5th September 2015
Scarletts
-Guest-

The cipher suite strings used by relayd are the same as those used by httpd, the standard `openssl ciphers` style. The strings from the aforementioned web page will work, too.

I'd generally use something like this?

```
tls ciphers "HIGH:!aNULL:!SSLv3:!DSS:!ECDSA:!RSA:-ECDH:ECDHE:+SHA384:+SHA256"
tls cipher-server-preference
tls no client-renegotiation
```

It gives an order of preference that makes sense to me:

```
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
```

In httpd, you have to use the dhe keyword for this suite selection to make sense. I'm not sure if the edh keyword is needed in relayd; EDH is usually only used in reference to old cipher suites which aren't included here.

It excludes SHA and DSA-based ciphers, non-PFS ciphers, and moves CBC-based ciphers to the back of the list.

It prefers discrete logarithm-based crypto over elliptic curves. Unfortunately, it seems questionable whether the current elliptic curves used in TLS are entirely trustworthy (see safecurves), but Firefox requires ECDHE if you want perfect forward secrecy.

I'm not sure how much all of this helps. If you're tweaking cipher suites beyond relayd's defaults, it would seem you're working against institutions of great power, for which TLS seems woefully inadequate. For most purposes, the defaults should be fine.

Last edited by Scarletts; 5th September 2015 at 03:18 AM.
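
Added example, not part of Scarletts's post: a small Python parser for the `openssl ciphers -v` listing quoted above that checks each suite against the properties the post names (forward secrecy, RSA authentication, no SHA-1 MAC, AEAD ranked ahead of CBC). It assumes that a bare `Kx=DH` or `Kx=ECDH` in this output format denotes an ephemeral exchange; the `WEAK` line is constructed for contrast and does not come from the post.

```python
import re

# `openssl ciphers -v` output exactly as quoted in the post (12 suites).
LISTING = """\
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
"""
# Constructed line (not from the post), same format: a non-PFS, SHA-1 suite.
WEAK = "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"

ROW = re.compile(r"(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")
FIELDS = ("name", "proto", "kx", "au", "enc", "mac")

def parse(listing):
    """Turn `openssl ciphers -v` lines into dicts, keeping preference order."""
    suites = []
    for line in filter(None, map(str.strip, listing.splitlines())):
        m = ROW.fullmatch(line)
        if m is None:
            raise ValueError(f"unrecognised line: {line!r}")
        suites.append(dict(zip(FIELDS, m.groups())))
    return suites

def audit(suites):
    """Return (position, suite, problem) for each property the post rules out."""
    findings, seen_non_aead = [], False
    for pos, s in enumerate(suites, 1):
        if s["kx"] not in ("DH", "ECDH"):   # assumed: bare DH/ECDH is ephemeral
            findings.append((pos, s["name"], "no forward secrecy"))
        if s["au"] != "RSA":                # post drops DSS, ECDSA and aNULL
            findings.append((pos, s["name"], "authentication is not RSA"))
        if s["mac"] in ("SHA1", "MD5"):
            findings.append((pos, s["name"], "SHA-1/MD5 MAC"))
        if s["mac"] == "AEAD" and seen_non_aead:
            findings.append((pos, s["name"], "AEAD ranked after non-AEAD"))
        seen_non_aead = seen_non_aead or s["mac"] != "AEAD"
    return findings

if __name__ == "__main__":
    print(audit(parse(LISTING)))
    print(audit(parse(WEAK)))
```

Pasting the output of `openssl ciphers -v '<string>'` from the target host into `LISTING` re-runs the same checks against whatever that host's library actually expands the string to.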