Reconfigure cipher suites in services/loadBalancer

Is there any way to rewrite the cipher suite that traefik offers to configured servers in a loadBalancer?

We are currently facing an issue where traefik cannot connect to a device on the network. It took us a long time to figure it out since the error message is just:
level=debug msg="'502 Bad Gateway' caused by: remote error: tls: handshake failure"
In the pcap the message from the device was Handshake Failure (40) and with the 40 we were able to deduce that there were no shared cipher suites.

Traefik does offer the following cipher suites in the Client Hello:

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256

But the device does not accept any of them. I had hoped that traefik would just offer all cipher suites defined in Go's crypto/tls package, because at least the following are supported by the device:

  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384

There are also some CBC ciphers that match, but let's not use them.

We know/verified that it worked with version 2.10.4. We have updated over the last few weeks first to 2.10.7, then to 2.11.11 and finally today to 2.11.13. Somewhere between 2.10.4 and 2.11.11 this problem occurred.

Our dynamic config currently looks like this:

http:
  routers:
    device:
      entrypoint:
        - websecure-device
      service: device@file
      rule: Host(`device.example.com`)
      tls:
        certResolver: cloudflare
  services:
    device:
      loadBalancer:
        servers:
          - url: https://192.168.100.2
        passHostHeader: true
        serversTransport: https-insecure@file
  serversTransports:
    https: []
    https-insecure:
      insecureSkipVerify: true

You should be able to define the external cipher suites for entrypoint (doc):

# Dynamic configuration

tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

But it seems there is no dynamic config for the internal requests (doc, reference).

Note that you can check the changelog on Traefik Github.

Maybe open a feature request on Traefik Github?

The external cipher suites do not really help me since it's the "internal" ciphers that block the communication. In fact I even tried to set external cipher suites in the hope that it would somehow carry over to the internal ones, but to no avail.
I already read the Changelog (traefik/traefik on GitHub) but could not find any information about disabling cipher suites. AFAIK it looks like every non-FS suite has been disabled.
This is unfortunate because I try to put everything with weak/weird/no encryption behind traefik in private networks, but with the Client Hello resulting in handshake failures this is then foiled.

I have now confirmed that 2.10.7 still works but from 2.11.x it does not. My Go knowledge is not enough to look for the code changes.

If someone knows of a way to change the ciphers even if the reference configuration does not suggest anything in that way, let me know.

In the meantime I will go ahead and file an issue on GitHub, since this is either a bug or an undocumented change, and depending on that I will follow up with a feature request.
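To reproduce the mismatch in code rather than only in a pcap, here is an added Go example (not part of this thread or of Traefik) that replays the Client Hello list from the question against an in-memory server accepting only the device's two RSA key-exchange suites, then repeats the handshake with those suites appended. The suite lists come from the posts above; the self-signed certificate and the pipe-based server are constructed stand-ins for the device, and tls.Config.CipherSuites is crypto/tls's own setting, which the answer notes is not exposed for serversTransport.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// TLS 1.2 suites from the Client Hello quoted in the question (Go adds the TLS 1.3 ones itself).
var traefikSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
}
// What the device accepts according to the question: RSA key exchange, no forward secrecy.
var deviceSuites = []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_256_GCM_SHA384}
// The client list a fixed serversTransport would need: Traefik's suites plus the device's.
var fixedSuites = append(append([]uint16(nil), traefikSuites...), deviceSuites...)

// tryHandshake runs one TLS 1.2 handshake over an in-memory pipe: the server plays the device with
// deviceSuites only; the client offers clientSuites and, like the question's serversTransport,
// skips certificate verification. It returns the client's handshake error (nil on success).
func tryHandshake(clientSuites []uint16) error {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway cert for the simulated device (constructed; errors ignored)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "device"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	srvConn, cliConn := net.Pipe()
	server := tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, CipherSuites: deviceSuites})
	done := make(chan error, 1)
	go func() { done <- server.Handshake() }()
	err := tls.Client(cliConn, &tls.Config{InsecureSkipVerify: true, CipherSuites: clientSuites}).Handshake()
	cliConn.Close() // unblocks the server goroutine if it is still mid-write, so the wait below cannot hang
	<-done
	return err
}

func main() {
	fmt.Println("Traefik's list:", tryHandshake(traefikSuites)) // remote error: tls: handshake failure
	fmt.Println("with RSA kex:  ", tryHandshake(fixedSuites))   // <nil>
}
```

Go 1.22 removed the RSA key-exchange suites from crypto/tls's default list (the tlsrsakex=1 GODEBUG setting restores them), which matches the version window described above if the 2.11 binaries were built with Go 1.22 or newer.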