changed based on review

1. exit AG is user defined cipher is invalid
2. updated changelog
3. golang naming tweaks

CHANGELOG.md

@@ -11,6 +11,15 @@ and this project adheres to
 
 ## [Unreleased]
 
+
+### Added
+
+- The new optional `tls.override_tls_ciphers` property list, which can be set in
+  the configuration file.  It allows overriding TLS Ciphers that are used for
+  https listeners ([#4925])
+
+[#4925]: https://github.com/AdguardTeam/AdGuardHome/issues/4925
+
 <!--
 ## [v0.108.0] - TBA (APPROX.)
 -->
@@ -24,15 +33,6 @@ See also the [v0.107.16 GitHub milestone][ms-v0.107.15].
 
 [ms-v0.107.16]:   https://github.com/AdguardTeam/AdGuardHome/milestone/52?closed=
 
-### Added
-
-- The new optional `tls.override_tls_ciphers` property list, which can be set in
-  the configuration file.  It allows overriding TLS Ciphers that are used for
-  https listeners ([#4925])
-
-[#4925]: https://github.com/AdguardTeam/AdGuardHome/issues/4925
-
-
 -->
 
 

internal/aghtls/aghtls.go

@@ -3,9 +3,7 @@ package aghtls
 
 import (
 	"crypto/tls"
-
+	"fmt"
-	"github.com/AdguardTeam/golibs/log"
-	"golang.org/x/exp/slices"
 )
 
 // SaferCipherSuites returns a set of default cipher suites with vulnerable and
@@ -35,15 +33,26 @@ func SaferCipherSuites() (safe []uint16) {
 }
 
 // ParseCipherIDs returns a set of cipher suites with the cipher names provided
-func ParseCipherIDs(ciphers []string) (userCiphers []uint16) {
+func ParseCipherIDs(ciphers []string) (userCiphers []uint16, err error) {
-	for _, s := range tls.CipherSuites() {
+	for _, cipher := range ciphers {
-		if slices.Contains(ciphers, s.Name) {
+		exists, cipherID := CipherExists(cipher)
-			userCiphers = append(userCiphers, s.ID)
+		if exists {
-			log.Debug("user specified cipher : %s, ID : %d", s.Name, s.ID)
+			userCiphers = append(userCiphers, cipherID)
 		} else {
-			log.Error("unknown cipher : %s ", s)
+			return nil, fmt.Errorf("unknown cipher : %s ", cipher)
 		}
 	}
 
-	return userCiphers
+	return userCiphers, nil
+}
+
+// CipherExists returns cipherid if exists, else return false in boolean
+func CipherExists(cipher string) (exists bool, cipherID uint16) {
+	for _, s := range tls.CipherSuites() {
+		if s.Name == cipher {
+			return true, s.ID
+		}
+	}
+
+	return false, 0
 }

internal/home/home.go

@@ -369,6 +369,11 @@ func initWeb(args options, clientBuildFS fs.FS) (web *Web, err error) {
 		}
 	}
 
+	tlsCiphers, err := getTLSCiphers()
+	if err != nil {
+		return nil, err
+	}
+
 	webConf := webConfig{
 		firstRun:     Context.firstRun,
 		BindHost:     config.BindHost,
@@ -383,7 +388,7 @@ func initWeb(args options, clientBuildFS fs.FS) (web *Web, err error) {
 		clientBetaFS: clientBetaFS,
 
 		serveHTTP3: config.DNS.ServeHTTP3,
-		tlsCiphers: getTLSCiphers(),
+		tlsCiphers: tlsCiphers,
 	}
 
 	web = newWeb(&webConf)
@@ -889,15 +894,13 @@ type jsonError struct {
 	Message string `json:"message"`
 }
 
-// getTLSCiphers check for overriden tls ciphers, if the slice is
+// getTLSCiphers check for overridden tls ciphers, if the slice is
 // empty, then default safe ciphers are used
-func getTLSCiphers() []uint16 {
+func getTLSCiphers() (cipherIds []uint16, err error) {
-	var cipher []uint16
-
 	if len(config.TLS.OverrideTLSCiphers) == 0 {
-		cipher = aghtls.SaferCipherSuites()
+		return aghtls.SaferCipherSuites(), nil
 	} else {
-		cipher = aghtls.ParseCipherIDs(config.TLS.OverrideTLSCiphers)
+		log.Info("Overriding TLS Ciphers : %s", config.TLS.OverrideTLSCiphers)
+		return aghtls.ParseCipherIDs(config.TLS.OverrideTLSCiphers)
 	}
-	return cipher
 }

internal/home/web.go

@@ -33,7 +33,6 @@ const (
 )
 
 type webConfig struct {
-
 	// Ciphers that are used for https listener
 	tlsCiphers []uint16