
Add TLS cipher suite configuration to exclude obsolete CBC ciphers#1

Draft
Copilot wants to merge 4 commits into main from copilot/limit-acme-cipher-suites

Conversation


Copilot AI commented Jan 29, 2026

Security scanners flag the HTTPS server for offering obsolete CBC-based ciphers. This adds configuration to limit which TLS cipher suites are enabled.

Changes

  • Configuration: Added --tls-cipher-suites flag to run command with environment variable support (TLS_CIPHER_SUITES)
  • Implementation: Created ParseCipherSuites() to convert comma-separated cipher suite names to IDs and apply them to the TLS server configuration
  • Tests: Added unit tests for parsing and integration test for server configuration

Usage

# CLI flag
kamal-proxy run --tls-cipher-suites "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

# Environment variable
TLS_CIPHER_SUITES="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" kamal-proxy run

Notes

  • Empty/unset configuration uses Go's default cipher suite selection (backward compatible)
  • Cipher suites must match certificate type (RSA vs ECDSA)
  • TLS 1.3 cipher suites are always enabled (Go limitation)
Original prompt

allow limiting ACME cipher suites

Reason being: when using testssl we can see the message:

Obsoleted CBC ciphers (AES, ARIA etc.) offered

So we'd need to exclude these ciphers from the HTTP server - I'd love to do this within kamal-proxy
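An added example (not code from the PR or from kamal-proxy) of the parse-and-apply logic the description outlines: suite names are resolved against Go's crypto/tls list, an empty value keeps Go's defaults, TLS 1.3 names resolve but are ignored by Go, and OffersCBC re-checks the result for the CBC suites the scanner flagged. The function names ParseCipherSuites and OffersCBC follow the description; the implementation and the sample list in main are this example's own.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// ParseCipherSuites turns the comma-separated IANA suite names passed on
// --tls-cipher-suites (or in TLS_CIPHER_SUITES) into crypto/tls IDs. An empty
// list returns nil so tls.Config keeps Go's defaults; a name missing from
// tls.CipherSuites() (unknown, or one Go classifies as insecure) is an error.
func ParseCipherSuites(list string) ([]uint16, error) {
	if strings.TrimSpace(list) == "" {
		return nil, nil
	}
	byName := make(map[string]uint16)
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs.ID
	}
	var ids []uint16
	for _, raw := range strings.Split(list, ",") {
		name := strings.TrimSpace(raw)
		if name == "" {
			continue // tolerate a trailing or doubled comma
		}
		id, ok := byName[name]
		if !ok {
			return nil, fmt.Errorf("unknown or insecure cipher suite %q", name)
		}
		// TLS 1.3 names resolve too, but Go ignores them here: they are always on.
		ids = append(ids, id)
	}
	return ids, nil
}

// OffersCBC reports whether an explicit list still contains a CBC-mode suite.
func OffersCBC(ids []uint16) bool {
	for _, id := range ids {
		if strings.Contains(tls.CipherSuiteName(id), "_CBC_") {
			return true
		}
	}
	return false
}

func main() {
	ids, err := ParseCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA")
	fmt.Println(ids, err, "CBC still offered:", OffersCBC(ids))
}
```

The list in main deliberately mixes a GCM suite with a CBC suite so the check reports true; a list built only from the GCM suites in the Usage section above reports false.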



Copilot AI and others added 3 commits January 29, 2026 13:09
Co-authored-by: jonasbark <1151304+jonasbark@users.noreply.github.com>
Copilot AI changed the title [WIP] Allow limiting ACME cipher suites in kamal-proxy Add TLS cipher suite configuration to exclude obsolete CBC ciphers Jan 29, 2026
Copilot AI requested a review from jonasbark January 29, 2026 13:18