0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-23 22:27:38 -05:00
caddy/config/setup/tls.go
2015-05-18 18:15:41 -03:00

117 lines
3.2 KiB
Go

package setup
import (
"crypto/tls"
"log"
"strconv"
"strings"
"github.com/mholt/caddy/middleware"
)
// Map of supported protocols
// SSLv3 will be not supported in next release
var supportedProtocols = map[string]uint16{
"ssl3.0": tls.VersionSSL30,
"tls1.0": tls.VersionTLS10,
"tls1.1": tls.VersionTLS11,
"tls1.2": tls.VersionTLS12,
}
// Map of supported ciphers
// For security reasons caddy will not support RC4 ciphers
var supportedCiphers = map[string]uint16{
"ECDHE-RSA-AES128-GCM-SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
"ECDHE-ECDSA-AES128-GCM-SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
"ECDHE-RSA-AES128-CBC-SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
"ECDHE-RSA-AES256-CBC-SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
"ECDHE-ECDSA-AES256-CBC-SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
"ECDHE-ECDSA-AES128-CBC-SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
"RSA-AES128-CBC-SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
"RSA-AES256-CBC-SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
"ECDHE-RSA-3DES-EDE-CBC-SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
"RSA-3DES-EDE-CBC-SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
}
func TLS(c *Controller) (middleware.Middleware, error) {
c.TLS.Enabled = true
if c.Port == "http" {
c.TLS.Enabled = false
log.Printf("Warning: TLS was disabled on host http://%s."+
" Make sure you are specifying https://%s in your config (if you haven't already)."+
" If you meant to serve tls on port 80,"+
" specify port 80 in your config (https://%s:80).", c.Host, c.Host, c.Host)
}
for c.Next() {
if !c.NextArg() {
return nil, c.ArgErr()
}
c.TLS.Certificate = c.Val()
if !c.NextArg() {
return nil, c.ArgErr()
}
c.TLS.Key = c.Val()
// Optional block
for c.NextBlock() {
switch c.Val() {
case "protocols":
args := c.RemainingArgs()
if len(args) != 2 {
return nil, c.ArgErr()
}
value, ok := supportedProtocols[strings.ToLower(args[0])]
if !ok {
return nil, c.ArgErr()
}
c.TLS.ProtocolMinVersion = value
value, ok = supportedProtocols[strings.ToLower(args[1])]
if !ok {
return nil, c.ArgErr()
}
c.TLS.ProtocolMaxVersion = value
case "ciphers":
for c.NextArg() {
value, ok := supportedCiphers[strings.ToUpper(c.Val())]
if !ok {
return nil, c.ArgErr()
}
c.TLS.Ciphers = append(c.TLS.Ciphers, value)
}
case "cache":
if !c.NextArg() {
return nil, c.ArgErr()
}
c.TLS.CacheSize, _ = strconv.Atoi(c.Val())
default:
return nil, c.ArgErr()
}
}
}
// If no Ciphers provided, use all caddy supportedCiphers
if len(c.TLS.Ciphers) == 0 {
for _, v := range supportedCiphers {
c.TLS.Ciphers = append(c.TLS.Ciphers, v)
}
}
// If no ProtocolMin provided, set default MinVersion to TLSv1.1 for security reasons
if c.TLS.ProtocolMinVersion == 0 {
c.TLS.ProtocolMinVersion = tls.VersionTLS11
}
//If no ProtocolMax provided, use crypto/tls default MaxVersion(tls1.2)
if c.TLS.ProtocolMaxVersion == 0 {
c.TLS.ProtocolMaxVersion = tls.VersionTLS12
}
//If no cachesize provided, set default to 64
if c.TLS.CacheSize == 0 {
c.TLS.CacheSize = 64
}
return nil, nil
}