Make tls_cipher_suite a no-op

jedisct1 · jedisct1 · commit f2a0828971e3 · 2025-12-25T12:02:43.000+01:00
This has been the source of confusion, it makes more harm than
good, and it complicates the code.
diff --git a/dnscrypt-proxy/config_loader.go b/dnscrypt-proxy/config_loader.go
@@ -65,7 +65,6 @@ func configureLogging(proxy *Proxy, flags *ConfigFlags, config *Config) {
 // configureXTransport - Configures the XTransport
 func configureXTransport(proxy *Proxy, config *Config) error {
 	proxy.xTransport.tlsDisableSessionTickets = config.TLSDisableSessionTickets
-	proxy.xTransport.tlsCipherSuite = config.TLSCipherSuite
 	proxy.xTransport.http3 = config.HTTP3
 	proxy.xTransport.http3Probe = config.HTTP3Probe
 
diff --git a/dnscrypt-proxy/example-dnscrypt-proxy.toml b/dnscrypt-proxy/example-dnscrypt-proxy.toml
@@ -287,23 +287,6 @@ cert_refresh_delay = 240
 # tls_disable_session_tickets = false
 
 
-## DoH: Use TLS 1.2 and specific cipher suite instead of the server preference
-## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-##
-## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
-## uncommenting the following line may improve performance.
-## This may also help on Intel CPUs running 32-bit operating systems.
-## However, this can cause issues fetching sources or connecting to some HTTP servers,
-## and should not be set on regular CPUs.
-##
-## Keep tls_cipher_suite undefined to let the app automatically choose secure parameters.
-
-# tls_cipher_suite = [52392, 49199]
-
-
 ## Log TLS key material to a file, for debugging purposes only.
 ## This file will contain the TLS master key, which can be used to decrypt
 ## all TLS traffic to/from DoH servers.
diff --git a/dnscrypt-proxy/xtransport.go b/dnscrypt-proxy/xtransport.go
@@ -77,7 +77,6 @@ type XTransport struct {
 	http3                    bool
 	http3Probe               bool
 	tlsDisableSessionTickets bool
-	tlsCipherSuite           []uint16
 	proxyDialer              *netproxy.Dialer
 	httpProxyFunction        func(*http.Request) (*url.URL, error)
 	tlsClientCreds           DOHClientCreds
@@ -100,7 +99,6 @@ func NewXTransport() *XTransport {
 		useIPv6:                  false,
 		http3Probe:               false,
 		tlsDisableSessionTickets: false,
-		tlsCipherSuite:           nil,
 		keyLogWriter:             nil,
 	}
 	return &xTransport
@@ -327,40 +325,8 @@ func (xTransport *XTransport) rebuildTransport() {
 		tlsClientConfig.Certificates = []tls.Certificate{cert}
 	}
 
-	overrideCipherSuite := len(xTransport.tlsCipherSuite) > 0
-	if xTransport.tlsDisableSessionTickets || overrideCipherSuite {
-		tlsClientConfig.SessionTicketsDisabled = xTransport.tlsDisableSessionTickets
-		if !xTransport.tlsDisableSessionTickets {
-			tlsClientConfig.ClientSessionCache = tls.NewLRUClientSessionCache(10)
-		}
-		if overrideCipherSuite {
-			tlsClientConfig.PreferServerCipherSuites = false
-			tlsClientConfig.CipherSuites = xTransport.tlsCipherSuite
-
-			// Go doesn't allow changing the cipher suite with TLS 1.3
-			// So, check if the requested set of ciphers matches the TLS 1.3 suite.
-			// If it doesn't, downgrade to TLS 1.2
-			compatibleSuitesCount := 0
-			for _, suite := range tls.CipherSuites() {
-				if suite.Insecure {
-					continue
-				}
-				for _, supportedVersion := range suite.SupportedVersions {
-					if supportedVersion == tls.VersionTLS12 {
-						for _, expectedSuiteID := range xTransport.tlsCipherSuite {
-							if expectedSuiteID == suite.ID {
-								compatibleSuitesCount += 1
-								break
-							}
-						}
-					}
-				}
-			}
-			if compatibleSuitesCount != len(tls.CipherSuites()) {
-				dlog.Notice("Explicit cipher suite configured - downgrading to TLS 1.2")
-				tlsClientConfig.MaxVersion = tls.VersionTLS12
-			}
-		}
+	if xTransport.tlsDisableSessionTickets {
+		tlsClientConfig.SessionTicketsDisabled = true
 	}
 	transport.TLSClientConfig = &tlsClientConfig
 	if http2Transport, _ := http2.ConfigureTransports(transport); http2Transport != nil {
@@ -761,13 +727,6 @@ func (xTransport *XTransport) Fetch(
 	}
 	if err != nil {
 		dlog.Debugf("[%s]: [%s]", req.URL, err)
-		if xTransport.tlsCipherSuite != nil && strings.Contains(err.Error(), "handshake failure") {
-			dlog.Warnf(
-				"TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file",
-			)
-			xTransport.tlsCipherSuite = nil
-			xTransport.rebuildTransport()
-		}
 		return nil, statusCode, nil, rtt, err
 	}
 	if xTransport.h3Transport != nil && !hasAltSupport {
