From 1e27b5be8907021b44b307f216f6b86df5db1adc Mon Sep 17 00:00:00 2001
From: Pavel Pavlenko
Date: Sat, 19 Dec 2015 14:30:25 +0300
Subject: [PATCH] Remove ECDHE-RSA-3DES-EDE-CBC-SHA and RSA-3DES-EDE-CBC-SHA from the default TLS config
---
 caddy/setup/tls.go | 17 +++++++++++++----
 caddy/setup/tls_test.go | 6 ++----
 2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/caddy/setup/tls.go b/caddy/setup/tls.go
index abec2d523..79954de48 100644
--- a/caddy/setup/tls.go
+++ b/caddy/setup/tls.go
@@ -90,10 +90,7 @@ func TLS(c *Controller) (middleware.Middleware, error) {
 func SetDefaultTLSParams(c *server.Config) {
 // If no ciphers provided, use all that Caddy supports for the protocol
 if len(c.TLS.Ciphers) == 0 {
- c.TLS.Ciphers = supportedCiphers
-
- // Remove ECDHE-RSA-3DES-EDE-CBC-SHA and RSA-3DES-EDE-CBC-SHA from the default TLS config
- c.TLS.Ciphers = c.TLS.Ciphers[:len(c.TLS.Ciphers)-2]
+ c.TLS.Ciphers = defaultCiphers
 }
 
 // Not a cipher suite, but still important for mitigating protocol downgrade attacks
@@ -162,3 +159,15 @@ var supportedCiphers = []uint16{
 tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
 tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 }
+
+// List of all the ciphers we want to use by default
+var defaultCiphers = []uint16{
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+ tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+}
diff --git a/caddy/setup/tls_test.go b/caddy/setup/tls_test.go
index 629937016..8e2ececed 100644
--- a/caddy/setup/tls_test.go
+++ b/caddy/setup/tls_test.go
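Review bot: The new assignment `c.TLS.Ciphers = defaultCiphers` in SetDefaultTLSParams gives every config that takes the default the backing array of the package-level slice. That is safe only while `defaultCiphers` has no spare capacity, so that the append of TLS_FALLBACK_SCSV implied by the trailing context comment (the call itself is outside the hunk) reallocates; any in-place write to `c.TLS.Ciphers` would change the default for all configs. A copy removes that dependency: `c.TLS.Ciphers = append([]uint16(nil), defaultCiphers...)`. The context comment "use all that Caddy supports for the protocol" is also no longer accurate and should read along the lines of `// If no ciphers provided, use the default list`. The function body continues past the end of the hunk.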
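Review bot: `defaultCiphers` is a hand-maintained second list next to `supportedCiphers`, and nothing visible ties the two together, so a suite added to or reordered in one will silently not reach the other. The comment should record the policy, for example `// defaultCiphers lists, in preference order, the suites used when the config names none; the 3DES suites in supportedCiphers are deliberately left out.` The default still ends with the static-RSA suites `TLS_RSA_WITH_AES_256_CBC_SHA` and `TLS_RSA_WITH_AES_128_CBC_SHA`, which provide no forward secrecy; if they are kept for client compatibility, the comment should say so. The start of `supportedCiphers` is outside the hunk, so whether it holds suites other than these eight and the two 3DES entries cannot be checked here.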
@@ -42,15 +42,13 @@ func TestTLSParseBasic(t *testing.T) {
 tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 tls.TLS_RSA_WITH_AES_128_CBC_SHA,
- //tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- //tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 tls.TLS_FALLBACK_SCSV,
 }
 
 // Ensure count is correct (plus one for TLS_FALLBACK_SCSV)
- if len(c.TLS.Ciphers) != len(supportedCiphers)-1 {
+ if len(c.TLS.Ciphers) != len(defaultCiphers) {
 t.Errorf("Expected %v Ciphers (including TLS_FALLBACK_SCSV), got %v",
- len(supportedCiphers)-1, len(c.TLS.Ciphers))
+ len(defaultCiphers), len(c.TLS.Ciphers))
 }
 
 // Ensure ordering is correct
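Review bot: The count check now compares `len(c.TLS.Ciphers)` with `len(defaultCiphers)`, yet the comment above it and the error text both say the expected count includes TLS_FALLBACK_SCSV, and the expected list in this hunk ends with `tls.TLS_FALLBACK_SCSV`. If SetDefaultTLSParams appends that value to the defaults (the append is not visible in this patch), the configured list is one entry longer than `defaultCiphers`, and the condition should be `if len(c.TLS.Ciphers) != len(defaultCiphers)+1 {` with the same `+1` in the `t.Errorf` argument. TestTLSParseBasic begins and ends outside the hunk, so the controller input and the ordering loop are not visible here.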