docs: safe tls defaults description [skip ci]
Diff
docs/content/features/http2-tls.md | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
@@ -4,6 +4,32 @@
This feature is disabled by default and can be activated via the boolean `-t, --http2` option as well as string arguments `--http2-tls-cert` (TLS certificate file path) and `--http2-tls-key` (private key file path).
## Safe TLS defaults
SWS comes with safe TLS defaults for underlying cryptography.
- Cipher suites:
```rust
// TLS1.3 suites
TLS13_AES_256_GCM_SHA384
TLS13_AES_128_GCM_SHA256
TLS13_CHACHA20_POLY1305_SHA256
// TLS1.2 suites
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
```
- Key exchange groups:
- `X25519`, `SECP256R1` and `SECP384R1`
- Protocol versions:
- TLS `1.2` and `1.3`
These defaults are safe and useful for most use cases. See [Rustls safe defaults](https://docs.rs/rustls/0.21.1/rustls/struct.ConfigBuilder.html#method.with_safe_defaults) for more details.
!!! info "Tips"
- Either `--host`, `--port` and `--root` have defaults (optional values) so they can be specified or omitted as required.
- Don't forget to adjust the proper `--port` value for the HTTP/2 & TLS feature.
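Review bot: the cipher-suite block under "Safe TLS defaults" is fenced as ```rust but contains only suite names (and two `//` comments), not Rust code; a plain ```text fence, or a bulleted list in the same style as the "Key exchange groups" and "Protocol versions" entries that follow it, would stop those names from being highlighted as identifiers. Two smaller points in the same hunk: "Either `--host`, `--port` and `--root` have defaults" reads oddly with three items, suggest "Each of `--host`, `--port` and `--root` has a default"; and the rustls link is pinned to docs.rs 0.21.1, so it will drift from whatever rustls version SWS actually builds against, which matters here because the page presents that `with_safe_defaults` list as the exact set of suites, groups and protocol versions the server accepts.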