Update TLS profiles to Mozilla guidelines v6.0

camilamacedo86 · claude · camilamacedo86 · commit 89b7b9f85deb · 2026-04-07T15:19:43.000+02:00
Mozilla updated their TLS configuration guidelines to v6.0, which includes:
- Removed legacy "old" profile (preserved v5.7 definition for backwards compatibility)
- Changed cipher list format from "ciphers.go" to "ciphers.iana"
- Added X25519MLKEM768 post-quantum hybrid curve
- Fixed cipher constant names (CHACHA20_POLY1305_SHA256)

Updated update-tls-profiles.sh to handle the new JSON structure and
added X25519MLKEM768 curve support to tlsprofiles package.

Co-Authored-By: Claude Sonnet 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/hack/tools/update-tls-profiles.sh b/hack/tools/update-tls-profiles.sh
@@ -38,7 +38,7 @@ cipherNums: []uint16{
 EOF
 
     ${JQ} -r ".configurations.$1.ciphersuites.[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
-    ${JQ} -r ".configurations.$1.ciphers.go[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
+    ${JQ} -r ".configurations.$1.ciphers.iana[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
 
     cat >> ${OUTPUT} <<EOF
 },
@@ -63,7 +63,51 @@ EOF
 
 generate_profile "modern"
 generate_profile "intermediate"
-generate_profile "old"
+# Only generate old profile if it exists in the guidelines
+if ${JQ} -e '.configurations.old' ${TMPFILE} > /dev/null 2>&1; then
+    generate_profile "old"
+else
+    # Old profile removed from Mozilla guidelines v6.0
+    # Preserving v5.7 definition for backwards compatibility
+    cat >> ${OUTPUT} <<'EOF'
+
+var oldTLSProfile = tlsProfile{
+	ciphers: cipherSlice{
+		cipherNums: []uint16{
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		},
+	},
+	curves: curveSlice{
+		curveNums: []tls.CurveID{
+			X25519,
+			prime256v1,
+			secp384r1,
+		},
+	},
+	minTLSVersion: tls.VersionTLS10,
+}
+EOF
+fi
 
 # Make go happy
 go fmt ${OUTPUT}
diff --git a/internal/shared/util/tlsprofiles/mozilla_data.go b/internal/shared/util/tlsprofiles/mozilla_data.go
@@ -2,7 +2,7 @@ package tlsprofiles
 
 // DO NOT EDIT, GENERATED BY hack/tools/update-tls-profiles.sh
 // DATA SOURCE: https://ssl-config.mozilla.org/guidelines/latest.json
-// DATA VERSION: 5.7
+// DATA VERSION: 6
 
 import (
 	"crypto/tls"
@@ -18,6 +18,7 @@ var modernTLSProfile = tlsProfile{
 	},
 	curves: curveSlice{
 		curveNums: []tls.CurveID{
+			X25519MLKEM768,
 			X25519,
 			prime256v1,
 			secp384r1,
@@ -36,12 +37,13 @@ var intermediateTLSProfile = tlsProfile{
 			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 		},
 	},
 	curves: curveSlice{
 		curveNums: []tls.CurveID{
+			X25519MLKEM768,
 			X25519,
 			prime256v1,
 			secp384r1,
diff --git a/internal/shared/util/tlsprofiles/tlsprofiles.go b/internal/shared/util/tlsprofiles/tlsprofiles.go
@@ -69,17 +69,19 @@ func cipherSuiteId(name string) uint16 {
 
 // This is primarily so that we don't have to rewrite curve values in mozilla_data.go
 const (
-	X25519     tls.CurveID = tls.X25519
-	prime256v1 tls.CurveID = tls.CurveP256
-	secp384r1  tls.CurveID = tls.CurveP384
-	secp521r1  tls.CurveID = tls.CurveP521
+	X25519MLKEM768 tls.CurveID = tls.X25519MLKEM768
+	X25519         tls.CurveID = tls.X25519
+	prime256v1     tls.CurveID = tls.CurveP256
+	secp384r1      tls.CurveID = tls.CurveP384
+	secp521r1      tls.CurveID = tls.CurveP521
 )
 
 var curves = map[string]tls.CurveID{
-	"X25519":     tls.X25519,
-	"prime256v1": tls.CurveP256,
-	"secp384r1":  tls.CurveP384,
-	"secp521r1":  tls.CurveP521,
+	"X25519MLKEM768": tls.X25519MLKEM768,
+	"X25519":         tls.X25519,
+	"prime256v1":     tls.CurveP256,
+	"secp384r1":      tls.CurveP384,
+	"secp521r1":      tls.CurveP521,
 }
 
 // Returns 0 for an invalid curve name
