From 2d3b825d0876f639b68ee1d0cb5c356f7268991c Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Sat, 29 Jul 2017 02:55:08 +0100
Subject: [PATCH] config.m4: Fiddle with the ciphersuite settings.

Enable the fancy elliptic curve toys, AEAD schemes, and general djbishness. Also, take an interest in the ordering of ciphers in the `acceptable' list.
---
 config.m4 | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/config.m4 b/config.m4
index ac764c4..1731d59 100644
--- a/config.m4
+++ b/config.m4
@@ -85,14 +85,24 @@ DEFCONF(relay_clients, m4_dnl
 :+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0<::>m4_dnl
-:+DHE-RSA:+DHE-DSS<::>m4_dnl
-:+AES-256-CBC:+AES-128-CBC<::>m4_dnl
-:+SHA256:+SHA384:+SHA512:+SHA1<::>m4_dnl
-:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256:+SIGN-DSA-SHA256<::>m4_dnl
+:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+DHE-DSS<::>m4_dnl
+:+CHACHA20-POLY1305<::>m4_dnl
+:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC<::>m4_dnl
+:+AEAD:+SHA256:+SHA384:+SHA512<::>m4_dnl
+:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256<::>m4_dnl
+:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256<::>m4_dnl
+:+SIGN-DSA-SHA256<::>m4_dnl
+:+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP521R1:+CURVE-SECP384R1<::>m4_dnl
 :+CTYPE-X.509<::>m4_dnl
 :+COMP-NULL<::>m4_dnl
 )
-DEFCONF(acceptable_ciphers, NORMAL<::>m4_dnl
+DEFCONF(acceptable_ciphers, NONE<::>m4_dnl
+:+ECDHE-RSA:+ECDHE-ECDSA<::>m4_dnl
+:+CHACHA20-POLY1305<::>m4_dnl
+:+AES-256-GCM:+AES-128-GCM<::>m4_dnl
+:+CURVE-X25519<::>m4_dnl
+:+AEAD<::>m4_dnl
+:+NORMAL<::>m4_dnl
 :-MD5<::>m4_dnl
 )
-- 
2.11.0
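Review bot: Dropping `+SHA1` from the MAC line of the first list while the context line above it still offers `+VERS-TLS1.1:+VERS-TLS1.0` looks inconsistent: assuming these are GnuTLS priority strings, the remaining MACs (`AEAD`, `SHA256`, `SHA384`, `SHA512`) are, as far as I know, only usable in TLS 1.2 ciphersuites, so a peer limited to TLS 1.0/1.1 would no longer find a common suite. If TLS 1.2-only is the intent, make it explicit by trimming the version line to `:+VERS-TLS1.2<::>m4_dnl`; if older peers must still connect, the legacy MAC has to stay. In `acceptable_ciphers` the trailing `:+NORMAL` re-admits the whole NORMAL set, so the new entries change preference order only, and where this string is used on the accepting side GnuTLS follows the peer's order unless `%SERVER_PRECEDENCE` is given. A short `m4_dnl` comment above `acceptable_ciphers` saying that the leading entries are preference ordering and `NORMAL` is the fallback set would save the next reader from working that out. The DEFCONF that opens the first list starts outside the hunk, so its name and use are not visible here.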