We use the following configuration to prefer 256-bit security ciphers while still using ChaCha for clients without AES acceleration:
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
AES is extremely fast with modern CPU AES acceleration so we don't particularly care that AES-256 is slower and would rather have stronger post-quantum security than an unimportant performance improvement. The performance of hybrid PQC key exchange is a lot more relevant to us and we're willing to pay that cost so we might as well use AES-256 or ChaCha20 instead of AES-128.
We're currently disabling the weak_ssl_tls check due to this but would rather leave it enabled.
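The configuration in the report can be checked mechanically. The following is an added example, not code from the report or from the linter it refers to: a small checker that parses nginx `ssl_prefer_server_ciphers`, `ssl_ciphers` and `ssl_conf_command` directives and distinguishes a "256-bit AEAD only, ChaCha20 allowed" configuration from one that still offers 128-bit suites. Only the two directives quoted above come from the report; the cipher lists in the sample configs, the cipher tables and all function names are assumptions of this example.

```python
"""Added example (not from the original report): a linter-style checker for
nginx TLS directives that separates "256-bit only" from "weak"."""
import re
from typing import Dict, List

# 256-bit AEAD suites: IANA TLS 1.3 names and OpenSSL TLS 1.2 names.
STRONG_256 = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
}
# 128-bit AEAD suites: not broken, but below the 256-bit target in the report.
AEAD_128 = {
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
}


def parse_tls_directives(conf: str) -> Dict[str, object]:
    """Collect ciphers, server preference and the PrioritizeChaCha option.

    nginx hands ssl_ciphers to OpenSSL's TLS 1.2 cipher list; TLS 1.3 suites
    are configured with `ssl_conf_command Ciphersuites ...`, so both are read.
    """
    ciphers: List[str] = []
    prefer_server = False
    prioritize_chacha = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.+?);\s*$", line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip("'\"")
        if name == "ssl_ciphers":
            ciphers += [c for c in value.split(":") if c]
        elif name == "ssl_prefer_server_ciphers":
            prefer_server = value == "on"
        elif name == "ssl_conf_command":
            parts = value.split(None, 1)
            if len(parts) != 2:
                continue
            cmd, arg = parts
            if cmd == "Ciphersuites":
                ciphers += [c for c in arg.split(":") if c]
            elif cmd == "Options":
                # OpenSSL Options syntax: comma-separated flags, "-" disables.
                for flag in arg.split(","):
                    if flag == "PrioritizeChaCha":
                        prioritize_chacha = True
                    elif flag == "-PrioritizeChaCha":
                        prioritize_chacha = False
    return {"ciphers": ciphers, "prefer_server": prefer_server,
            "prioritize_chacha": prioritize_chacha}


def classify(conf: str) -> Dict[str, object]:
    """Report 128-bit suites, unrecognised tokens, and whether ChaCha fallback works."""
    d = parse_tls_directives(conf)
    ciphers = d["ciphers"]
    below_256 = [c for c in ciphers if c in AEAD_128]
    # Tokens in neither table (CBC suites, OpenSSL keywords such as HIGH) are
    # surfaced for review rather than silently accepted as strong.
    unknown = [c for c in ciphers if c not in STRONG_256 and c not in AEAD_128]
    return {
        "below_256": below_256,
        "unknown": unknown,
        "all_256": bool(ciphers) and not below_256 and not unknown,
        # OpenSSL applies PrioritizeChaCha only when server cipher preference
        # is on, so both directives are needed for the ChaCha20 fallback.
        "chacha_prioritized": d["prefer_server"] and d["prioritize_chacha"],
    }


# Constructed sample configs; the cipher lists are assumed, not from the report.
CONF_256_ONLY = """
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
"""

CONF_WITH_128 = """
ssl_conf_command Options PrioritizeChaCha;
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305;
"""

if __name__ == "__main__":
    for label, conf in (("256-only", CONF_256_ONLY), ("with-128", CONF_WITH_128)):
        print(label, classify(conf))
```

The second sample also shows the caveat a reviewer would raise: `PrioritizeChaCha` is present but `ssl_prefer_server_ciphers` is not `on`, so the ChaCha20 preference for clients without AES acceleration never takes effect.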