mirror of https://github.com/caddyserver/caddy.git
tls: Enable TLS 1.3 by default; set sane defaults on tls.Config structs
This commit is contained in:
Matthew Holt
parent
9f8d3611eb
commit
533d1afb4b
|
|
@ -132,6 +132,10 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
|
||||||
}
|
}
|
||||||
tlsApp := tlsAppIface.(*TLS)
|
tlsApp := tlsAppIface.(*TLS)
|
||||||
|
|
||||||
|
// fill in some "easy" default values, but for other values
|
||||||
|
// (such as slices), we should ensure that they start empty
|
||||||
|
// so the user-provided config can fill them in; then we will
|
||||||
|
// fill in a default config at the end if they are still unset
|
||||||
cfg := &tls.Config{
|
cfg := &tls.Config{
|
||||||
NextProtos: p.ALPN,
|
NextProtos: p.ALPN,
|
||||||
PreferServerCipherSuites: true,
|
PreferServerCipherSuites: true,
|
||||||
|
|
@ -210,11 +214,39 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
|
||||||
|
|
||||||
// TODO: client auth, and other fields
|
// TODO: client auth, and other fields
|
||||||
|
|
||||||
|
setDefaultTLSParams(cfg)
|
||||||
|
|
||||||
p.stdTLSConfig = cfg
|
p.stdTLSConfig = cfg
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// setDefaultTLSParams sets the default TLS cipher suites, protocol versions,
|
||||||
|
// and server preferences of cfg if they are not already set; it does not
|
||||||
|
// overwrite values, only fills in missing values.
|
||||||
|
func setDefaultTLSParams(cfg *tls.Config) {
|
||||||
|
if len(cfg.CipherSuites) == 0 {
|
||||||
|
cfg.CipherSuites = getOptimalDefaultCipherSuites()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Not a cipher suite, but still important for mitigating protocol downgrade attacks
|
||||||
|
// (prepend since having it at end breaks http2 due to non-h2-approved suites before it)
|
||||||
|
cfg.CipherSuites = append([]uint16{tls.TLS_FALLBACK_SCSV}, cfg.CipherSuites...)
|
||||||
|
|
||||||
|
if len(cfg.CurvePreferences) == 0 {
|
||||||
|
cfg.CurvePreferences = defaultCurves
|
||||||
|
}
|
||||||
|
|
||||||
|
if cfg.MinVersion == 0 {
|
||||||
|
cfg.MinVersion = tls.VersionTLS12
|
||||||
|
}
|
||||||
|
if cfg.MaxVersion == 0 {
|
||||||
|
cfg.MaxVersion = tls.VersionTLS13
|
||||||
|
}
|
||||||
|
|
||||||
|
cfg.PreferServerCipherSuites = true
|
||||||
|
}
|
||||||
|
|
||||||
// PublicKeyAlgorithm is a JSON-unmarshalable wrapper type.
|
// PublicKeyAlgorithm is a JSON-unmarshalable wrapper type.
|
||||||
type PublicKeyAlgorithm x509.PublicKeyAlgorithm
|
type PublicKeyAlgorithm x509.PublicKeyAlgorithm
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -18,7 +18,9 @@ import (
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"log"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"os"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/caddyserver/caddy"
|
"github.com/caddyserver/caddy"
|
||||||
|
|
@ -32,6 +34,12 @@ func init() {
|
||||||
Name: "tls",
|
Name: "tls",
|
||||||
New: func() interface{} { return new(TLS) },
|
New: func() interface{} { return new(TLS) },
|
||||||
})
|
})
|
||||||
|
|
||||||
|
// opt-in TLS 1.3 for Go1.12
|
||||||
|
// TODO: remove this line when Go1.13 is released.
|
||||||
|
if err := os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1"); err != nil {
|
||||||
|
log.Println("[ERROR] failed to set environment variable: ", err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// TLS represents a process-wide TLS configuration.
|
// TLS represents a process-wide TLS configuration.
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue