From 77e68eea02ee6d581555125196a5804ac24adc5f Mon Sep 17 00:00:00 2001
From: Wang Tengfei
Date: Fri, 17 Mar 2023 13:32:04 +0800
Subject: [PATCH] fix: tls min version and cipher suites (#5)

---
 pkg/server/server.go | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/pkg/server/server.go b/pkg/server/server.go
index 4e9ea47..52d58da 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -2,6 +2,7 @@ package server
 
 import (
 "context"
+ "crypto/tls"
 "fmt"
 "net"
 "net/http"
@@ -175,7 +176,31 @@ func (s *Server) Start() error {
 
 handler := s.Container()
 if s.ServerConfig.TLSCertFile != "" && s.ServerConfig.TLSKeyFile != "" {
- return http.ListenAndServeTLS(addr, s.ServerConfig.TLSCertFile, s.ServerConfig.TLSKeyFile, handler)
+
+ cert, err := tls.LoadX509KeyPair(s.ServerConfig.TLSCertFile, s.ServerConfig.TLSKeyFile)
+ if err != nil {
+ return err
+ }
+
+ config := tls.Config{
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ },
+ MinVersion: tls.VersionTLS12,
+ Certificates: []tls.Certificate{cert},
+ }
+
+ listener, err := tls.Listen("tcp", addr, &config)
+ if err != nil {
+ return err
+ }
+
+ return http.Serve(listener, handler)
 }
 return http.ListenAndServe(addr, handler)
 }
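Review bot: Replacing http.ListenAndServeTLS with tls.Listen plus http.Serve in the second hunk silently drops HTTP/2: the stdlib's ServeTLS/ListenAndServeTLS add "h2" to NextProtos and wire up the HTTP/2 server, whereas the new tls.Config sets no NextProtos, so the listener advertises no ALPN protocol and every client falls back to HTTP/1.1. Building an http.Server with TLSConfig set to the new config and calling its ListenAndServeTLS("", "") (the file arguments may be empty because Certificates is already populated) keeps the MinVersion/CipherSuites hardening and the previous HTTP/2 behaviour, and gives a natural place to set ReadHeaderTimeout, which neither the old nor the new code sets, so slow header senders can hold connections open indefinitely. The two bare `return err` lines would also carry more context wrapped, e.g. `return fmt.Errorf("loading TLS key pair: %w", err)`, since fmt is already imported per the first hunk. Start() begins before this hunk, so addr is presumably defined in the part not shown.
```go
	if s.ServerConfig.TLSCertFile != "" && s.ServerConfig.TLSKeyFile != "" {
		// … unchanged: tls.LoadX509KeyPair and the tls.Config literal …
		srv := &http.Server{
			Addr:              addr,
			Handler:           handler,
			TLSConfig:         &config,
			ReadHeaderTimeout: readHeaderTimeout, // placeholder: choose a project-appropriate duration
		}
		// ServeTLS/ListenAndServeTLS keep the HTTP/2 ALPN setup that http.Serve over a raw tls.Listener loses.
		return srv.ListenAndServeTLS("", "")
	}
```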