zzq1015 | 9 months ago
I always customize TLS versions and cipher suites because I don't trust the defaults.
AFAIK you can customize them on:
- Chrome & Firefox (can only enable/disable ciphers, no reordering, PQ ciphers supported since 2024)
- OpenSSL (by customizing openssl.cnf, PQ ciphers supported since 3.5)
- curl
- nginx/apache
- OpenSSH (I enabled PQ ciphers too)
- Multiple programming libraries
- and others...
Also, clients and servers don't "pick the strongest cipher that they both support". Servers select the cipher ultimately, and they can be misconfigured to pick, for example, 3DES over AES.
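The selection behaviour described in the comment above, as an added example that is not part of the original post: a simplified model of TLS 1.2-style suite selection plus a check for weak suites ranked above stronger ones in a server's list. It goes slightly beyond the comment by also modelling a server that honors the client's order. The function names, the weak-suite marker list and the sample preference lists are assumptions constructed for illustration.

```python
# Added example: simplified model of TLS 1.2-style cipher suite selection.
# Suite names are OpenSSL-style; all lists below are constructed samples.

# Substrings treated as "weak" for this illustration (assumption, not exhaustive).
WEAK_MARKERS = ("DES-CBC3", "RC4", "NULL", "EXP", "MD5")


def is_weak(suite):
    return any(marker in suite for marker in WEAK_MARKERS)


def select_suite(client_offer, server_list, server_preference=True):
    """Return the suite the server would pick, or None if nothing is shared.

    The server always makes the choice. With server_preference it walks its
    own list; otherwise it walks the client's list in the client's order.
    """
    if server_preference:
        ordered, allowed = server_list, set(client_offer)
    else:
        ordered, allowed = client_offer, set(server_list)
    for suite in ordered:
        if suite in allowed:
            return suite
    return None


def audit_server_order(server_list):
    """Return (weak, stronger) pairs where a weak suite outranks a non-weak one."""
    findings = []
    for i, suite in enumerate(server_list):
        if is_weak(suite):
            findings += [(suite, s) for s in server_list[i + 1:] if not is_weak(s)]
    return findings


# Constructed sample data: a client that still offers 3DES as a last resort.
CLIENT = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
          "AES128-SHA", "DES-CBC3-SHA"]
MISCONFIGURED = ["DES-CBC3-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
HARDENED = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print("misconfigured server picks:", select_suite(CLIENT, MISCONFIGURED))
    print("hardened server picks:     ", select_suite(CLIENT, HARDENED))
    for weak, strong in audit_server_order(MISCONFIGURED):
        print(f"order problem: {weak} is ranked above {strong}")
```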