>Just fix the ciphers to a list of what's known to work + some safety margin.

That's already the case. The trouble is that NSS (what firefox uses) doesn't support the same cipher suites as boringssl (what chrome uses?).