From c64e3d6754fc35974a0d0872b311d06505ae568a Mon Sep 17 00:00:00 2001 From: Jose Quintana Date: Fri, 12 May 2023 01:54:14 +0200 Subject: [PATCH] docs: safe tls defaults description [skip ci] --- docs/content/features/http2-tls.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/docs/content/features/http2-tls.md b/docs/content/features/http2-tls.md index 9eca939..8aaf3fb 100644 --- a/docs/content/features/http2-tls.md +++ b/docs/content/features/http2-tls.md @@ -4,6 +4,32 @@ This feature is disabled by default and can be activated via the boolean `-t, --http2` option as well as string arguments `--http2-tls-cert` (TLS certificate file path) and `--http2-tls-key` (private key file path). +## Safe TLS defaults + +SWS comes with safe TLS defaults for underlying cryptography. + +- Cipher suites: + ```rust + // TLS1.3 suites + TLS13_AES_256_GCM_SHA384 + TLS13_AES_128_GCM_SHA256 + TLS13_CHACHA20_POLY1305_SHA256 + + // TLS1.2 suites + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + ``` +- Key exchange groups: + - `X25519`, `SECP256R1` and `SECP384R1` +- Protocol versions: + - TLS `1.2` and `1.3` + +These defaults are safe and useful for most use cases. See [Rustls safe defaults](https://docs.rs/rustls/0.21.1/rustls/struct.ConfigBuilder.html#method.with_safe_defaults) for more details. + !!! info "Tips" - Either `--host`, `--port` and `--root` have defaults (optional values) so they can be specified or omitted as required. - Don't forget to adjust the proper `--port` value for the HTTP/2 & TLS feature. -- libgit2 1.7.2
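Review bot: In the new "Safe TLS defaults" section the cipher-suite list is fenced as ```rust, but the body is a bare list of rustls suite constant names with `//` comments, not compilable Rust; tag the fence as plain text (or say in a lead sentence that these are the rustls `DEFAULT_CIPHER_SUITES` identifiers) so readers do not expect a snippet they can paste. The section also never says whether these defaults can be overridden from the command line or config file; since the preceding paragraph lists `--http2-tls-cert` and `--http2-tls-key` as the only TLS options, one sentence stating that cipher suites, key exchange groups and protocol versions are fixed to the rustls safe defaults (if that is the case) would prevent users from hunting for a non-existent option. Minor: the three bullets use different layouts (a fenced block for suites, nested sub-bullets for groups and versions); a consistent nested-list form, e.g. "- Cipher suites:" followed by sub-bullets, would match the "Tips" admonition style already used below.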