Merge pull request #13848 from estesp/tls-server-client-cipher-cleanup

Split client and server cipher suite list in TLS defaults
David Calavera 2015-06-19 11:08:19 -07:00
commit a03e104b0c


@ -24,21 +24,39 @@ type Options struct {
KeyFile string KeyFile string
} }
// Default is a secure-enough TLS configuration. // Extra (server-side) accepted CBC cipher suites - will phase out in the future
var Default = tls.Config{ var acceptedCBCCiphers = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
}
// Client TLS cipher suites (dropping CBC ciphers for client preferred suite set)
var clientCipherSuites = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
// For use by code which already has a crypto/tls options struct but wants to
// use a commonly accepted set of TLS cipher suites, with known weak algorithms removed
var DefaultServerAcceptedCiphers = append(clientCipherSuites, acceptedCBCCiphers...)
// ServerDefault is a secure-enough TLS configuration for the server TLS configuration.
var ServerDefault = tls.Config{
// Avoid fallback to SSL protocols < TLS1.0 // Avoid fallback to SSL protocols < TLS1.0
MinVersion: tls.VersionTLS10, MinVersion: tls.VersionTLS10,
PreferServerCipherSuites: true, PreferServerCipherSuites: true,
CipherSuites: []uint16{ CipherSuites: DefaultServerAcceptedCiphers,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, }
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // ClientDefault is a secure-enough TLS configuration for the client TLS configuration.
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, var ClientDefault = tls.Config{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, // Prefer TLS1.2 as the client minimum
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, MinVersion: tls.VersionTLS12,
tls.TLS_RSA_WITH_AES_128_CBC_SHA, CipherSuites: clientCipherSuites,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
} }
// certPool returns an X.509 certificate pool from `caFile`, the certificate file. // certPool returns an X.509 certificate pool from `caFile`, the certificate file.
@ -63,7 +81,7 @@ func certPool(caFile string) (*x509.CertPool, error) {
// Client returns a TLS configuration meant to be used by a client. // Client returns a TLS configuration meant to be used by a client.
func Client(options Options) (*tls.Config, error) { func Client(options Options) (*tls.Config, error) {
tlsConfig := Default tlsConfig := ClientDefault
tlsConfig.InsecureSkipVerify = options.InsecureSkipVerify tlsConfig.InsecureSkipVerify = options.InsecureSkipVerify
if !options.InsecureSkipVerify { if !options.InsecureSkipVerify {
CAs, err := certPool(options.CAFile) CAs, err := certPool(options.CAFile)
@ -86,7 +104,7 @@ func Client(options Options) (*tls.Config, error) {
// Server returns a TLS configuration meant to be used by a server. // Server returns a TLS configuration meant to be used by a server.
func Server(options Options) (*tls.Config, error) { func Server(options Options) (*tls.Config, error) {
tlsConfig := Default tlsConfig := ServerDefault
tlsConfig.ClientAuth = options.ClientAuth tlsConfig.ClientAuth = options.ClientAuth
tlsCert, err := tls.LoadX509KeyPair(options.CertFile, options.KeyFile) tlsCert, err := tls.LoadX509KeyPair(options.CertFile, options.KeyFile)
if err != nil { if err != nil {
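Review bot: `DefaultServerAcceptedCiphers` is exported and mutable, and `ServerDefault.CipherSuites` points at the same backing array, so (assuming `Server()` hands out its by-value copy of `ServerDefault`; its body continues outside the hunk) a write to that slice from any importing package would change the cipher list of every server config. The `append(clientCipherSuites, acceptedCBCCiphers...)` avoids aliasing `clientCipherSuites` only because a slice literal has no spare capacity; copying first, `append(append([]uint16{}, clientCipherSuites...), acceptedCBCCiphers...)`, makes that independent of how the client list is declared. The comment "with known weak algorithms removed" also overstates the list, which still includes the CBC-SHA and static-RSA suites that the comment on `acceptedCBCCiphers` says will be phased out; I would replace it with `// DefaultServerAcceptedCiphers is the server cipher list: the client GCM suites followed by the extra CBC suites slated for phase-out; treat it as read-only.`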