Merge: + DNS, Web: use only secure TLSv1.2 ciphers
Close #1384
Squashed commit of the following:
commit cd90abcce573a8e930446ba153565e553e6b81d5
Author: Simon Zolin <s.zolin@adguard.com>
Date: Fri Mar 20 19:17:53 2020 +0300
minor
commit a1914c5f41425e82cdedc9716bce84470afab65b
Merge: 72c53673 c8285c41
Author: Simon Zolin <s.zolin@adguard.com>
Date: Fri Mar 20 19:17:21 2020 +0300
Merge remote-tracking branch 'origin/master' into 1384-tls12-ciphers
commit 72c536737e0502bb397562ade47aedb9f2ae4494
Author: Simon Zolin <s.zolin@adguard.com>
Date: Wed Mar 4 18:16:24 2020 +0300
+ DNS, Web: use only secure TLSv1.2 ciphers
This commit is contained in:
parent
c8285c41d7
commit
06b3378fd7
|
@ -186,6 +186,7 @@ type ServerConfig struct {
|
||||||
TLSAllowUnencryptedDOH bool
|
TLSAllowUnencryptedDOH bool
|
||||||
|
|
||||||
TLSv12Roots *x509.CertPool // list of root CAs for TLSv1.2
|
TLSv12Roots *x509.CertPool // list of root CAs for TLSv1.2
|
||||||
|
TLSCiphers []uint16 // list of TLS ciphers to use
|
||||||
|
|
||||||
// Called when the configuration is changed by HTTP request
|
// Called when the configuration is changed by HTTP request
|
||||||
ConfigModified func()
|
ConfigModified func()
|
||||||
|
@ -348,6 +349,7 @@ func (s *Server) Prepare(config *ServerConfig) error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
upstream.RootCAs = s.conf.TLSv12Roots
|
upstream.RootCAs = s.conf.TLSv12Roots
|
||||||
|
upstream.CipherSuites = s.conf.TLSCiphers
|
||||||
|
|
||||||
if len(proxyConfig.Upstreams) == 0 {
|
if len(proxyConfig.Upstreams) == 0 {
|
||||||
log.Fatal("len(proxyConfig.Upstreams) == 0")
|
log.Fatal("len(proxyConfig.Upstreams) == 0")
|
||||||
|
|
|
@ -172,6 +172,7 @@ func generateServerConfig() dnsforward.ServerConfig {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
newconfig.TLSv12Roots = Context.tlsRoots
|
newconfig.TLSv12Roots = Context.tlsRoots
|
||||||
|
newconfig.TLSCiphers = Context.tlsCiphers
|
||||||
newconfig.TLSAllowUnencryptedDOH = tlsConf.AllowUnencryptedDOH
|
newconfig.TLSAllowUnencryptedDOH = tlsConf.AllowUnencryptedDOH
|
||||||
|
|
||||||
newconfig.FilterHandler = applyAdditionalFiltering
|
newconfig.FilterHandler = applyAdditionalFiltering
|
||||||
|
|
|
@ -80,6 +80,7 @@ type homeContext struct {
|
||||||
disableUpdate bool // If set, don't check for updates
|
disableUpdate bool // If set, don't check for updates
|
||||||
controlLock sync.Mutex
|
controlLock sync.Mutex
|
||||||
tlsRoots *x509.CertPool // list of root CAs for TLSv1.2
|
tlsRoots *x509.CertPool // list of root CAs for TLSv1.2
|
||||||
|
tlsCiphers []uint16 // list of TLS ciphers to use
|
||||||
transport *http.Transport
|
transport *http.Transport
|
||||||
client *http.Client
|
client *http.Client
|
||||||
appSignalChannel chan os.Signal // Channel for receiving OS signals by the console app
|
appSignalChannel chan os.Signal // Channel for receiving OS signals by the console app
|
||||||
|
@ -174,6 +175,7 @@ func run(args options) {
|
||||||
initConfig()
|
initConfig()
|
||||||
|
|
||||||
Context.tlsRoots = util.LoadSystemRootCAs()
|
Context.tlsRoots = util.LoadSystemRootCAs()
|
||||||
|
Context.tlsCiphers = util.InitTLSCiphers()
|
||||||
Context.transport = &http.Transport{
|
Context.transport = &http.Transport{
|
||||||
DialContext: customDialContext,
|
DialContext: customDialContext,
|
||||||
Proxy: getHTTPProxy,
|
Proxy: getHTTPProxy,
|
||||||
|
|
|
@ -176,6 +176,7 @@ func (w *Web) httpServerLoop() {
|
||||||
Certificates: []tls.Certificate{w.httpsServer.cert},
|
Certificates: []tls.Certificate{w.httpsServer.cert},
|
||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
RootCAs: Context.tlsRoots,
|
RootCAs: Context.tlsRoots,
|
||||||
|
CipherSuites: Context.tlsCiphers,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
50
util/tls.go
50
util/tls.go
|
@ -1,12 +1,14 @@
|
||||||
package util
|
package util
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/tls"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
"runtime"
|
"runtime"
|
||||||
|
|
||||||
"github.com/AdguardTeam/golibs/log"
|
"github.com/AdguardTeam/golibs/log"
|
||||||
|
"golang.org/x/sys/cpu"
|
||||||
)
|
)
|
||||||
|
|
||||||
// LoadSystemRootCAs - load root CAs from the system
|
// LoadSystemRootCAs - load root CAs from the system
|
||||||
|
@ -45,3 +47,51 @@ func LoadSystemRootCAs() *x509.CertPool {
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// InitTLSCiphers - the same as initDefaultCipherSuites() from src/crypto/tls/common.go
|
||||||
|
// but with the difference that we don't use so many other default ciphers.
|
||||||
|
func InitTLSCiphers() []uint16 {
|
||||||
|
var ciphers []uint16
|
||||||
|
|
||||||
|
// Check the cpu flags for each platform that has optimized GCM implementations.
|
||||||
|
// Worst case, these variables will just all be false.
|
||||||
|
var (
|
||||||
|
hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
|
||||||
|
hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
|
||||||
|
// Keep in sync with crypto/aes/cipher_s390x.go.
|
||||||
|
hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
|
||||||
|
|
||||||
|
hasGCMAsm = hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
|
||||||
|
)
|
||||||
|
|
||||||
|
if hasGCMAsm {
|
||||||
|
// If AES-GCM hardware is provided then prioritise AES-GCM
|
||||||
|
// cipher suites.
|
||||||
|
ciphers = []uint16{
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// Without AES-GCM hardware, we put the ChaCha20-Poly1305
|
||||||
|
// cipher suites first.
|
||||||
|
ciphers = []uint16{
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
otherCiphers := []uint16{
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||||||
|
}
|
||||||
|
ciphers = append(ciphers, otherCiphers...)
|
||||||
|
return ciphers
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue