From 13d5630e8017b99fdbc08c6cf52266e9ac963c42 Mon Sep 17 00:00:00 2001 From: Cameron Moore Date: Tue, 3 Dec 2019 21:36:14 -0600 Subject: [PATCH] Update docs for TLS version and cipher suite options --- README.md | 2 ++ docs/Webhook-Parameters.md | 8 +++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 1338a32..df3322f 100644 --- a/README.md +++ b/README.md @@ -83,6 +83,8 @@ However, hook defined like that could pose a security threat to your system, bec ## Using HTTPS [webhook][w] by default serves hooks using http. If you want [webhook][w] to serve secure content using https, you can use the `-secure` flag while starting [webhook][w]. Files containing a certificate and matching private key for the server must be provided using the `-cert /path/to/cert.pem` and `-key /path/to/key.pem` flags. If the certificate is signed by a certificate authority, the cert file should be the concatenation of the server's certificate followed by the CA's certificate. +TLS version and cipher suite selection flags are available from the command line. To list available cipher suites, use the `-list-cipher-suites` flag. The `-tls-min-version` flag can be used with `-list-cipher-suites`. + ## CORS Headers If you want to set CORS headers, you can use the `-header name=value` flag while starting [webhook][w] to set the appropriate CORS headers that will be returned with each response. diff --git a/docs/Webhook-Parameters.md b/docs/Webhook-Parameters.md index ab51bea..4e68ebb 100644 --- a/docs/Webhook-Parameters.md +++ b/docs/Webhook-Parameters.md @@ -3,6 +3,8 @@ Usage of webhook: -cert string path to the HTTPS certificate pem file (default "cert.pem") + -cipher-suites string + comma-separated list of supported TLS cipher suites -header value response header to return, specified in format name=value, use multiple times to set multiple headers -hooks value 
@@ -13,6 +15,8 @@ Usage of webhook: ip the webhook should serve hooks on (default "0.0.0.0") -key string path to the HTTPS certificate private key pem file (default "key.pem") + -list-cipher-suites + list available TLS cipher suites -nopanic do not panic if hooks cannot be loaded when webhook is not running in verbose mode -port int @@ -21,6 +25,8 @@ Usage of webhook: use HTTPS instead of HTTP -template parse hooks file as a Go template + -tls-min-version string + minimum TLS version (1.0, 1.1, 1.2, 1.3) (default "1.2") -urlprefix string url prefix to use for served hooks (protocol://yourserver:port/PREFIX/:hook-id) (default "hooks") -verbose @@ -35,4 +41,4 @@ Use any of the above specified flags to override their default behavior. If you are running an OS that supports USR1 signal, you can use it to trigger hooks reload from hooks file, without restarting the webhook instance. ```bash kill -USR1 webhookpid -``` \ No newline at end of file +```
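Review bot: the paragraph added under "Using HTTPS" in the README.md hunk never names the flag that actually selects cipher suites. It mentions `-list-cipher-suites` and `-tls-min-version`, while `-cipher-suites` appears only in docs/Webhook-Parameters.md. Suggest naming all three flags here, repeating the default minimum version of "1.2" from the usage text, and saying what combining `-tls-min-version` with `-list-cipher-suites` does to the listing, since "can be used with" leaves the effect unstated.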
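Review bot: in the first docs/Webhook-Parameters.md hunk, the `-cipher-suites` description gives neither the expected value format nor a default. From "comma-separated list of supported TLS cipher suites" a reader cannot tell whether the names are the ones printed by `-list-cipher-suites`, or which suites are used when the flag is omitted. Suggest stating both in the description, and saying whether the flag has any effect without `-secure`.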
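Review bot: in the second docs/Webhook-Parameters.md hunk, the `-list-cipher-suites` description does not say whether webhook exits after printing the list or continues on to serve hooks. Suggest stating that, and mentioning here that the output depends on `-tls-min-version`, which at present is documented only in the README paragraph.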
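Review bot: in the third docs/Webhook-Parameters.md hunk, the `-tls-min-version` description lists 1.0 and 1.1 next to 1.2 and 1.3 with no indication that they sit below the default. Suggest a short note that any value under the default "1.2" lowers the protocol floor for every hook served and is meant only for legacy clients, and document what happens when the value is not one of the four listed.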