
From: Mischa <openbsd@mlst.nl>
Subject: Re: relayd: use the libtls secure keyword for the default ciphers
To: Rafael Sadowski <rafael@sizeofvoid.org>
Cc: tech@openbsd.org
Date: Tue, 16 Jun 2026 12:53:36 +0200

Hi Rafael,

Just to confirm, zero TLS config in relayd.conf and a great security score.
Thanx!

Mischa

On 2026-06-16 08:03, Rafael Sadowski wrote:
> Based on an idea from Mischa, I would like to switch the default
> cipher from "HIGH:!aNULL" to "secure" aka.
> "TLSv1.3:TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE", which selects the
> stricter modern set (AEAD ciphers with forward secrecy).
> 
> I have replaced the text in the manpage with the "cipher" text from
> smtpd.conf.5, which is easier to understand.
> 
> In my view it makes sense to mention it in faq/current.html, as some
> legacy systems might not work with it?
> 
> Rafael
> 
> diff --git a/relayd.conf.5 b/relayd.conf.5
> index 6e95e9a..93f5e93 100644
> --- a/relayd.conf.5
> +++ b/relayd.conf.5
> @@ -970,14 +970,15 @@ The
>  .Ic ca key
>  option is specified.
>  .El
> -.It Ic ciphers Ar string
> -Set the string defining the TLS cipher suite.
> +.It Cm ciphers Ar cipherstr
> +Define the list of ciphers that may be used for TLS sessions.
> +Refer to the
> +.Xr tls_config_set_ciphers 3
> +manpage for the format of
> +.Ar cipherstr .
>  If not specified, the default value
> -.Ql HIGH:!aNULL
> -will be used (strong crypto cipher suites without anonymous DH).
> -See the CIPHERS section of
> -.Xr openssl 1
> -for information about TLS cipher suites and preference lists.
> +.Ql secure
> +will be used.
>  .It Ic client ca Ar path
>  Require TLS client certificates that can be verified against the CA
>  certificates in the specified file.
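Review bot: the option name's macro changes from .Ic to .Cm in the new `.It Cm ciphers Ar cipherstr` line, while the neighbouring entries in the same list (`.It Ic client ca Ar path`, `.Ic ca key`) still use .Ic; unless the whole list is being converted, keep `.It Ic ciphers Ar cipherstr` so the entry is marked up consistently. The rewrite also drops the old one-line description of what the default gives you ("strong crypto cipher suites without anonymous DH"); a short parenthetical after `.Ql secure` stating that it selects AEAD ciphers with forward secrecy, as the cover note says, would keep the manpage self-describing for readers who do not follow the tls_config_set_ciphers(3) reference.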
> diff --git a/relayd.h b/relayd.h
> index c772300..17ba3b4 100644
> --- a/relayd.h
> +++ b/relayd.h
> @@ -711,7 +711,7 @@ TAILQ_HEAD(relay_rules, relay_rule);
>  	"\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2\05tlsv1.3"	\
>  	"\06cipher-server-preference\07client-renegotiation"
> 
> -#define TLSCIPHERS_DEFAULT	"HIGH:!aNULL"
> +#define TLSCIPHERS_DEFAULT	"secure"
>  #define TLSECDHECURVES_DEFAULT	"default"
>  #define TLSDHPARAM_DEFAULT	"none"
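Review bot: the one-line change to TLSCIPHERS_DEFAULT alters behaviour for every relay that does not set `ciphers` explicitly, and nothing in the patch records the previous value where an operator would look for it; since the cover note already expects some legacy clients to stop connecting, the commit message and the proposed faq/current.html entry should state that the old behaviour can be restored per relay with `ciphers "HIGH:!aNULL"` (the value removed here), so the migration has a documented escape hatch rather than a silent default change.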