authorKrasimir Angelov <kangelov@gitlab.com>2019-05-16 12:48:38 +0300
committerNick Thomas <nick@gitlab.com>2019-05-16 12:48:38 +0300
commit0d97132056ac751d2841e35466225fbff6ad727e (patch)
tree1f9cd9f7b4369cf457d56a74fe24eb5e1a273c42 /server.go
parent656dfa25f02513e2b0c489ca88887f10a72299e6 (diff)
Disable 3DES and other insecure cipher suites
Supported cipher suites:
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
Closes https://gitlab.com/gitlab-org/gitlab-pages/issues/150.
Diffstat (limited to 'server.go')
-rw-r--r--server.go15
1 files changed, 14 insertions, 1 deletions
diff --git a/server.go b/server.go
index 3a80e797..79268238 100644
--- a/server.go
+++ b/server.go
@@ -25,6 +25,15 @@ type keepAliveSetter interface {
SetKeepAlivePeriod(time.Duration) error
}
+var preferredCipherSuites = []uint16{
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+}
+
func (ln *keepAliveListener) Accept() (net.Conn, error) {
conn, err := ln.Listener.Accept()
if err != nil {
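Review bot: `preferredCipherSuites` is a new package-level variable with no doc comment, and its ordering is a policy choice that becomes binding once `PreferServerCipherSuites` is set, so it deserves a sentence. Suggested comment above the declaration: `// preferredCipherSuites is the allow-list of TLS 1.2 ECDHE AEAD suites offered unless insecure ciphers are explicitly enabled; order is server preference (ChaCha20 first, presumably to favour clients without AES hardware). Go does not consult this list for TLS 1.3, which negotiates its own suites.` A note that the slice is shared configuration and must not be appended to or reordered at runtime would also help, since a `[]uint16` var is freely mutable.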
@@ -65,7 +74,7 @@ func listenAndServe(fd uintptr, handler http.HandlerFunc, useHTTP2 bool, tlsConf
return server.Serve(&keepAliveListener{l})
}
-func listenAndServeTLS(fd uintptr, cert, key []byte, handler http.HandlerFunc, tlsHandler tlsHandlerFunc, useHTTP2 bool, limiter *netutil.Limiter) error {
+func listenAndServeTLS(fd uintptr, cert, key []byte, handler http.HandlerFunc, tlsHandler tlsHandlerFunc, useHTTP2 bool, insecureCiphers bool, limiter *netutil.Limiter) error {
certificate, err := tls.X509KeyPair(cert, key)
if err != nil {
return err
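Review bot: The new `insecureCiphers bool` parameter lands directly after `useHTTP2 bool` in an eight-argument signature, so every call site will read `..., true, false, limiter)` with nothing distinguishing the two flags, and a swapped pair would silently enable the weak suites rather than fail to compile. The minimal fix is a doc comment that names the flag semantics, e.g. `// listenAndServeTLS serves handler over TLS on fd. insecureCiphers=true keeps Go's default cipher-suite list instead of restricting to preferredCipherSuites.`; folding the two booleans into a small options struct would be a larger but cleaner change. The body of listenAndServeTLS continues past this hunk.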
@@ -76,5 +85,9 @@ func listenAndServeTLS(fd uintptr, cert, key []byte, handler http.HandlerFunc, t
tlsConfig.Certificates = []tls.Certificate{
certificate,
}
+ if !insecureCiphers {
+ tlsConfig.PreferServerCipherSuites = true
+ tlsConfig.CipherSuites = preferredCipherSuites
+ }
return listenAndServe(fd, handler, useHTTP2, tlsConfig, limiter)
}
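Review bot: No `MinVersion` is set next to the cipher allow-list, so the minimum protocol version stays at whatever the Go default is (TLS 1.0 for servers on the Go releases of this period); the six suites in `preferredCipherSuites` are TLS 1.2-only, so a TLS 1.0/1.1 client is refused at suite selection rather than at version negotiation, and when `insecureCiphers` is true nothing constrains the version at all. `tlsConfig` is constructed above this hunk, so if a `MinVersion` is already set there this is moot; otherwise consider stating the policy explicitly inside the branch, `tlsConfig.MinVersion = tls.VersionTLS12`, or unconditionally if the flag is only meant to widen the cipher set rather than re-enable old protocol versions. Note also that Go ignores `CipherSuites` for TLS 1.3 handshakes, so this allow-list only constrains TLS 1.2. The enclosing function listenAndServeTLS begins outside this hunk.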