authorKrasimir Angelov <kangelov@gitlab.com>2019-05-28 12:46:50 +0300
committerNick Thomas <nick@gitlab.com>2019-05-28 12:46:50 +0300
commit1050f11598642b017486fc655561399d3766efb5 (patch)
treec559fced12a012af3f680512e3869b2e4454176c /server.go
parentef7fff4fa64c9cb3ca57faef3f26fa59f4f51ecb (diff)
Add config flags to specify TLS versions
Introduce two new configuration options -tls-min-version and -tls-max-version to control which TLS versions will be supported by the server. Accepted values are ssl3, tls1.0, tls1.1, tls1.2, and tls1.3. Closes https://gitlab.com/gitlab-org/gitlab-pages/issues/187
Diffstat (limited to 'server.go')
-rw-r--r--server.go25
1 files changed, 3 insertions, 22 deletions
diff --git a/server.go b/server.go
index 79268238..d42fd18f 100644
--- a/server.go
+++ b/server.go
@@ -12,10 +12,9 @@ import (
"golang.org/x/net/http2"
"gitlab.com/gitlab-org/gitlab-pages/internal/netutil"
+ "gitlab.com/gitlab-org/gitlab-pages/internal/tlsconfig"
)
-type tlsHandlerFunc func(*tls.ClientHelloInfo) (*tls.Certificate, error)
-
type keepAliveListener struct {
net.Listener
}
@@ -25,15 +24,6 @@ type keepAliveSetter interface {
SetKeepAlivePeriod(time.Duration) error
}
-var preferredCipherSuites = []uint16{
- tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
- tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
- tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-}
-
func (ln *keepAliveListener) Accept() (net.Conn, error) {
conn, err := ln.Listener.Accept()
if err != nil {
@@ -74,20 +64,11 @@ func listenAndServe(fd uintptr, handler http.HandlerFunc, useHTTP2 bool, tlsConf
return server.Serve(&keepAliveListener{l})
}
-func listenAndServeTLS(fd uintptr, cert, key []byte, handler http.HandlerFunc, tlsHandler tlsHandlerFunc, useHTTP2 bool, insecureCiphers bool, limiter *netutil.Limiter) error {
- certificate, err := tls.X509KeyPair(cert, key)
+func listenAndServeTLS(fd uintptr, cert, key []byte, handler http.HandlerFunc, getCertificate tlsconfig.GetCertificateFunc, insecureCiphers bool, tlsMinVersion uint16, tlsMaxVersion uint16, useHTTP2 bool, limiter *netutil.Limiter) error {
+ tlsConfig, err := tlsconfig.Create(cert, key, getCertificate, insecureCiphers, tlsMinVersion, tlsMaxVersion)
if err != nil {
return err
}
- tlsConfig := &tls.Config{}
- tlsConfig.GetCertificate = tlsHandler
- tlsConfig.Certificates = []tls.Certificate{
- certificate,
- }
- if !insecureCiphers {
- tlsConfig.PreferServerCipherSuites = true
- tlsConfig.CipherSuites = preferredCipherSuites
- }
return listenAndServe(fd, handler, useHTTP2, tlsConfig, limiter)
}
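Review bot: The new listenAndServeTLS signature has ten positional parameters and moves `useHTTP2 bool` from before `insecureCiphers bool` to after the two `uint16` version arguments, so a call site that transposes the two booleans still compiles; the diffstat is limited to server.go, so the updated callers are not visible here and are worth checking. Whether tlsconfig.Create rejects tlsMinVersion greater than tlsMaxVersion, or a value that is not a known TLS version constant, cannot be seen from this hunk; if it does not, validating the pair here before the call fails faster than discovering it at handshake time. The function also lacks a doc comment; something like `// listenAndServeTLS serves handler over TLS on fd, building the tls.Config from cert/key, getCertificate and the tlsMinVersion/tlsMaxVersion bounds (presumably tls.Version* constants) via tlsconfig.Create.` would record the contract at the definition. Longer term, a small options struct would make the boolean and version arguments self-describing at call sites.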