added support for User prefered Ciphers

This commit is contained in:
Rahul Somasundaram 2022-09-22 08:28:46 +05:30
parent 91bbb744dc
commit 59d18c6598
No known key found for this signature in database
GPG Key ID: AA8F0B27E83147BD
4 changed files with 32 additions and 2 deletions

View File

@ -1,7 +1,12 @@
// Package aghtls contains utilities for work with TLS.
package aghtls
import "crypto/tls"
import (
"crypto/tls"
"github.com/AdguardTeam/golibs/log"
"golang.org/x/exp/slices"
)
// SaferCipherSuites returns a set of default cipher suites with vulnerable and
// weak cipher suites removed.
@ -28,3 +33,14 @@ func SaferCipherSuites() (safe []uint16) {
return safe
}
func UserPreferedCipherSuites(ciphers []string) (userCiphers []uint16) {
for _, s := range tls.CipherSuites() {
if slices.Contains(ciphers, s.Name) {
userCiphers = append(userCiphers, s.ID)
log.Debug("user specified cipher : %s, ID : %d", s.Name, s.ID)
}
}
return userCiphers
}

View File

@ -165,6 +165,9 @@ type TLSConfig struct {
cert tls.Certificate
// DNS names from certificate (SAN) or CN value from Subject
dnsNames []string
// ciphers specified by user
TLSCiphers []string `yaml:"tls_ciphers" json:"-"`
}
// DNSCryptConfig is the DNSCrypt server configuration struct.

View File

@ -366,6 +366,7 @@ func initWeb(args options, clientBuildFS fs.FS) (web *Web, err error) {
clientFS: clientFS,
clientBetaFS: clientBetaFS,
tlsCiphers: config.TLS.TLSCiphers,
}
web = CreateWeb(&webConf)

View File

@ -58,6 +58,9 @@ type webConfig struct {
WriteTimeout time.Duration
firstRun bool
// ciphers specified by user
tlsCiphers []string
}
// HTTPSServer - HTTPS Server
@ -269,6 +272,13 @@ func (web *Web) tlsServerLoop() {
web.httpsServer.cond.L.Unlock()
var cipher []uint16
if len(web.conf.tlsCiphers) == 0 {
cipher = aghtls.SaferCipherSuites()
} else {
cipher = aghtls.UserPreferedCipherSuites(web.conf.tlsCiphers)
}
// prepare HTTPS server
address := netutil.JoinHostPort(web.conf.BindHost.String(), web.conf.PortHTTPS)
web.httpsServer.server = &http.Server{
@ -277,7 +287,7 @@ func (web *Web) tlsServerLoop() {
TLSConfig: &tls.Config{
Certificates: []tls.Certificate{web.httpsServer.cert},
RootCAs: Context.tlsRoots,
CipherSuites: aghtls.SaferCipherSuites(),
CipherSuites: cipher,
MinVersion: tls.VersionTLS12,
},
Handler: withMiddlewares(Context.mux, limitRequestBody),