added support for User prefered Ciphers

2022-09-22 08:28:46 +05:30 · 2022-09-22 08:28:46 +05:30 · 59d18c6598
parent 91bbb744dc
commit 59d18c6598
4 changed files with 32 additions and 2 deletions
--- a/internal/aghtls/aghtls.go
+++ b/internal/aghtls/aghtls.go
@ -1,7 +1,12 @@
 // Package aghtls contains utilities for work with TLS.
 package aghtls

-import "crypto/tls"
+import (
+	"crypto/tls"
+
+	"github.com/AdguardTeam/golibs/log"
+	"golang.org/x/exp/slices"
+)

 // SaferCipherSuites returns a set of default cipher suites with vulnerable and
 // weak cipher suites removed.
@ -28,3 +33,14 @@ func SaferCipherSuites() (safe []uint16) {

 	return safe
 }
+
+func UserPreferedCipherSuites(ciphers []string) (userCiphers []uint16) {
+	for _, s := range tls.CipherSuites() {
+		if slices.Contains(ciphers, s.Name) {
+			userCiphers = append(userCiphers, s.ID)
+			log.Debug("user specified cipher : %s, ID : %d", s.Name, s.ID)
+		}
+	}
+
+	return userCiphers
+}
--- a/internal/dnsforward/config.go
+++ b/internal/dnsforward/config.go
@ -165,6 +165,9 @@ type TLSConfig struct {
 	cert tls.Certificate
 	// DNS names from certificate (SAN) or CN value from Subject
 	dnsNames []string
+
+	// ciphers specified by user
+	TLSCiphers []string `yaml:"tls_ciphers" json:"-"`
 }

 // DNSCryptConfig is the DNSCrypt server configuration struct.
--- a/internal/home/home.go
+++ b/internal/home/home.go
@ -366,6 +366,7 @@ func initWeb(args options, clientBuildFS fs.FS) (web *Web, err error) {

 		clientFS:     clientFS,
 		clientBetaFS: clientBetaFS,
+		tlsCiphers:   config.TLS.TLSCiphers,
 	}

 	web = CreateWeb(&webConf)
--- a/internal/home/web.go
+++ b/internal/home/web.go
@ -58,6 +58,9 @@ type webConfig struct {
 	WriteTimeout time.Duration

 	firstRun bool
+
+	// ciphers specified by user
+	tlsCiphers []string
 }

 // HTTPSServer - HTTPS Server
@ -269,6 +272,13 @@ func (web *Web) tlsServerLoop() {

 		web.httpsServer.cond.L.Unlock()

+		var cipher []uint16
+
+		if len(web.conf.tlsCiphers) == 0 {
+			cipher = aghtls.SaferCipherSuites()
+		} else {
+			cipher = aghtls.UserPreferedCipherSuites(web.conf.tlsCiphers)
+		}
 		// prepare HTTPS server
 		address := netutil.JoinHostPort(web.conf.BindHost.String(), web.conf.PortHTTPS)
 		web.httpsServer.server = &http.Server{
@ -277,7 +287,7 @@ func (web *Web) tlsServerLoop() {
 			TLSConfig: &tls.Config{
 				Certificates: []tls.Certificate{web.httpsServer.cert},
 				RootCAs:      Context.tlsRoots,
-				CipherSuites: aghtls.SaferCipherSuites(),
+				CipherSuites: cipher,
 				MinVersion:   tls.VersionTLS12,
 			},
 			Handler:           withMiddlewares(Context.mux, limitRequestBody),