author | Krasimir Angelov <kangelov@gitlab.com> | 2019-05-16 12:48:38 +0300 |
committer | Nick Thomas <nick@gitlab.com> | 2019-05-16 12:48:38 +0300 |
commit | 0d97132056ac751d2841e35466225fbff6ad727e (patch) | |
tree | 1f9cd9f7b4369cf457d56a74fe24eb5e1a273c42 /server.go | |
parent | 656dfa25f02513e2b0c489ca88887f10a72299e6 (diff) |
Disable 3DES and other insecure cipher suites
Supported cipher suites:
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Closes https://gitlab.com/gitlab-org/gitlab-pages/issues/150.
Diffstat (limited to 'server.go')
-rw-r--r-- | server.go | 15 |
1 files changed, 14 insertions, 1 deletions
@@ -25,6 +25,15 @@ type keepAliveSetter interface {
 SetKeepAlivePeriod(time.Duration) error
 }
 
+var preferredCipherSuites = []uint16{
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+}
+
 func (ln *keepAliveListener) Accept() (net.Conn, error) {
 conn, err := ln.Listener.Accept()
 if err != nil {
@@ -65,7 +74,7 @@ func listenAndServe(fd uintptr, handler http.HandlerFunc, useHTTP2 bool, tlsConf
 return server.Serve(&keepAliveListener{l})
 }
 
-func listenAndServeTLS(fd uintptr, cert, key []byte, handler http.HandlerFunc, tlsHandler tlsHandlerFunc, useHTTP2 bool, limiter *netutil.Limiter) error {
+func listenAndServeTLS(fd uintptr, cert, key []byte, handler http.HandlerFunc, tlsHandler tlsHandlerFunc, useHTTP2 bool, insecureCiphers bool, limiter *netutil.Limiter) error {
 certificate, err := tls.X509KeyPair(cert, key)
 if err != nil {
 return err
@@ -76,5 +85,9 @@ func listenAndServeTLS(fd uintptr, cert, key []byte, handler http.HandlerFunc, t
 tlsConfig.Certificates = []tls.Certificate{
 certificate,
 }
+ if !insecureCiphers {
+ tlsConfig.PreferServerCipherSuites = true
+ tlsConfig.CipherSuites = preferredCipherSuites
+ }
 return listenAndServe(fd, handler, useHTTP2, tlsConfig, limiter)
 }
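Review bot: The new `if !insecureCiphers` branch restricts the cipher-suite list but does not pin the protocol version, so the minimum TLS version still comes from wherever tlsConfig is built above this hunk, which is not visible here. All six entries in preferredCipherSuites are AEAD suites that Go's crypto/tls only offers on TLS 1.2, so in practice pre-1.2 clients will fail the handshake with a cipher-suite mismatch rather than a clear version error; adding `tlsConfig.MinVersion = tls.VersionTLS12` next to `tlsConfig.CipherSuites = preferredCipherSuites` makes that intent explicit and keeps the guarantee if the list is later extended. Note that CipherSuites governs TLS 1.2 and below only; TLS 1.3 suites are fixed by the runtime and unaffected by this setting, which is worth a one-line comment on the branch. A doc comment on `preferredCipherSuites` stating that it is deliberately ECDHE-only and AEAD-only (forward secrecy, no CBC/3DES/static-RSA) and is applied only when insecureCiphers is false would help the next reader, since the variable currently has none. listenAndServeTLS begins before the last hunk, and the two adjacent bool parameters `useHTTP2 bool, insecureCiphers bool` are easy to transpose at call sites, so the caller updates deserve a careful look.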