From: Mischa Subject: Re: relayd: use the libtls secure keyword for the default ciphers To: Rafael Sadowski Cc: tech@openbsd.org Date: Tue, 16 Jun 2026 12:53:36 +0200 Hi Rafael, Just to confirm, zero TLS config in relayd.conf and a great security score. Thanx! Mischa On 2026-06-16 08:03, Rafael Sadowski wrote: > Based on an idea from Mischa, I would like to switch the default > cipher from "HIGH:!aNULL" to "secure" aka. > TLSv1.3:TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE", which selects the > stricter > modern set (AEAD ciphers with forward secrecy). > > I have replaced the text in the manpage with the "cipher" text from > smtpd.conf.5, which is easier to understand. > > In my view it makes sense to mention it in faq/current.html, as some > legacy systems might not work with it? > > Rafael > > diff --git a/relayd.conf.5 b/relayd.conf.5 > index 6e95e9a..93f5e93 100644 > --- a/relayd.conf.5 > +++ b/relayd.conf.5 > @@ -970,14 +970,15 @@ The > .Ic ca key > option is specified. > .El > -.It Ic ciphers Ar string > -Set the string defining the TLS cipher suite. > +.It Cm ciphers Ar cipherstr > +Define the list of ciphers that may be used for TLS sessions. > +Refer to the > +.Xr tls_config_set_ciphers 3 > +manpage for the format of > +.Ar cipherstr . > If not specified, the default value > -.Ql HIGH:!aNULL > -will be used (strong crypto cipher suites without anonymous DH). > -See the CIPHERS section of > -.Xr openssl 1 > -for information about TLS cipher suites and preference lists. > +.Ql secure > +will be used. > .It Ic client ca Ar path > Require TLS client certificates that can be verified against the CA > certificates in the specified file. > diff --git a/relayd.h b/relayd.h > index c772300..17ba3b4 100644 > --- a/relayd.h > +++ b/relayd.h 
> @@ -711,7 +711,7 @@ TAILQ_HEAD(relay_rules, relay_rule); > "\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2\05tlsv1.3" \ > "\06cipher-server-preference\07client-renegotiation" > > -#define TLSCIPHERS_DEFAULT "HIGH:!aNULL" > +#define TLSCIPHERS_DEFAULT "secure" > #define TLSECDHECURVES_DEFAULT "default" > #define TLSDHPARAM_DEFAULT "none"
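Review bot: in the relayd.conf.5 hunk, `.It Cm ciphers Ar cipherstr` is inconsistent with the neighbouring entries in the same list, which keep `.Ic` (`.Ic ca key` just above, `.It Ic client ca Ar path` just below); unless the whole list is being converted to `.Cm`, keep `.It Ic ciphers Ar cipherstr` so the item renders like its siblings. The replacement text also drops the explanation the old default had ("strong crypto cipher suites without anonymous DH") and only says `.Ql secure` will be used, so a reader of the manpage gets no hint of what that keyword selects or that the default has changed; since the covering mail already spells it out (TLSv1.3 plus TLSv1.2 AEAD suites with ECDHE/DHE, i.e. forward secrecy only), add a sentence along the lines of "The default selects the secure set of tls_config_set_ciphers(3): AEAD ciphers with forward secrecy" and note that the previous default was `HIGH:!aNULL`, which is also where legacy clients that stop connecting will look first.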
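Review bot: in the relayd.h hunk, TLSCIPHERS_DEFAULT now holds a libtls keyword rather than an OpenSSL-style cipher list, but the diff does not show where the value is consumed; confirm that the `ciphers` path in the config parser and relay setup hands the string to tls_config_set_ciphers(3) verbatim, with no OpenSSL cipher-list validation of its own, otherwise the new default fails where the old `HIGH:!aNULL` string passed. Existing relayd.conf files that set `ciphers "HIGH:!aNULL"` explicitly are untouched by this patch, so the commit message should say that only unconfigured setups change behaviour; that is also the wording to carry into the faq/current.html note proposed in the mail.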