Add Modern cipher suites and deprecate legacy TLS (#1283)

Update the :strong and :compatible cipher suite upgrades to align with modern
security standards, prioritizing TLS 1.3 and 1.2. Remove support for the insecure
TLS 1.0 and 1.1 protocols in accordance with RFC 8996.

Author: nortosem

lib/plug/ssl.ex

@@ -75,34 +75,30 @@ defmodule Plug.SSL do
   import Plug.Conn
 
   @strong_tls_ciphers [
-    ~c"ECDHE-RSA-AES256-GCM-SHA384",
-    ~c"ECDHE-ECDSA-AES256-GCM-SHA384",
-    ~c"ECDHE-RSA-AES128-GCM-SHA256",
-    ~c"ECDHE-ECDSA-AES128-GCM-SHA256",
-    ~c"DHE-RSA-AES256-GCM-SHA384",
-    ~c"DHE-RSA-AES128-GCM-SHA256"
+    # TLS 1.3 Ciphersuites
+    ~c"TLS_AES_256_GCM_SHA384",
+    ~c"TLS_CHACHA20_POLY1305_SHA256",
+    ~c"TLS_AES_128_GCM_SHA256"
   ]
 
   @compatible_tls_ciphers [
-    ~c"ECDHE-RSA-AES256-GCM-SHA384",
+    # TLS 1.3 Ciphersuites
+    ~c"TLS_AES_256_GCM_SHA384",
+    ~c"TLS_CHACHA20_POLY1305_SHA256",
+    ~c"TLS_AES_128_GCM_SHA256",
+    # TLS 1.2 Ciphersuites
     ~c"ECDHE-ECDSA-AES256-GCM-SHA384",
-    ~c"ECDHE-RSA-AES128-GCM-SHA256",
+    ~c"ECDHE-RSA-AES256-GCM-SHA384",
+    ~c"ECDHE-ECDSA-CHACHA20-POLY1305",
+    ~c"ECDHE-RSA-CHACHA20-POLY1305",
     ~c"ECDHE-ECDSA-AES128-GCM-SHA256",
+    ~c"ECDHE-RSA-AES128-GCM-SHA256",
     ~c"DHE-RSA-AES256-GCM-SHA384",
-    ~c"DHE-RSA-AES128-GCM-SHA256",
-    ~c"ECDHE-RSA-AES256-SHA384",
-    ~c"ECDHE-ECDSA-AES256-SHA384",
-    ~c"ECDHE-RSA-AES128-SHA256",
-    ~c"ECDHE-ECDSA-AES128-SHA256",
-    ~c"DHE-RSA-AES256-SHA256",
-    ~c"DHE-RSA-AES128-SHA256",
-    ~c"ECDHE-RSA-AES256-SHA",
-    ~c"ECDHE-ECDSA-AES256-SHA",
-    ~c"ECDHE-RSA-AES128-SHA",
-    ~c"ECDHE-ECDSA-AES128-SHA"
+    ~c"DHE-RSA-AES128-GCM-SHA256"
   ]
 
   @eccs [
+    :x25519,
     :secp256r1,
     :secp384r1,
     :secp521r1
@@ -137,30 +133,23 @@ defmodule Plug.SSL do
 
   To simplify configuration of TLS defaults, this function provides two preconfigured
   options: `cipher_suite: :strong` and `cipher_suite: :compatible`. The Ciphers
-  chosen and related configuration come from the [OWASP Cipher String Cheat
-  Sheet](https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet)
-
-  We've made two modifications to the suggested config from the OWASP recommendations.
-  First we include ECDSA certificates which are excluded from their configuration.
-  Second we have changed the order of the ciphers to deprioritize DHE because of
-  performance implications noted within the OWASP post itself. As the article notes
-  "...the TLS handshake with DHE hinders the CPU about 2.4 times more than ECDHE".
-
-  The **Strong** cipher suite only supports tlsv1.2. Ciphers were based on the OWASP
-  Group A+ and includes support for RSA or ECDSA certificates. The intention of this
-  configuration is to provide as secure as possible defaults knowing that it will not
-  be fully compatible with older browsers and operating systems.
-
-  The **Compatible** cipher suite supports tlsv1, tlsv1.1 and tlsv1.2. Ciphers were
-  based on the OWASP Group B and includes support for RSA or ECDSA certificates. The
-  intention of this configuration is to provide as secure as possible defaults that
-  still maintain support for older browsers and Android versions 4.3 and earlier
-
-  For both suites we've specified certificate curves secp256r1, ecp384r1 and secp521r1.
-  Since OWASP doesn't prescribe curves we've based the selection on [Mozilla's
-  recommendations](https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table)
-
-  **The cipher suites were last updated on 2018-JUN-14.**
+  chosen and related configuration come from the [Transport Layer Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html)
+
+  The **Strong** cipher suite supports TLSv1.3 as recommended by the Transport
+  Layer Security Cheat Sheet. General purpose web applications should default to
+  TLSv1.3 with ALL other protocols disabled.
+
+  The **Compatible** cipher suite supports TLSv1.2 and TLSv1.3. This 
+  suite provides strong security while maintaining compatibility with a wide 
+  range of modern clients. 
+
+  Legacy protocols TLSv1.1 and TLSv1.0 are officially deprecated by 
+  [RFC 8996](https://www.rfc-editor.org/rfc/rfc8996.html) and are 
+  considered insecure.
+
+  [Test your ssl configuration](https://ssl-config.mozilla.org/)
+
+  **The cipher suites were last updated on 2025-AUG-28.**
   """
   @spec configure([:ssl.tls_server_option()]) ::
           {:ok, [:ssl.tls_server_option()]} | {:error, String.t()}
@@ -301,14 +290,14 @@ defmodule Plug.SSL do
     options
     |> set_managed_tls_defaults
     |> keynew(:ciphers, 0, {:ciphers, @strong_tls_ciphers})
-    |> keynew(:versions, 0, {:versions, [:"tlsv1.2"]})
+    |> keynew(:versions, 0, {:versions, [:"tlsv1.3"]})
   end
 
   defp set_compatible_tls_defaults(options) do
     options
     |> set_managed_tls_defaults
     |> keynew(:ciphers, 0, {:ciphers, @compatible_tls_ciphers})
-    |> keynew(:versions, 0, {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]})
+    |> keynew(:versions, 0, {:versions, [:"tlsv1.3", :"tlsv1.2"]})
   end
 
   defp validate_ciphers(options) do

test/plug/ssl_test.exs

@@ -40,43 +40,35 @@ defmodule Plug.SSLTest do
       assert {:ok, opts} = configure(key: "abcdef", cert: "ghijkl", cipher_suite: :strong)
       assert opts[:cipher_suite] == nil
       assert opts[:honor_cipher_order] == true
-      assert opts[:eccs] == [:secp256r1, :secp384r1, :secp521r1]
-      assert opts[:versions] == [:"tlsv1.2"]
+      assert opts[:eccs] == [:x25519, :secp256r1, :secp384r1, :secp521r1]
+      assert opts[:versions] == [:"tlsv1.3"]
 
       assert opts[:ciphers] == [
-               ~c"ECDHE-RSA-AES256-GCM-SHA384",
-               ~c"ECDHE-ECDSA-AES256-GCM-SHA384",
-               ~c"ECDHE-RSA-AES128-GCM-SHA256",
-               ~c"ECDHE-ECDSA-AES128-GCM-SHA256",
-               ~c"DHE-RSA-AES256-GCM-SHA384",
-               ~c"DHE-RSA-AES128-GCM-SHA256"
+               ~c"TLS_AES_256_GCM_SHA384",
+               ~c"TLS_CHACHA20_POLY1305_SHA256",
+               ~c"TLS_AES_128_GCM_SHA256"
              ]
     end
 
     test "sets cipher suite to compatible" do
       assert {:ok, opts} = configure(key: "abcdef", cert: "ghijkl", cipher_suite: :compatible)
       assert opts[:cipher_suite] == nil
       assert opts[:honor_cipher_order] == true
-      assert opts[:eccs] == [:secp256r1, :secp384r1, :secp521r1]
-      assert opts[:versions] == [:"tlsv1.2", :"tlsv1.1", :tlsv1]
+      assert opts[:eccs] == [:x25519, :secp256r1, :secp384r1, :secp521r1]
+      assert opts[:versions] == [:"tlsv1.3", :"tlsv1.2"]
 
       assert opts[:ciphers] == [
-               ~c"ECDHE-RSA-AES256-GCM-SHA384",
+               ~c"TLS_AES_256_GCM_SHA384",
+               ~c"TLS_CHACHA20_POLY1305_SHA256",
+               ~c"TLS_AES_128_GCM_SHA256",
                ~c"ECDHE-ECDSA-AES256-GCM-SHA384",
-               ~c"ECDHE-RSA-AES128-GCM-SHA256",
+               ~c"ECDHE-RSA-AES256-GCM-SHA384",
+               ~c"ECDHE-ECDSA-CHACHA20-POLY1305",
+               ~c"ECDHE-RSA-CHACHA20-POLY1305",
                ~c"ECDHE-ECDSA-AES128-GCM-SHA256",
+               ~c"ECDHE-RSA-AES128-GCM-SHA256",
                ~c"DHE-RSA-AES256-GCM-SHA384",
-               ~c"DHE-RSA-AES128-GCM-SHA256",
-               ~c"ECDHE-RSA-AES256-SHA384",
-               ~c"ECDHE-ECDSA-AES256-SHA384",
-               ~c"ECDHE-RSA-AES128-SHA256",
-               ~c"ECDHE-ECDSA-AES128-SHA256",
-               ~c"DHE-RSA-AES256-SHA256",
-               ~c"DHE-RSA-AES128-SHA256",
-               ~c"ECDHE-RSA-AES256-SHA",
-               ~c"ECDHE-ECDSA-AES256-SHA",
-               ~c"ECDHE-RSA-AES128-SHA",
-               ~c"ECDHE-ECDSA-AES128-SHA"
+               ~c"DHE-RSA-AES128-GCM-SHA256"
              ]
     end