From b6c4178f0ab7c49abd6e795708beddaf7b766137 Mon Sep 17 00:00:00 2001 From: Pavel Pavlenko Date: Wed, 9 Dec 2015 11:10:55 +0300 Subject: [PATCH 1/4] Remove ECDHE-RSA-3DES-EDE-CBC-SHA and RSA-3DES-EDE-CBC-SHA from the default TLS config --- caddy/setup/tls.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/caddy/setup/tls.go b/caddy/setup/tls.go index 4e5f7f9d2..abec2d523 100644 --- a/caddy/setup/tls.go +++ b/caddy/setup/tls.go @@ -91,6 +91,9 @@ func SetDefaultTLSParams(c *server.Config) { // If no ciphers provided, use all that Caddy supports for the protocol if len(c.TLS.Ciphers) == 0 { c.TLS.Ciphers = supportedCiphers + + // Remove ECDHE-RSA-3DES-EDE-CBC-SHA and RSA-3DES-EDE-CBC-SHA from the default TLS config + c.TLS.Ciphers = c.TLS.Ciphers[:len(c.TLS.Ciphers)-2] } // Not a cipher suite, but still important for mitigating protocol downgrade attacks From e4ff77ed079a2a993b389097ff8dca259ea70404 Mon Sep 17 00:00:00 2001 From: Pavel Pavlenko Date: Wed, 9 Dec 2015 11:27:59 +0300 Subject: [PATCH 2/4] fix tls_test.go --- caddy/setup/tls_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/caddy/setup/tls_test.go b/caddy/setup/tls_test.go index fdea1e0c7..629937016 100644 --- a/caddy/setup/tls_test.go +++ b/caddy/setup/tls_test.go @@ -42,15 +42,15 @@ func TestTLSParseBasic(t *testing.T) { tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_256_CBC_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA, - tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, - tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, + //tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + //tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, tls.TLS_FALLBACK_SCSV, } // Ensure count is correct (plus one for TLS_FALLBACK_SCSV) - if len(c.TLS.Ciphers) != len(supportedCiphers)+1 { + if len(c.TLS.Ciphers) != len(supportedCiphers)-1 { t.Errorf("Expected %v Ciphers (including TLS_FALLBACK_SCSV), got %v", - len(supportedCiphers)+1, len(c.TLS.Ciphers)) + len(supportedCiphers)-1, len(c.TLS.Ciphers)) } // Ensure ordering is correct From 1e27b5be8907021b44b307f216f6b86df5db1adc Mon Sep 17 00:00:00 2001 From: Pavel Pavlenko Date: Sat, 19 Dec 2015 14:30:25 +0300 Subject: [PATCH 3/4] Remove ECDHE-RSA-3DES-EDE-CBC-SHA and RSA-3DES-EDE-CBC-SHA from the default TLS config --- caddy/setup/tls.go | 17 +++++++++++++---- caddy/setup/tls_test.go | 6 ++---- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/caddy/setup/tls.go b/caddy/setup/tls.go index abec2d523..79954de48 100644 --- a/caddy/setup/tls.go +++ b/caddy/setup/tls.go @@ -90,10 +90,7 @@ func TLS(c *Controller) (middleware.Middleware, error) { func SetDefaultTLSParams(c *server.Config) { // If no ciphers provided, use all that Caddy supports for the protocol if len(c.TLS.Ciphers) == 0 { - c.TLS.Ciphers = supportedCiphers - - // Remove ECDHE-RSA-3DES-EDE-CBC-SHA and RSA-3DES-EDE-CBC-SHA from the default TLS config - c.TLS.Ciphers = c.TLS.Ciphers[:len(c.TLS.Ciphers)-2] + c.TLS.Ciphers = defaultCiphers } // Not a cipher suite, but still important for mitigating protocol downgrade attacks @@ -162,3 +159,15 @@ var supportedCiphers = []uint16{ tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, } + +// List of all the ciphers we want to use by default +var defaultCiphers = []uint16{ + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + tls.TLS_RSA_WITH_AES_256_CBC_SHA, + tls.TLS_RSA_WITH_AES_128_CBC_SHA, +} diff --git a/caddy/setup/tls_test.go b/caddy/setup/tls_test.go index 629937016..8e2ececed 100644 --- a/caddy/setup/tls_test.go +++ b/caddy/setup/tls_test.go @@ -42,15 +42,13 @@ func TestTLSParseBasic(t *testing.T) { tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_256_CBC_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA, - //tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, - //tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, tls.TLS_FALLBACK_SCSV, } // Ensure count is correct (plus one for TLS_FALLBACK_SCSV) - if len(c.TLS.Ciphers) != len(supportedCiphers)-1 { + if len(c.TLS.Ciphers) != len(defaultCiphers) { t.Errorf("Expected %v Ciphers (including TLS_FALLBACK_SCSV), got %v", - len(supportedCiphers)-1, len(c.TLS.Ciphers)) + len(defaultCiphers), len(c.TLS.Ciphers)) } // Ensure ordering is correct From 3dd4c0eb6a34e6fe0929296bd908fa7b31662406 Mon Sep 17 00:00:00 2001 From: Pavel Pavlenko Date: Sat, 19 Dec 2015 14:37:38 +0300 Subject: [PATCH 4/4] Fix TestTLSParseBasic --- caddy/setup/tls_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/caddy/setup/tls_test.go b/caddy/setup/tls_test.go index 8e2ececed..e2d2e0155 100644 --- a/caddy/setup/tls_test.go +++ b/caddy/setup/tls_test.go @@ -46,9 +46,9 @@ func TestTLSParseBasic(t *testing.T) { } // Ensure count is correct (plus one for TLS_FALLBACK_SCSV) - if len(c.TLS.Ciphers) != len(defaultCiphers) { + if len(c.TLS.Ciphers) != len(expectedCiphers) { t.Errorf("Expected %v Ciphers (including TLS_FALLBACK_SCSV), got %v", - len(defaultCiphers), len(c.TLS.Ciphers)) + len(expectedCiphers), len(c.TLS.Ciphers)) } // Ensure ordering is correct