changes done as per review comments
This commit is contained in:
parent
24eb3476db
commit
15b19ff726
13
CHANGELOG.md
13
CHANGELOG.md
|
@ -22,9 +22,18 @@ and this project adheres to
|
||||||
|
|
||||||
See also the [v0.107.16 GitHub milestone][ms-v0.107.15].
|
See also the [v0.107.16 GitHub milestone][ms-v0.107.15].
|
||||||
|
|
||||||
[ms-v0.107.16]: https://github.com/AdguardTeam/AdGuardHome/milestone/52?closed=1
|
[ms-v0.107.16]: https://github.com/AdguardTeam/AdGuardHome/milestone/52?closed=
|
||||||
-->
|
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- The new optional `tls.override_tls_ciphers` property list, which can be set in
|
||||||
|
the configuration file. It allows overriding TLS Ciphers that are used for
|
||||||
|
https listeners ([#4925])
|
||||||
|
|
||||||
|
[#4925]: https://github.com/AdguardTeam/AdGuardHome/issues/4925
|
||||||
|
|
||||||
|
|
||||||
|
-->
|
||||||
|
|
||||||
|
|
||||||
## [v0.107.15] - 2022-10-03
|
## [v0.107.15] - 2022-10-03
|
||||||
|
|
|
@ -34,11 +34,14 @@ func SaferCipherSuites() (safe []uint16) {
|
||||||
return safe
|
return safe
|
||||||
}
|
}
|
||||||
|
|
||||||
func UserPreferredCipherSuites(ciphers []string) (userCiphers []uint16) {
|
// ParseCipherIDs returns a set of cipher suites with the cipher names provided
|
||||||
|
func ParseCipherIDs(ciphers []string) (userCiphers []uint16) {
|
||||||
for _, s := range tls.CipherSuites() {
|
for _, s := range tls.CipherSuites() {
|
||||||
if slices.Contains(ciphers, s.Name) {
|
if slices.Contains(ciphers, s.Name) {
|
||||||
userCiphers = append(userCiphers, s.ID)
|
userCiphers = append(userCiphers, s.ID)
|
||||||
log.Debug("user specified cipher : %s, ID : %d", s.Name, s.ID)
|
log.Debug("user specified cipher : %s, ID : %d", s.Name, s.ID)
|
||||||
|
} else {
|
||||||
|
log.Error("unknown cipher : %s ", s)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -166,8 +166,10 @@ type TLSConfig struct {
|
||||||
// DNS names from certificate (SAN) or CN value from Subject
|
// DNS names from certificate (SAN) or CN value from Subject
|
||||||
dnsNames []string
|
dnsNames []string
|
||||||
|
|
||||||
// ciphers specified by user
|
// OverrideTLSCiphers holds the cipher names. If the slice is empty
|
||||||
TLSCiphers []string `yaml:"tls_ciphers" json:"-"`
|
// default set of ciphers are used for https listener, else this is
|
||||||
|
// considered.
|
||||||
|
OverrideTLSCiphers []string `yaml:"override_tls_ciphers" json:"-"`
|
||||||
}
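Review bot: The doc comment on OverrideTLSCiphers is hard to parse ("else this is considered") and does not say what the strings are; suggest `// OverrideTLSCiphers is the list of TLS cipher suite names to use for the HTTPS listener.  If it is empty, the default safe cipher suites are used.` Since this hunk also renames the YAML key from `tls_ciphers` to `override_tls_ciphers`, a configuration file still carrying the old key would be silently ignored rather than rejected — this only matters if the old key ever shipped, which the changelog hunk on this page suggests it did not, but it is worth confirming.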
|
}
|
||||||
|
|
||||||
// DNSCryptConfig is the DNSCrypt server configuration struct.
|
// DNSCryptConfig is the DNSCrypt server configuration struct.
|
||||||
|
|
|
@ -383,7 +383,7 @@ func initWeb(args options, clientBuildFS fs.FS) (web *Web, err error) {
|
||||||
clientBetaFS: clientBetaFS,
|
clientBetaFS: clientBetaFS,
|
||||||
|
|
||||||
serveHTTP3: config.DNS.ServeHTTP3,
|
serveHTTP3: config.DNS.ServeHTTP3,
|
||||||
tlsCiphers: config.TLS.TLSCiphers,
|
tlsCiphers: getTLSCiphers(),
|
||||||
}
|
}
|
||||||
|
|
||||||
web = newWeb(&webConf)
|
web = newWeb(&webConf)
|
||||||
|
@ -888,3 +888,16 @@ type jsonError struct {
|
||||||
// Message is the error message, an opaque string.
|
// Message is the error message, an opaque string.
|
||||||
Message string `json:"message"`
|
Message string `json:"message"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// getTLSCiphers check for overriden tls ciphers, if the slice is
|
||||||
|
// empty, then default safe ciphers are used
|
||||||
|
func getTLSCiphers() []uint16 {
|
||||||
|
var cipher []uint16
|
||||||
|
|
||||||
|
if len(config.TLS.OverrideTLSCiphers) == 0 {
|
||||||
|
cipher = aghtls.SaferCipherSuites()
|
||||||
|
} else {
|
||||||
|
cipher = aghtls.ParseCipherIDs(config.TLS.OverrideTLSCiphers)
|
||||||
|
}
|
||||||
|
return cipher
|
||||||
|
}
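Review bot: getTLSCiphers does not check what aghtls.ParseCipherIDs returns, so when none of the configured names matches a supported suite the result is a nil slice, and a nil `tls.Config.CipherSuites` makes crypto/tls use its own default list rather than aghtls.SaferCipherSuites(); a typo in `override_tls_ciphers` therefore changes the listener's suites instead of keeping the safe set. Falling back to the safe set (or refusing to start) when the parsed slice is empty keeps the failure visible, and logging it tells the operator why the override was not honoured. The doc comment also has `overriden` for `overridden` and would read better as `// getTLSCiphers checks for overridden TLS ciphers; if the slice is empty, the default safe ciphers are used.` Rewritten body below.
```go
// getTLSCiphers checks for overridden TLS ciphers; if the slice is empty, the
// default safe ciphers are used.
func getTLSCiphers() []uint16 {
	if len(config.TLS.OverrideTLSCiphers) == 0 {
		return aghtls.SaferCipherSuites()
	}

	cipher := aghtls.ParseCipherIDs(config.TLS.OverrideTLSCiphers)
	if len(cipher) == 0 {
		// None of the configured names matched a supported suite; keep the
		// safe set rather than letting crypto/tls fall back to its own list.
		log.Error("web: no supported cipher in override_tls_ciphers, using the safe default set")

		return aghtls.SaferCipherSuites()
	}

	return cipher
}
```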
|
||||||
|
|
|
@ -11,7 +11,6 @@ import (
|
||||||
|
|
||||||
"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
|
"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
|
||||||
"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
|
"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
|
||||||
"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
|
|
||||||
"github.com/AdguardTeam/golibs/errors"
|
"github.com/AdguardTeam/golibs/errors"
|
||||||
"github.com/AdguardTeam/golibs/log"
|
"github.com/AdguardTeam/golibs/log"
|
||||||
"github.com/AdguardTeam/golibs/netutil"
|
"github.com/AdguardTeam/golibs/netutil"
|
||||||
|
@ -34,6 +33,10 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
type webConfig struct {
|
type webConfig struct {
|
||||||
|
|
||||||
|
// Ciphers that are used for https listener
|
||||||
|
tlsCiphers []uint16
|
||||||
|
|
||||||
clientFS fs.FS
|
clientFS fs.FS
|
||||||
clientBetaFS fs.FS
|
clientBetaFS fs.FS
|
||||||
|
|
||||||
|
@ -57,9 +60,6 @@ type webConfig struct {
|
||||||
firstRun bool
|
firstRun bool
|
||||||
|
|
||||||
serveHTTP3 bool
|
serveHTTP3 bool
|
||||||
|
|
||||||
// ciphers specified by user
|
|
||||||
tlsCiphers []string
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// httpsServer contains the data for the HTTPS server.
|
// httpsServer contains the data for the HTTPS server.
|
||||||
|
@ -291,14 +291,6 @@ func (web *Web) tlsServerLoop() {
|
||||||
|
|
||||||
web.httpsServer.cond.L.Unlock()
|
web.httpsServer.cond.L.Unlock()
|
||||||
|
|
||||||
var cipher []uint16
|
|
||||||
|
|
||||||
if len(web.conf.tlsCiphers) == 0 {
|
|
||||||
cipher = aghtls.SaferCipherSuites()
|
|
||||||
} else {
|
|
||||||
cipher = aghtls.UserPreferredCipherSuites(web.conf.tlsCiphers)
|
|
||||||
}
|
|
||||||
|
|
||||||
addr := netutil.JoinHostPort(web.conf.BindHost.String(), web.conf.PortHTTPS)
|
addr := netutil.JoinHostPort(web.conf.BindHost.String(), web.conf.PortHTTPS)
|
||||||
web.httpsServer.server = &http.Server{
|
web.httpsServer.server = &http.Server{
|
||||||
ErrorLog: log.StdLog("web: https", log.DEBUG),
|
ErrorLog: log.StdLog("web: https", log.DEBUG),
|
||||||
|
@ -306,7 +298,7 @@ func (web *Web) tlsServerLoop() {
|
||||||
TLSConfig: &tls.Config{
|
TLSConfig: &tls.Config{
|
||||||
Certificates: []tls.Certificate{web.httpsServer.cert},
|
Certificates: []tls.Certificate{web.httpsServer.cert},
|
||||||
RootCAs: Context.tlsRoots,
|
RootCAs: Context.tlsRoots,
|
||||||
CipherSuites: cipher,
|
CipherSuites: web.conf.tlsCiphers,
|
||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
},
|
},
|
||||||
Handler: withMiddlewares(Context.mux, limitRequestBody),
|
Handler: withMiddlewares(Context.mux, limitRequestBody),
|
||||||
|
@ -318,7 +310,7 @@ func (web *Web) tlsServerLoop() {
|
||||||
printHTTPAddresses(aghhttp.SchemeHTTPS)
|
printHTTPAddresses(aghhttp.SchemeHTTPS)
|
||||||
|
|
||||||
if web.conf.serveHTTP3 {
|
if web.conf.serveHTTP3 {
|
||||||
go web.mustStartHTTP3(addr, cipher)
|
go web.mustStartHTTP3(addr)
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Debug("web: starting https server")
|
log.Debug("web: starting https server")
|
||||||
|
@ -330,7 +322,7 @@ func (web *Web) tlsServerLoop() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (web *Web) mustStartHTTP3(address string, ciphers []uint16) {
|
func (web *Web) mustStartHTTP3(address string) {
|
||||||
defer log.OnPanic("web: http3")
|
defer log.OnPanic("web: http3")
|
||||||
|
|
||||||
web.httpsServer.server3 = &http3.Server{
|
web.httpsServer.server3 = &http3.Server{
|
||||||
|
@ -340,7 +332,7 @@ func (web *Web) mustStartHTTP3(address string, ciphers []uint16) {
|
||||||
TLSConfig: &tls.Config{
|
TLSConfig: &tls.Config{
|
||||||
Certificates: []tls.Certificate{web.httpsServer.cert},
|
Certificates: []tls.Certificate{web.httpsServer.cert},
|
||||||
RootCAs: Context.tlsRoots,
|
RootCAs: Context.tlsRoots,
|
||||||
CipherSuites: ciphers,
|
CipherSuites: web.conf.tlsCiphers,
|
||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
},
|
},
|
||||||
Handler: withMiddlewares(Context.mux, limitRequestBody),
|
Handler: withMiddlewares(Context.mux, limitRequestBody),
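Review bot: `CipherSuites: web.conf.tlsCiphers` in the http3.Server TLS config does not restrict what this listener negotiates: HTTP/3 runs over QUIC, which requires TLS 1.3, and crypto/tls applies `tls.Config.CipherSuites` only to TLS 1.2 and earlier (the TLS 1.3 suites are not configurable). The override therefore only governs the TCP HTTPS listener built in tlsServerLoop, which is worth stating so an operator does not assume the HTTP/3 listener is restricted as well. Suggest `// CipherSuites only affects TLS 1.2; HTTP/3 is TLS 1.3-only, so the override does not apply here.` on that line. The enclosing mustStartHTTP3 body continues past the end of the hunk.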
|
||||||
|
|