Issues with selecting Cipher Suite with K6 and TLS 1.3

tobias.netscout · March 25, 2021, 2:55pm

I’m having problems selecting the cipher suite with TLS 1.3. With TLS 1.2, the following does the trick:

export let options = {
    tlsVersion: http.TLS_1_2,
    tlsCipherSuites: [
          'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    ],
};

With TLS 1.3, the Client-Hello contains a few additional cipher-suites beyond the one I specified, Here’s the Client-Hello list:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_AES_128_GCM_SHA256 (0x1301)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS_AES_256_GCM_SHA384 (0x1302)

How can I limit this list to only one cipher suite (and thus force the server to use the one I want)?

mstoykov · March 25, 2021, 3:35pm

Hi @tobias.netscout, welcome to the forum !

K6 is written in golang and this seems to be a limitation of the golang stdlib implementation. I haven’t read the whole discussion but it seems like the core team just doesn’t think it being configurable is a good idea and as such it is not possible, for TLS1.3. So in practice it is always those 4 cipher-suites that will be used.

Fixing this might be impossible or at least very hard in k6, but you are welcome to open an issue.

Topic		Replies	Views
TLS1.3 Supported K6 Version Grafana k6	3	224	April 14, 2022
What all TLS Parameters in Client Hello can be Modified? Grafana k6	9	432	May 4, 2022
TLS set ciphers in promethues web.yml file Prometheus	3	935	March 1, 2022
Does K6 provide tls session resumption OSS Support	2	141	April 18, 2023
K6 and AES encryption OSS Support	1	683	February 19, 2022

Issues with selecting Cipher Suite with K6 and TLS 1.3

Related topics