author | Daniel Schalla <daniel@schalla.me> | 2018-10-16 16:51:46 +0200 |
---|---|---|
committer | Christopher Speller <crspeller@gmail.com> | 2018-10-16 07:51:46 -0700 |
commit | 557fd9ea187b1279b43ff63b94fedf2320aa3351 (patch) | |
tree | 463fdbd5aefba8f94a61fb1338bf5e7bd123a5f6 /app/server.go | |
parent | cedf6488e4d4d66c186facb4253513b1f7e775c6 (diff) | |
Set default ciphers, set tls 1.2 via config, set curve prefs (#9315)
Config Checks at StartUp Part1
Config Checks; Tests for TLS Server
HSTS header implementation + tests
make gofmt happy with new go version...
make gofmt happy with new go version #2...
fix logic bug
fix typo
Fix unnecessary code block
Diffstat (limited to 'app/server.go')
-rw-r--r-- | app/server.go | 65 |
1 files changed, 57 insertions, 8 deletions
diff --git a/app/server.go b/app/server.go
index debb6764f..b95059c84 100644
--- a/app/server.go
+++ b/app/server.go
@@ -46,7 +46,7 @@ type Server struct {
 	didFinishListen chan struct{}
 }
 
-var corsAllowedMethods []string = []string{
+var corsAllowedMethods = []string{
 	"POST",
 	"GET",
 	"OPTIONS",
@@ -199,26 +199,75 @@ func (a *App) StartServer() error { go func() { var err error if *a.Config().ServiceSettings.ConnectionSecurity == model.CONN_SECURITY_TLS { - if *a.Config().ServiceSettings.UseLetsEncrypt { - tlsConfig := &tls.Config{ - GetCertificate: m.GetCertificate, + tlsConfig := &tls.Config{ + PreferServerCipherSuites: true, + CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, + } + + switch *a.Config().ServiceSettings.TLSMinVer { + case "1.0": + tlsConfig.MinVersion = tls.VersionTLS10 + case "1.1": + tlsConfig.MinVersion = tls.VersionTLS11 + default: + tlsConfig.MinVersion = tls.VersionTLS12 + } + + defaultCiphers := []uint16{ + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_RSA_WITH_AES_256_GCM_SHA384, + } + + if len(a.Config().ServiceSettings.TLSOverwriteCiphers) == 0 { + tlsConfig.CipherSuites = defaultCiphers + } else { + var cipherSuites []uint16 + for _, cipher := range a.Config().ServiceSettings.TLSOverwriteCiphers { + value, ok := model.ServerTLSSupportedCiphers[cipher] + + if !ok { + mlog.Warn("Unsupported cipher passed", mlog.String("cipher", cipher)) + continue + } + + cipherSuites = append(cipherSuites, value) } - tlsConfig.NextProtos = append(tlsConfig.NextProtos, "h2") + if len(cipherSuites) == 0 { + mlog.Warn("No supported ciphers passed, fallback to default cipher suite") + cipherSuites = defaultCiphers + } + + tlsConfig.CipherSuites = cipherSuites + } + + certFile := "" + keyFile := "" - a.Srv.Server.TLSConfig = tlsConfig - err = a.Srv.Server.ServeTLS(listener, "", "") + if *a.Config().ServiceSettings.UseLetsEncrypt { + tlsConfig.GetCertificate = m.GetCertificate + tlsConfig.NextProtos = append(tlsConfig.NextProtos, "h2") } else { - err = a.Srv.Server.ServeTLS(listener, *a.Config().ServiceSettings.TLSCertFile, 
*a.Config().ServiceSettings.TLSKeyFile) + certFile = *a.Config().ServiceSettings.TLSCertFile + keyFile = *a.Config().ServiceSettings.TLSKeyFile } + + a.Srv.Server.TLSConfig = tlsConfig + err = a.Srv.Server.ServeTLS(listener, certFile, keyFile) } else { err = a.Srv.Server.Serve(listener) } + if err != nil && err != http.ErrServerClosed { mlog.Critical(fmt.Sprintf("Error starting server, err:%v", err)) time.Sleep(time.Second) } + close(a.Srv.didFinishListen) }() |
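Review bot: The default cipher list built in this hunk ends with `tls.TLS_RSA_WITH_AES_128_GCM_SHA256` and `tls.TLS_RSA_WITH_AES_256_GCM_SHA384`, which use static RSA key exchange and therefore give no forward secrecy, and `CurvePreferences` puts P-521 first while leaving out `tls.X25519` entirely, which slows handshakes and excludes the curve most current clients prefer; unless non-ECDHE clients must be served (in which case a comment on `defaultCiphers` should say so), I would drop those two suites and use `CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384},`. The `len(cipherSuites) == 0` fallback also silently widens an operator's explicit `TLSOverwriteCiphers` restriction back to the defaults after only a warning; refusing to start, or at least logging at error level, would make a misconfigured allow-list visible instead of quietly permissive. The `switch` on `TLSMinVer` maps every unrecognised value, typos included, to 1.2, which is the safe direction, but a warning in the `default` branch would help operators notice a setting that is not being honoured. StartServer begins before this hunk and continues after the goroutine's closing `}()`.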