From b5848765b298fb4d73d49136c5f982288dd5f5a1 Mon Sep 17 00:00:00 2001
From: "Jens L."
Date: Sun, 28 Dec 2025 14:46:27 +0100
Subject: [PATCH] internal: update TLS Suite (#19076)

* internal: update TLS Suite

Signed-off-by: Jens Langhammer

* disable chacha20 due to fips

Signed-off-by: Jens Langhammer

---------

Signed-off-by: Jens Langhammer
---
 go.mod | 4 +---
 internal/utils/tls.go | 30 ++++++++++++++++++++++--------
 2 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/go.mod b/go.mod
index 2ae01d0cbb..ec7be4198f 100644
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,6 @@
 module goauthentik.io
 
-go 1.24.3
-
-toolchain go1.24.6
+go 1.25.5
 
 require (
 beryju.io/ldap v0.1.0
diff --git a/internal/utils/tls.go b/internal/utils/tls.go
index 36281b12ff..fc55dccd7d 100644
--- a/internal/utils/tls.go
+++ b/internal/utils/tls.go
@@ -1,25 +1,39 @@
 package utils
 
-import "crypto/tls"
+import (
+ "crypto/tls"
+ "slices"
+)
 
 func GetTLSConfig() *tls.Config {
+ // Based on
+ // https://ssl-config.mozilla.org/#server=go&version=1.25&config=intermediate&guideline=5.7
 tlsConfig := &tls.Config{
 MinVersion: tls.VersionTLS12,
- MaxVersion: tls.VersionTLS12,
+ CurvePreferences: []tls.CurveID{
+ tls.X25519,
+ tls.CurveP256,
+ tls.CurveP384,
+ },
+ PreferServerCipherSuites: true,
+ CipherSuites: []uint16{},
 }
 
- // Insecure SWEET32 attack ciphers, TLS config uses a fallback
- insecureCiphersIds := []uint16{
+ excludedCiphers := []uint16{
+ // ChaCha20 is not FIPS validated
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ // Insecure SWEET32 attack ciphers, TLS config uses a fallback
 tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
 tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 }
+
 defaultSecureCiphers := []uint16{}
 for _, cs := range tls.CipherSuites() {
- for _, icsId := range insecureCiphersIds {
- if cs.ID != icsId {
- defaultSecureCiphers = append(defaultSecureCiphers, cs.ID)
- }
+ if slices.Contains(excludedCiphers, cs.ID) {
+ continue
 }
+ defaultSecureCiphers = append(defaultSecureCiphers, cs.ID)
 }
 tlsConfig.CipherSuites = defaultSecureCiphers
 return tlsConfig
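Review bot: The ChaCha20 entries in `excludedCiphers` only take effect for TLS 1.2: `Config.CipherSuites` does not control TLS 1.3 suites, and because this change drops `MaxVersion: tls.VersionTLS12` the config now also negotiates TLS 1.3, where `TLS_CHACHA20_POLY1305_SHA256` stays selectable unless the binary runs in Go's FIPS 140-3 mode. If the FIPS constraint matters, the comment should state that limit, e.g. `// Config.CipherSuites covers TLS 1.0-1.2 only; TLS 1.3 suites are fixed by crypto/tls`, and the constraint should be enforced through the FIPS mode rather than this filter. The filter is also a deny-list over `tls.CipherSuites()`, so the result follows the toolchain and, as far as I can tell, still contains the ECDHE AES-CBC-SHA suites that the Mozilla intermediate profile cited in the comment does not list; an explicit allow-list as sketched below would pin the TLS 1.2 set, provided no client still depends on CBC. Two smaller points: `PreferServerCipherSuites` is deprecated and ignored by current crypto/tls, and setting `CurvePreferences` explicitly appears to switch off the hybrid `X25519MLKEM768` key exchange that Go enables by default when the field is nil. GetTLSConfig's closing brace is outside the hunk.

```go
	tlsConfig := &tls.Config{
		// … unchanged: MinVersion, CurvePreferences …
		// Applies to TLS 1.2 only; crypto/tls does not let callers configure
		// TLS 1.3 suites. ChaCha20-Poly1305 is left out because it is not
		// FIPS validated.
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
	// … excludedCiphers and the filtering loop are no longer needed …
	return tlsConfig
```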