Tls_cipher_suites configuration

Hi All,
I am trying to configure tls_cipher_suites in consul.hcl but once I validated the file it came out with error below:

Config validation failed: 1 error occurred:
        * tls.defaults.tls_cipher_suites: invalid TLS cipher suites: no matching Consul Agent TLS cipher suite found for ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384

The configuration I added is like:


And the suite list comes from:

May I know what the correct suites should be?

Consul version is 1.12.2, did anyone know how to configure this parameter?

Envoy actually uses non-standard names for these cipher suites, which differ from the IANA spec, and there are two different places cipher suites in Consul can be configured - for Consul Agent TLS (which uses Go’s TLS implementation and appears to be what you’re attempting to configure here), and the Envoy proxy TLS config (e.g. for Ingress or API Gateways).

The full list of supported cipher suites for Consul (both Agent TLS and Envoy proxy) can be found in the source code at consul/tls.go at 693c8a4706e10bc8cd212ceaf0b6728045e96e17 · hashicorp/consul · GitHub

The docs for tls_cipher_suites does link to a GitHub search query where you can find the Consul Agent TLS suites valid for that config.