# jnsp

Information Security, Software Development and *NIX

## Prefer ChaCha20-Poly1305 in TLS 1.3 with nginx

TLS 1.3 defines a new format for cipher suites that is incompatible with previous versions of the protocol. Unfortunately, many applications today do not let you specify the order of preference for those new cipher suites, so the default set by the underlying TLS library (which often happens to be OpenSSL) is used.

Even though you cannot change the server-side preference for TLS 1.3 cipher suites within your application, you can change the defaults used by OpenSSL. In this blog post, I will briefly explain how to change the order of preference for TLS 1.3 cipher suites with OpenSSL and nginx. This method should also work for many other applications, such as Apache or Postfix, that utilize the default settings of OpenSSL.

### Edit OpenSSL configuration file

On a typical Linux system, the configuration file for OpenSSL is located at /etc/ssl/openssl.cnf. Open it with your favorite text editor and add the following lines to the top of the file.

```ini
# Must appear before any [section] header: names the section OpenSSL loads first
openssl_conf = default_conf

[default_conf]
# Hand SSL/TLS settings to the ssl_conf module
ssl_conf = ssl_sect

[ssl_sect]
# Settings applied to every SSL_CTX the application creates
system_default = system_default_sect

[system_default_sect]
# TLS 1.3 cipher suites in server order of preference
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
# Use the server's order rather than the client's
Options = ServerPreference
```

The Ciphersuites option defines the default cipher suites used in TLS 1.3; adapt the order here to suit your needs. Keep in mind that you should at least offer TLS_AES_128_GCM_SHA256 to stay compliant with RFC 8446 section 9.1. Save the changes to the file and finally restart your application (e.g. nginx). When a client negotiates TLS 1.3 with your server, the new preference will be used.
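As an added example (not code from the original post), the following Python script lints an openssl.cnf before you restart anything: it parses the INI-style file, follows the `openssl_conf` → `ssl_conf` → `system_default` chain of section references, and reports the resulting TLS 1.3 order together with any RFC 8446 section 9.1 gaps (TLS_AES_128_GCM_SHA256 is a MUST, the other two are SHOULD) and a missing ServerPreference option. The embedded config text is a constructed sample that mirrors the snippet above; the parser is a deliberately minimal one for this layout, not OpenSSL's own.

```python
"""Lint the TLS 1.3 system-default ciphersuite chain in an openssl.cnf."""
import re

# Constructed sample (same settings as the snippet in the post).
SAMPLE_CNF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
Options = ServerPreference
"""

# Constructed broken variant: the same keys with the [section] headers dropped,
# which is how the snippet often ends up after a copy-paste through a web page.
NO_HEADERS_CNF = "\n".join(
    l for l in SAMPLE_CNF.splitlines() if not l.startswith("[")
)

RFC8446_MUST = {"TLS_AES_128_GCM_SHA256"}
RFC8446_SHOULD = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}


def parse_cnf(text):
    """Return {section: {key: value}}; keys before the first header go in ''."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def resolve_system_default(sections):
    """Walk openssl_conf -> ssl_conf -> system_default and return that section."""
    name = ""
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        sect = sections.get(name)
        if sect is None or key not in sect:
            raise ValueError(f"'{key}' missing from section [{name or 'top level'}]")
        name = sect[key]
    if name not in sections:
        raise ValueError(f"section [{name}] is referenced but never defined")
    return sections[name]


def check_tls13_prefs(text):
    """Report the effective TLS 1.3 order and anything a reviewer should flag."""
    sd = resolve_system_default(parse_cnf(text))
    suites = [s for s in sd.get("Ciphersuites", "").split(":") if s]
    options = [o.strip() for o in sd.get("Options", "").split(",") if o.strip()]
    problems = []
    if not suites:
        problems.append("no Ciphersuites set; OpenSSL's built-in order applies")
    for s in sorted(RFC8446_MUST - set(suites)):
        problems.append(f"RFC 8446 9.1 MUST suite missing: {s}")
    for s in sorted(RFC8446_SHOULD - set(suites)):
        problems.append(f"RFC 8446 9.1 SHOULD suite missing: {s}")
    if len(set(suites)) != len(suites):
        problems.append("duplicate entry in Ciphersuites")
    if "ServerPreference" not in options:
        problems.append("Options lacks ServerPreference: the client's order wins")
    return {
        "suites": suites,
        "preferred": suites[0] if suites else None,
        "server_preference": "ServerPreference" in options,
        "problems": problems,
    }


def chain_resolves(text):
    """True if the section chain is complete, False if any link is missing."""
    try:
        resolve_system_default(parse_cnf(text))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, cnf in (("sample", SAMPLE_CNF), ("no headers", NO_HEADERS_CNF)):
        if chain_resolves(cnf):
            print(label, check_tls13_prefs(cnf))
        else:
            print(label, "section chain does not resolve")
```

Run it against `/etc/ssl/openssl.cnf` by reading the file into `check_tls13_prefs`; the `Ciphersuites` directive exists only in OpenSSL 1.1.1 and later, so on older builds the whole block is silently meaningless. After restarting nginx, the end-to-end check is `openssl s_client -connect host:443 -tls1_3`, whose `Cipher is ...` line should name TLS_CHACHA20_POLY1305_SHA256 for a client that offers it.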

You can find more information on this topic here.