From dc5869de0b4fcab4f0291c8e835560951c5e968a Mon Sep 17 00:00:00 2001
From: Aaron Lehmann
Date: Thu, 30 Jul 2015 09:41:15 -0700
Subject: [PATCH] Change server TLS config to tighen security

Change the minimum TLS version to TLS 1.0, and add a custom list of ciphersuites which are thought to be the most secure options.

Signed-off-by: Aaron Lehmann
---
 cmd/registry/main.go | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/cmd/registry/main.go b/cmd/registry/main.go
index 66ce6367..8fe742c7 100644
--- a/cmd/registry/main.go
+++ b/cmd/registry/main.go
@@ -83,9 +83,21 @@ func main() {
 	if config.HTTP.TLS.Certificate != "" {
 		tlsConf := &tls.Config{
-			ClientAuth: tls.NoClientCert,
-			NextProtos: []string{"http/1.1"},
-			Certificates: make([]tls.Certificate, 1),
+			ClientAuth: tls.NoClientCert,
+			NextProtos: []string{"http/1.1"},
+			Certificates: make([]tls.Certificate, 1),
+			MinVersion: tls.VersionTLS10,
+			PreferServerCipherSuites: true,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+				tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+				tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			},
 		}
 		tlsConf.Certificates[0], err = tls.LoadX509KeyPair(config.HTTP.TLS.Certificate, config.HTTP.TLS.Key)