Issues with selecting Cipher Suite with K6 and TLS 1.3

I’m having problems selecting the cipher suite with TLS 1.3. With TLS 1.2, the following does the trick:

export let options = {
    tlsVersion: http.TLS_1_2,
    tlsCipherSuites: [

With TLS 1.3, the Client-Hello contains a few additional cipher-suites beyond the one I specified, Here’s the Client-Hello list:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
  • TLS_AES_128_GCM_SHA256 (0x1301)
  • TLS_CHACHA20_POLY1305_SHA256 (0x1303)
  • TLS_AES_256_GCM_SHA384 (0x1302)

How can I limit this list to only one cipher suite (and thus force the server to use the one I want)?

Hi @tobias.netscout, welcome to the forum :tada:!

K6 is written in golang and this seems to be a limitation of the golang stdlib implementation. I haven’t read the whole discussion but it seems like the core team just doesn’t think it being configurable is a good idea and as such it is not possible, for TLS1.3. So in practice it is always those 4 cipher-suites that will be used.

Fixing this might be impossible or at least very hard in k6, but you are welcome to open an issue.

1 Like