Browse Source

Improve TLS Config to prefer server ciphers, remove 3DES ciphers and require TLS 1.1 or higher

master
Bernhard Fröhlich 6 months ago
parent
commit
6270d75571
Signed by: Bernhard Froehlich <decke@bluelife.at> GPG Key ID: 4DD88C3F9F3B8333
1 changed files with 48 additions and 0 deletions
  1. 48
    0
      main.go

+ 48
- 0
main.go View File

@@ -192,6 +192,30 @@ func main() {
192 192
 			}
193 193
 
194 194
 			server.TLSConfig = &tls.Config {
195
+				PreferServerCipherSuites: true,
196
+				MinVersion:               tls.VersionTLS11,
197
+
198
+				// Ciphersuites as defined in stock Go but without 3DES
199
+				// https://golang.org/src/crypto/tls/cipher_suites.go
200
+				CipherSuites: []uint16 {
201
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
202
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
203
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
204
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
205
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
206
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
207
+					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
208
+					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
209
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
210
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
211
+					tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
212
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
213
+					tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // does not provide PFS
214
+					tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // does not provide PFS
215
+					tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
216
+					tls.TLS_RSA_WITH_AES_128_CBC_SHA,
217
+					tls.TLS_RSA_WITH_AES_256_CBC_SHA,
218
+				},
195 219
 				Certificates: [] tls.Certificate{cert},
196 220
 			}
197 221
 			server.ForceTLS = *localForceTLS
@@ -215,6 +239,30 @@ func main() {
215 239
 			}
216 240
 
217 241
 			server.TLSConfig = &tls.Config {
242
+				PreferServerCipherSuites: true,
243
+				MinVersion:               tls.VersionTLS11,
244
+
245
+				// Ciphersuites as defined in stock Go but without 3DES
246
+				// https://golang.org/src/crypto/tls/cipher_suites.go
247
+				CipherSuites: []uint16 {
248
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
249
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
250
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
251
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
252
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
253
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
254
+					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
255
+					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
256
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
257
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
258
+					tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
259
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
260
+					tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // does not provide PFS
261
+					tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // does not provide PFS
262
+					tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
263
+					tls.TLS_RSA_WITH_AES_128_CBC_SHA,
264
+					tls.TLS_RSA_WITH_AES_256_CBC_SHA,
265
+				},
218 266
 				Certificates: [] tls.Certificate{cert},
219 267
 			}
220 268
 

Loading…
Cancel
Save