From e877b29bddc92e99f588012b757a232d54779c06 Mon Sep 17 00:00:00 2001
From: Ciprian Dorin Craciun <ciprian@volution.ro>
Date: Fri, 17 Dec 2021 14:03:55 +0200
Subject: [PATCH] [server]  Update TLS cipher selection.

---
 sources/cmd/server/server.go | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/sources/cmd/server/server.go b/sources/cmd/server/server.go
index f0f6ff7..fa51271 100644
--- a/sources/cmd/server/server.go
+++ b/sources/cmd/server/server.go
@@ -1316,22 +1316,21 @@ func main_0 () (error) {
 	_tlsConfig := & tls.Config {
 			Certificates : nil,
 			MinVersion : tls.VersionTLS12,
+			MaxVersion : tls.VersionTLS13,
 			CipherSuites : []uint16 {
 					// NOTE:  https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+					// NOTE:  https://github.com/golang/go/issues/29349
 					// NOTE:  TLSv1.3
+					tls.TLS_CHACHA20_POLY1305_SHA256,
 					tls.TLS_AES_128_GCM_SHA256,
 					tls.TLS_AES_256_GCM_SHA384,
-					tls.TLS_CHACHA20_POLY1305_SHA256,
 					// NOTE:  TLSv1.2
+					// NOTE:  https://datatracker.ietf.org/doc/html/rfc7540#section-9.2.2
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-					// NOTE:  Required for HTTP/2.
-					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-					tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
 				},
 			Renegotiation : tls.RenegotiateNever,
-			PreferServerCipherSuites : true,
 			SessionTicketsDisabled : true,
 			DynamicRecordSizingDisabled : true,
 			NextProtos : []string { "http/1.1", "http/1.0" },