USEFULL/gogs
1
0
Fork 0
mirror of https://github.com/gogs/gogs.git synced 2025-05-24 16:30:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

tls: update default CurvePreferences and CipherSuites (#5850)

Browse Source 
* Enable X25519 curve and reorder curve list to improve key exchange performance
* Enable ECDSA ciphers for EC certs
* Enable CHACHA20_POLY1305 ciphers
* Disable RSA key exchange algorithm which don't provide PFS
* Disable non-AEAD ciphers

Signed-off-by: Kasei Wang <kasei@kasei.im>
This commit is contained in:
Kasei 2019-11-06 15:09:29 +08:00 committed by Unknwon
parent 9578a3cc31
commit dbc66d0405
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
internal/cmd/web.go
View File

@ -719,13 +719,15 @@ func runWeb(c *cli.Context) error {
} }
server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{ server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{
MinVersion: tlsMinVersion, MinVersion: tlsMinVersion,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384, tls.CurveP521},
PreferServerCipherSuites: true, PreferServerCipherSuites: true,
CipherSuites: []uint16{ CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // Required for HTTP/2 support. tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}, },
}, Handler: m} }, Handler: m}
err = server.ListenAndServeTLS(setting.CertFile, setting.KeyFile) err = server.ListenAndServeTLS(setting.CertFile, setting.KeyFile)