localhost
            Extension: status_request (len=5)
            Extension: supported_groups (len=10)
            Extension: ec_point_formats (len=2)
            Extension: signature_algorithms (len=26)
            Extension: renegotiation_info (len=1)
            Extension: extended_master_secret (len=0)
            Extension: signed_certificate_timestamp (len=0)
            Extension: supported_versions (len=5) TLS 1.3, TLS 1.2
            Extension: key_share (len=38) x25519
            [JA4: t13d111000_cafd58515627_e7c285222651]
            [JA4_r: t13d111000_1301,1302,1303,c009,c00a,c013,c014,c02b,c02c,c02f,c030_0005,000a,000b,000d,0012,0017,002b,0033,ff01_0804,0403,0807,0805,0806,0401,0501,0601,0503,0603,0201,0203]
            [JA3 Fullstring: 771,49195-49199-49196-49200-49161-49171-49162-49172-4865-4866-4867,0-5-10-11-13-65281-23-18-43-51,29-23-24-25,0]
            [JA3: 7d5bcc24bfbc7bbcd9c3056588dc2f69]

Thanks & Regards,
Vijaya
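Editor's note with an added example (not code from the poster or from the Caddy project): the capture above is a Client Hello, and a Client Hello always carries the client's own offer (here eleven suites and both TLS 1.3 and TLS 1.2 in supported_versions), regardless of how the server is configured. Server-side `protocols` and `ciphers` settings only show up in what the server selects in its Server Hello and in the resulting connection state. The Go program below, which uses the same crypto/tls package Caddy is built on, makes that visible: the server is pinned to TLS 1.2 and the two AES-256-GCM suites, the client offers Go's defaults (TLS 1.3 included), and the negotiated result is inspected. It assumes a throwaway self-signed ECDSA certificate generated at runtime and an in-memory `net.Pipe` connection instead of a real listener; because the certificate is ECDSA, the ECDSA suite is the one that can be selected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate for "localhost".
// It stands in for the caddy-cert.pem / caddy-key.pem files in the post and
// is constructed only so the example runs offline.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// Negotiate runs one in-memory TLS handshake. The server side mirrors the
// Caddyfile in the post (TLS 1.2 only, two AES-256-GCM suites); the client
// side offers Go's default versions and suites, i.e. TLS 1.3 and TLS 1.2 with
// a suite list much like the captured Client Hello. It returns what was agreed.
func Negotiate() (tls.ConnectionState, error) {
	cert, parsed, err := selfSignedCert()
	if err != nil {
		return tls.ConnectionState{}, err
	}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // equivalent of "protocols tls1.2"
		CipherSuites: []uint16{ // equivalent of the "ciphers" line
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		},
	}
	// The client trusts only the throwaway certificate; no defaults are
	// overridden, so its Client Hello still advertises TLS 1.3.
	roots := x509.NewCertPool()
	roots.AddCert(parsed)
	clientCfg := &tls.Config{ServerName: "localhost", RootCAs: roots}

	c1, c2 := net.Pipe()
	defer c1.Close()
	defer c2.Close()
	srv := tls.Server(c1, serverCfg)
	cli := tls.Client(c2, clientCfg)

	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	if err := <-srvErr; err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), nil
}

func main() {
	st, err := Negotiate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("negotiated version: %#x (TLS 1.2 = %#x)\n", st.Version, tls.VersionTLS12)
	fmt.Printf("negotiated suite:   %s\n", tls.CipherSuiteName(st.CipherSuite))
}
```

The client never learns about the server's restrictions before sending its hello, so checking the Client Hello for the server's configured suites cannot confirm or refute the configuration; the negotiated version and suite (the Server Hello in a capture, or `ConnectionState` here) are what to verify.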

I don’t understand. You’ll need to explain more clearly your goals and the problem you’re trying to solve.

In general, you really should not configure TLS ciphers or versions. Caddy’s defaults are modern, secure, and compatible. Both those ciphers you mentioned are enabled by default, so there’s no reason to try and override it.

Please completely fill out the help topic template as per the forum rules.