Cutlery/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-11-04 03:27:23 -05:00
Code Issues Actions Packages Projects Releases Wiki Activity

tls: Enable TLS 1.3 by default; set sane defaults on tls.Config structs

Browse Source
This commit is contained in:
Matthew Holt 2019-07-01 11:47:46 -06:00
parent 9f8d3611eb
commit 533d1afb4b
2 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
modules/caddytls/connpolicy.go
View File

@ -132,6 +132,10 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
} }
tlsApp := tlsAppIface.(*TLS) tlsApp := tlsAppIface.(*TLS)
// fill in some "easy" default values, but for other values
// (such as slices), we should ensure that they start empty
// so the user-provided config can fill them in; then we will
// fill in a default config at the end if they are still unset
cfg := &tls.Config{ cfg := &tls.Config{
NextProtos: p.ALPN, NextProtos: p.ALPN,
PreferServerCipherSuites: true, PreferServerCipherSuites: true,
@ -210,11 +214,39 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
// TODO: client auth, and other fields // TODO: client auth, and other fields
setDefaultTLSParams(cfg)
p.stdTLSConfig = cfg p.stdTLSConfig = cfg
return nil return nil
} }
// setDefaultTLSParams sets the default TLS cipher suites, protocol versions,
// and server preferences of cfg if they are not already set; it does not
// overwrite values, only fills in missing values.
func setDefaultTLSParams(cfg *tls.Config) {
if len(cfg.CipherSuites) == 0 {
cfg.CipherSuites = getOptimalDefaultCipherSuites()
}
// Not a cipher suite, but still important for mitigating protocol downgrade attacks
// (prepend since having it at end breaks http2 due to non-h2-approved suites before it)
cfg.CipherSuites = append([]uint16{tls.TLS_FALLBACK_SCSV}, cfg.CipherSuites...)
if len(cfg.CurvePreferences) == 0 {
cfg.CurvePreferences = defaultCurves
}
if cfg.MinVersion == 0 {
cfg.MinVersion = tls.VersionTLS12
}
if cfg.MaxVersion == 0 {
cfg.MaxVersion = tls.VersionTLS13
}
cfg.PreferServerCipherSuites = true
}
// PublicKeyAlgorithm is a JSON-unmarshalable wrapper type. // PublicKeyAlgorithm is a JSON-unmarshalable wrapper type.
type PublicKeyAlgorithm x509.PublicKeyAlgorithm type PublicKeyAlgorithm x509.PublicKeyAlgorithm

8
modules/caddytls/tls.go
View File

@ -18,7 +18,9 @@ import (
"crypto/tls" "crypto/tls"
"encoding/json" "encoding/json"
"fmt" "fmt"
"log"
"net/http" "net/http"
"os"
"time" "time"
"github.com/caddyserver/caddy" "github.com/caddyserver/caddy"
@ -32,6 +34,12 @@ func init() {
Name: "tls", Name: "tls",
New: func() interface{} { return new(TLS) }, New: func() interface{} { return new(TLS) },
}) })
// opt-in TLS 1.3 for Go1.12
// TODO: remove this line when Go1.13 is released.
if err := os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1"); err != nil {
log.Println("[ERROR] failed to set environment variable: ", err)
}
} }
// TLS represents a process-wide TLS configuration. // TLS represents a process-wide TLS configuration.