Remove 3DES ciphers from default TLS config

caddy/setup/tls.go

@@ -137,8 +137,6 @@ var supportedCiphersMap = map[string]uint16{
 	"ECDHE-ECDSA-AES128-CBC-SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 	"RSA-AES128-CBC-SHA":            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
 	"RSA-AES256-CBC-SHA":            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-	"ECDHE-RSA-3DES-EDE-CBC-SHA":    tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-	"RSA-3DES-EDE-CBC-SHA":          tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 }
 
 // List of supported cipher suites in descending order of preference.
@@ -156,6 +154,4 @@ var supportedCiphers = []uint16{
 	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 	tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 	tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-	tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 }

caddy/setup/tls_test.go

@@ -42,8 +42,6 @@ func TestTLSParseBasic(t *testing.T) {
 		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 		tls.TLS_FALLBACK_SCSV,
 	}
 
@@ -77,7 +75,7 @@ func TestTLSParseIncompleteParams(t *testing.T) {
 func TestTLSParseWithOptionalParams(t *testing.T) {
 	params := `tls cert.crt cert.key {
             protocols ssl3.0 tls1.2
-            ciphers RSA-3DES-EDE-CBC-SHA RSA-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256
+            ciphers RSA-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256
         }`
 	c := NewTestController(params)
 
@@ -94,8 +92,8 @@ func TestTLSParseWithOptionalParams(t *testing.T) {
 		t.Errorf("Expected 'tls1.2 (0x0302)' as ProtocolMaxVersion, got %#v", c.TLS.ProtocolMaxVersion)
 	}
 
-	if len(c.TLS.Ciphers)-1 != 3 {
-		t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(c.TLS.Ciphers))
+	if len(c.TLS.Ciphers)-1 != 2 {
+		t.Errorf("Expected 2 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(c.TLS.Ciphers))
 	}
 }