mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-16 21:56:40 -05:00
tls: Enable TLS 1.3 by default; set sane defaults on tls.Config structs
This commit is contained in:
parent
9f8d3611eb
commit
533d1afb4b
2 changed files with 40 additions and 0 deletions
|
@ -132,6 +132,10 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
|
|||
}
|
||||
tlsApp := tlsAppIface.(*TLS)
|
||||
|
||||
// fill in some "easy" default values, but for other values
|
||||
// (such as slices), we should ensure that they start empty
|
||||
// so the user-provided config can fill them in; then we will
|
||||
// fill in a default config at the end if they are still unset
|
||||
cfg := &tls.Config{
|
||||
NextProtos: p.ALPN,
|
||||
PreferServerCipherSuites: true,
|
||||
|
@ -210,11 +214,39 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
|
|||
|
||||
// TODO: client auth, and other fields
|
||||
|
||||
setDefaultTLSParams(cfg)
|
||||
|
||||
p.stdTLSConfig = cfg
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// setDefaultTLSParams sets the default TLS cipher suites, protocol versions,
|
||||
// and server preferences of cfg if they are not already set; it does not
|
||||
// overwrite values, only fills in missing values.
|
||||
func setDefaultTLSParams(cfg *tls.Config) {
|
||||
if len(cfg.CipherSuites) == 0 {
|
||||
cfg.CipherSuites = getOptimalDefaultCipherSuites()
|
||||
}
|
||||
|
||||
// Not a cipher suite, but still important for mitigating protocol downgrade attacks
|
||||
// (prepend since having it at end breaks http2 due to non-h2-approved suites before it)
|
||||
cfg.CipherSuites = append([]uint16{tls.TLS_FALLBACK_SCSV}, cfg.CipherSuites...)
|
||||
|
||||
if len(cfg.CurvePreferences) == 0 {
|
||||
cfg.CurvePreferences = defaultCurves
|
||||
}
|
||||
|
||||
if cfg.MinVersion == 0 {
|
||||
cfg.MinVersion = tls.VersionTLS12
|
||||
}
|
||||
if cfg.MaxVersion == 0 {
|
||||
cfg.MaxVersion = tls.VersionTLS13
|
||||
}
|
||||
|
||||
cfg.PreferServerCipherSuites = true
|
||||
}
|
||||
|
||||
// PublicKeyAlgorithm is a JSON-unmarshalable wrapper type.
|
||||
type PublicKeyAlgorithm x509.PublicKeyAlgorithm
|
||||
|
||||
|
|
|
@ -18,7 +18,9 @@ import (
|
|||
"crypto/tls"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"log"
|
||||
"net/http"
|
||||
"os"
|
||||
"time"
|
||||
|
||||
"github.com/caddyserver/caddy"
|
||||
|
@ -32,6 +34,12 @@ func init() {
|
|||
Name: "tls",
|
||||
New: func() interface{} { return new(TLS) },
|
||||
})
|
||||
|
||||
// opt-in TLS 1.3 for Go1.12
|
||||
// TODO: remove this line when Go1.13 is released.
|
||||
if err := os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1"); err != nil {
|
||||
log.Println("[ERROR] failed to set environment variable: ", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TLS represents a process-wide TLS configuration.
|
||||
|
|
Loading…
Reference in a new issue