From 0d97132056ac751d2841e35466225fbff6ad727e Mon Sep 17 00:00:00 2001
From: Krasimir Angelov <kangelov@gitlab.com>
Date: Thu, 16 May 2019 09:48:38 +0000
Subject: Disable 3DES and other insecure cipher suites

Supported cipher suites:
   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
   tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
   tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Closes https://gitlab.com/gitlab-org/gitlab-pages/issues/150.
---
 server.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'server.go')

diff --git a/server.go b/server.go
index 3a80e797..79268238 100644
--- a/server.go
+++ b/server.go
@@ -25,6 +25,15 @@ type keepAliveSetter interface {
 	SetKeepAlivePeriod(time.Duration) error
 }
 
+var preferredCipherSuites = []uint16{
+	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+}
+
 func (ln *keepAliveListener) Accept() (net.Conn, error) {
 	conn, err := ln.Listener.Accept()
 	if err != nil {
@@ -65,7 +74,7 @@ func listenAndServe(fd uintptr, handler http.HandlerFunc, useHTTP2 bool, tlsConf
 	return server.Serve(&keepAliveListener{l})
 }
 
-func listenAndServeTLS(fd uintptr, cert, key []byte, handler http.HandlerFunc, tlsHandler tlsHandlerFunc, useHTTP2 bool, limiter *netutil.Limiter) error {
+func listenAndServeTLS(fd uintptr, cert, key []byte, handler http.HandlerFunc, tlsHandler tlsHandlerFunc, useHTTP2 bool, insecureCiphers bool, limiter *netutil.Limiter) error {
 	certificate, err := tls.X509KeyPair(cert, key)
 	if err != nil {
 		return err
@@ -76,5 +85,9 @@ func listenAndServeTLS(fd uintptr, cert, key []byte, handler http.HandlerFunc, t
 	tlsConfig.Certificates = []tls.Certificate{
 		certificate,
 	}
+	if !insecureCiphers {
+		tlsConfig.PreferServerCipherSuites = true
+		tlsConfig.CipherSuites = preferredCipherSuites
+	}
 	return listenAndServe(fd, handler, useHTTP2, tlsConfig, limiter)
 }
-- 
cgit v1.2.3