fix: Remove ciphers considered insecure in go 1.22. (#340)

* fix: Remove ciphers considered insecure in go 1.22.

* Update set of ciphers to latest set.

* Fix syntax.

tlsconfig/common.go

@@ -8,17 +8,23 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
-	"io/ioutil"
+	"os"
 )
 
 var defaultCipherSuites = []uint16{
+	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+	// TLSv1.3
+	tls.TLS_CHACHA20_POLY1305_SHA256,
+	tls.TLS_AES_128_GCM_SHA256,
+	tls.TLS_AES_256_GCM_SHA384,
+	// TLSv1.2
+	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 	// This cipher suite is included to enable http/2. For details, see
-	// https://blog.bracelab.com/achieving-perfect-ssl-labs-score-with-go
+	// required to include for http/2: https://http2.github.io/http2-spec/#rfc.section.9.2.2
 	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-	tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-	tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 }
 
 // TLSCertFromFiles returns a provider that returns a tls.Certificate by loading an X509 key pair from the files in the
@@ -35,7 +41,7 @@ func CertPoolFromCAFiles(caFiles ...string) CertPoolProvider {
 	return func() (*x509.CertPool, error) {
 		certPool := x509.NewCertPool()
 		for _, caFile := range caFiles {
-			cert, err := ioutil.ReadFile(caFile)
+			cert, err := os.ReadFile(caFile)
 			if err != nil {
 				return nil, fmt.Errorf("failed to load certificates from file %s: %v", caFile, err)
 			}